Focus: Privacy obligations in the healthcare sector
Services: Competition & Consumer Law, Corporate & Commercial, Insurance, Intellectual Property & Technology
Industry Focus: Life Sciences & Healthcare

Managing privacy obligations can be tricky for any business, particularly in the healthcare sector where patients' information must be handled with extra care.

Several important lessons have emerged from decisions and reports issued by the Australian Privacy Commissioner since the introduction of the Australian Privacy Principles (APPs). Here are our top 10 tips for healthcare providers.

General principles

  1. Remember the bar is set higher

In the context of providing health services, it is likely that any personal information collected from a patient, including demographic information, will come within the definition of "health information" and will be "sensitive information" within the meaning of the Privacy Act. This means that all kinds of personal information are subject to a higher level of privacy protection when collected in connection with a health service.[1]

  2. Be aware of what you have and what you no longer need

Healthcare providers should regularly review the content of physical and electronic files to understand the scope of their records, and to identify information that is no longer required and can be securely disposed of or de-identified. Procedures for the regular review and destruction of physical files, and purging of electronic files, will minimise risks to the security of personal information, especially at the time of office moves or shifts from paper-based to electronic records.[2]

  3. Think first, disclose second

Healthcare providers can sometimes come under unique pressure to disclose patient information to third parties such as law enforcement officers. In all cases, healthcare providers must take reasonable steps to secure personal information from unauthorised disclosure. A failure to take such reasonable steps may breach the APPs, and the patient whose information is disclosed may be entitled to compensation for distress or injury to their feelings.

One 'reasonable step' that can and should be taken is to establish policies and guidelines which explain when it is, and when it is not, permissible to disclose patient information. For example, these policies should set out how to ascertain whether there is a warrant or other formal request from a law enforcement agency, or a serious and imminent threat to the person or the public, which would authorise the disclosure of information. Healthcare professionals should review these policies before disclosing patient information.[3]

  4. One privacy policy might not be enough

Healthcare providers must have a privacy policy which sets out how they handle personal information.

If the intention is for one privacy policy to apply to a number of health service facilities (such as a group of hospitals), this should be clearly stated in the policy. If the facilities handle different types of health information, or the same types of health information but in different ways, healthcare providers should consider whether a separate privacy policy should be developed for each facility.[4]

  5. Get consent before using patient information for direct marketing

As a patient's information is sensitive information, if a healthcare provider intends to use that information to communicate directly with the patient to promote goods and services (direct marketing), it must obtain consent from the patient.

A patient's consent to use their information for direct marketing communications should not be 'bundled' with consent to use their information for other purposes. When a person is seeking health services, bundling consents has the potential to undermine the voluntary nature of the consents, and direct marketing in this context may breach the APPs.[5]

The intricacies of the eHealth system

Healthcare providers often assist individuals to register for an eHealth record in the Personally Controlled Electronic Health Record System (eHealth system), and have ongoing involvement in accessing and using information contained on the eHealth system. In these circumstances, the following tips should be borne in mind.

  6. Provide sufficient information to obtain informed consent to registration

When healthcare providers assist patients in registering with the eHealth system, they must obtain those patients' informed consent to collect their information as part of the registration process. In particular, they must:

  • provide information that is understandable and accessible for the individual patient
  • provide the patient with enough time to consider the information provided, so they can make an informed decision based on that information
  • explain to the patient that registration is voluntary, and that there are other ways to register apart from assisted registration
  • store the signed registration forms for at least three years, or send the forms securely to the Secretary of the Department of Health (as System Operator of the eHealth system).[6]

  7. Ensure employees are appropriately authorised

Healthcare providers should have clear policies and procedures for authorising employees to conduct assisted registrations. These policies should include the person / position responsible for performing assisted registrations, as well as details of training required. Training should cover privacy and information security considerations, and not just competence in the use of software. It is also best practice to keep an up-to-date register of authorised employees.[7]

  8. Update IT security policies and formalise staff training

Healthcare providers' IT security policies should include information about relevant obligations to protect patient privacy when accessing the eHealth system, including reference to the Privacy Act as the legislative requirement underpinning the policy. Staff should also receive ongoing training on privacy and security obligations. This training should be provided as part of staff orientation and then at appropriate intervals as refresher training. The training should be documented and supported by written reference materials, including applicable policy and procedure documents.[8]

  9. Review and document procedures for granting access to the eHealth system

Healthcare providers should take steps to ensure that access rights are appropriate for all staff members who have them at any given time. These steps should include regularly reviewing default access settings, managing access rights that were only intended to apply for temporary periods (by including a sunset date when the temporary period ends) and disposing of any access code which is no longer needed (such as when someone leaves the organisation or takes another role).[9]
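One way to mechanise the review described in tip 9, as an added example that is not part of the article: it takes a constructed authorised-user register (the kind of register tip 7 recommends keeping) and a constructed HR roster, and lists every grant whose sunset date has passed, whose holder has left the organisation, or whose holder has moved to a different role. The field names and sample users are assumptions for illustration.

```python
"""Periodic access-rights review for an eHealth system authorised-user register.

Added example, not from the article. Assumes each register row records the
user, the role the access was issued for, the grant date and an optional
sunset date; and an HR roster mapping each current staff member to their
current role (people who have left are simply absent). All data is constructed.
"""
from datetime import date

# Constructed register of authorised users: one row per access grant.
REGISTER = [
    {"user": "dr.a",    "role": "clinician", "granted": date(2015, 1, 5), "sunset": None},
    {"user": "locum.b", "role": "clinician", "granted": date(2015, 3, 1), "sunset": date(2015, 3, 31)},
    {"user": "admin.c", "role": "reception", "granted": date(2014, 9, 1), "sunset": None},
    {"user": "nurse.d", "role": "nurse",     "granted": date(2014, 2, 1), "sunset": None},
    {"user": "temp.e",  "role": "reception", "granted": date(2015, 6, 1), "sunset": date(2015, 12, 31)},
]

# Constructed HR roster: current role per staff member. admin.c has left.
ROSTER = {"dr.a": "clinician", "locum.b": "clinician", "nurse.d": "ward_clerk", "temp.e": "reception"}


def review_access(register, roster, today):
    """Return (user, reason) pairs for every grant that should be revoked.

    The three conditions in tip 9: the temporary period has ended (sunset date
    passed), the person has left, or the person now holds a different role
    from the one the grant was issued for.
    """
    findings = []
    for grant in register:
        user = grant["user"]
        current_role = roster.get(user)
        if grant["sunset"] is not None and grant["sunset"] < today:
            findings.append((user, "sunset date passed"))
        elif current_role is None:
            findings.append((user, "no longer with the organisation"))
        elif current_role != grant["role"]:
            findings.append((user, "role changed"))
    return findings


def grants_without_sunset(register):
    """Standing grants with no sunset date: the ones to re-examine at every review."""
    return [g["user"] for g in register if g["sunset"] is None]


if __name__ == "__main__":
    for user, reason in review_access(REGISTER, ROSTER, date(2015, 7, 1)):
        print(f"revoke {user}: {reason}")
```

Running the review on a schedule (and on every leaver or role-change notification from HR) turns the "sunset date" recommendation into an enforced control rather than a note in a register.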

  10. Actively monitor the use of the eHealth system

Healthcare providers should actively monitor eHealth system usage to detect potentially inappropriate uses of information. This can be achieved through scans for anomalous activity or use of the eHealth system through staff accounts, or through the use of software to keep records of when users view the metadata of eHealth record documents.[10]

Footnotes

[1] Calvary Private Hospital ACT: Assessment Report June 2014, paragraph 3.7.
[2] Pound Road Medical Centre: Own Motion Investigation Report July 2014.
[3] EZ and EY [2015] AICmr 23 (27 March 2015).
[4] Above, n [1], paragraph 3.4.
[5] Above, n [1].
[6] Assisted registration policies of ten registered healthcare provider organisations: Assessment Report December 2014, paragraphs 1.8, 4.30 - 4.32.
[7] Ibid, paragraphs A.16, A4.36.
[8] eHealth system – access security controls: St Vincent's Hospital Sydney Limited: Assessment Report June 2015, paragraphs 3.13, 3.17 – 3.19.
[9] Ibid, paragraph 4.22.
[10] Ibid, paragraphs 5.9, 5.12.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.