Mt Eliza Medical Centre’s Privacy Policy


Nature and scope of this practice policy:

This policy primarily addresses the management of ‘personal health information’ in the practice.

The policy covers the following areas:

  1. Privacy
  2. Informing new patients
  3. Patient access to their personal health information
  4. Alteration of patient records
  5. Access to personal health information by practice staff for the purposes of research, professional development and quality assurance/improvement
  6. Confidentiality agreements
  7. Disclosure to third parties
  8. Requests for personal health information and medical records by other medical practices
  9. Security
  10. Complaints about privacy-related matters
  11. Retention of medical records
  12. Staff training

This policy:

  • is based on The Handbook for the Management of Health Information in Private Medical Practice published in July 2014;
  • is consistent with the National Privacy Principles for the Fair Handling of Personal Information in the Federal Privacy Act 2014 as amended; and
  • takes into account legislation pertaining to privacy in the ACT, NSW and Victoria.

While the policy focuses on the management of the patient’s health record, it also relates to other recorded information, for example Medicare data, billing and accounting records, pathology and radiology results, medical certificates and letters to and from hospitals and other doctors.

1.     Privacy

Personal health information is defined as information concerning a patient’s health, medical history, or past or present medical care; and which is in a form that enables or could enable the patient to be identified. It includes information about an individual’s express wishes concerning current and future health services.

All GPs and practice staff will ensure that patients can discuss issues relating to their health, and that the GP can record relevant personal health information, in a setting that provides visual privacy and protects against any conversation being overheard by a third party.

Staff will not enter a consultation room during a consultation without knocking or otherwise communicating with the GP.

Staff, registrars and students will not be present during the consultation without the prior permission of the patient.

2.     Informing new patients

New patients will be given the practice’s information sheet, which contains information about personal information, privacy and their GP, and will be offered access to the practice information policy.

This practice tries to make sure that the information on privacy available to patients is appropriate for the range of people who come here.

Practice staff will ensure that current and updated information sheets are available at reception.

3.     Patient access to their personal health information

Under privacy legislation provisions, all patients have the right to access their health information stored at the practice. The treating GP will provide an up-to-date and accurate summary of their health information on request or whenever appropriate.

The treating GP will consider all requests made by a patient for access to their medical record. In doing so the GP will need to consider the risk of any physical or mental harm resulting from the disclosure of health information.

If the GP is satisfied that the patient may safely obtain the record then he/she will either show the patient the record, or arrange for provision of a photocopy, and explain the contents to the patient.

Any information that is provided by others (such as information provided by a referring medical practitioner or another medical specialist) is part of the health record and can be accessed by the patient.

Appropriate administration costs may be charged to the patient.

4.     Alteration of patient records

This practice will alter personal health information at the request of the patient when the request for alteration is straightforward (e.g. amending an address or telephone number).

With most requests to alter or correct information, the General Practitioner will annotate the patient’s record to indicate the nature of the request and whether the GP agrees with it. For legal reasons, the doctor will not alter or erase the original entry.

5.     Access to personal health information by practice staff for the purposes of research, professional development and quality assurance/improvement

Patients will be advised of the ways in which the practice undertakes ‘recall’ and ‘follow-up’ activities, e.g. when the practice would write to a patient or phone them. This is stated on our information sheet under ‘Reminder system’.

When a patient agrees to participate in a recall or reminder system, the doctor will make a note of this in their record.

Patients will be informed when quality improvement, professional development and research activities are being conducted and given the opportunity to ‘opt out’ of any involvement in these activities. The GP responsible for the activity will ensure that appropriate information is available to patients from the reception staff.

When research projects are conducted in the practice under the approval of an institutional ethics committee, staff will be made aware of the requirements to obtain consent specified in the research protocol and ensure that consent is properly obtained.

Where possible identifying information will be removed from personal health information being used for research and QA activities. Where this is not possible, internal staff accessing personal health information are aware that they are under an obligation of confidentiality not to disclose the information. Breaches of that obligation may result in instant dismissal. The GP from the practice who is responsible will ensure that any external researchers are also under an explicit written obligation of confidentiality with appropriate penalties for disclosure.

6.     Confidentiality agreements

In order to protect personal privacy, this practice has staff (including temporary or casual staff), sub-contractors (e.g. software providers) and medical students sign a confidentiality agreement.

7.     Disclosure to third parties

GPs and staff will ensure that personal health information is disclosed to third parties only where consent of the patient has been obtained. Exceptions to this rule occur when the disclosure is necessary to manage a serious and imminent threat to the patient’s health or welfare, or is required by law.

The GP will refer to relevant legislation and the maturity of the patient before deciding whether the patient (in this case a minor) can make decisions about the use and disclosure of information independently (i.e. without the consent of a parent or guardian). For example, for the patient to consent to treatment, the GP must be satisfied that the patient (a minor) is aware and able to understand the nature, consequences and risks of the proposed treatment. This patient is then also able to make decisions on the use and disclosure of his or her health information.

GPs will explain the nature of any information about the patient to be provided to other people, for example, in letters of referral to hospitals or specialists. The patient consents to the provision of this information by agreeing to take the letter to the hospital or specialist, or by agreeing for the practice to send it.

NOTE: Increasingly there is an expectation by patients that they will see and be advised of the contents of referral letters. They are able to access such letters in their records.

GPs and staff will disclose to third parties only that information which is required to fulfil the needs of the patient.

These principles apply to the personal information provided to a treating team (for example, a physiotherapist or consultant physician also involved in a person’s care). The principles also apply where the information is transferred by other means, for example, via email.

Information classified by a patient as restricted will not be disclosed to third parties without the explicit consent of the patient. GPs will make a contemporaneous note when such permission is given.

Should an outstanding debt be referred to a collection agency, this practice will provide only the contact details of the debtor and the amount of the debt. No other personal information will be provided.

Information supplied in response to a court order will be limited to the matter under consideration by the court.

From time to time General Practitioners will provide their medical defence organisation or insurer with information, in order to meet their insurance obligations.

This practice participates in practice accreditation, which assists it to improve the quality of its services. Practice accreditation may involve the ‘surveyors’ who visit the practice reviewing patient records to ensure that appropriate standards are being met. This practice will advise patients when practice accreditation is occurring by placing a notice in the foyer prior to the survey visit occurring. Patients will be given the opportunity of refusing accreditation surveyors access to their (the patient’s) health information.

8.     Requests for personal health information and medical records by other medical practices

If a patient transfers away from the practice to another GP, and the patient requests that the medical record be transferred, the existing GP will provide the record, a summary, or a photocopy to the new treating GP or to the patient. This practice will retain original documents and records.

This practice will seek written permission from the patient for the provision of personal health information to another medical practice.

9.     Security

Medical practitioners, practice staff and contractors will protect personal health information against unauthorised access, modification or disclosure, and against misuse and loss, while it is being stored or actively used for continued management of the patient’s health care.

Staff will ensure that patients, visitors and other health care providers to the practice do not have unauthorised access to the medical record storage area or computers.

Staff will ensure that records, pathology test results, and any other papers or electronic devices containing personal health information are not left where they may be accessed by unauthorised persons.

Non-clinical staff will limit their access to personal health information to the minimum necessary for the performance of their duties.

Fax, e-mail and telephone messages will be treated with security equal to that applying to medical records.

Computer screens will be positioned to prevent unauthorised viewing of personal health information. Through the use of, for example, password-protected screen-savers, staff will ensure that computers left unattended cannot be accessed by unauthorised persons.

Medical practitioners and staff will ensure that personal health information held in the practice is secured against loss or alteration of data. This includes adherence to national encryption protocols.

Patient records will not be removed from the practice, except when required by clinical staff for patient care purposes. Records will be kept securely while away from the practice and the responsible clinician will ensure that records are returned to the practice and left in an appropriate place for filing.

Manual medical records and other papers containing personal health information will be filed promptly after each patient contact.

Staff will ensure that manual and electronic records, computers, other electronic devices and filing areas are secured at the end of each day and that the building is locked when leaving.

The data on the computer system will be backed up daily and a duplicate backup tape/cartridge given to the nominated staff member for storage off site. Backups should be routinely tested to ensure daily duplication processes are valid and retrievable.

10. Complaints about privacy-related matters

Complaints about privacy-related matters will be addressed in the same way as other complaints. This procedure is outlined elsewhere in this practice’s procedures manual and recorded on the practice information sheet.

11. Retention of medical records

It is the policy of the practice that individual patient medical records be retained until the patient has reached the age of 25 or for a minimum of 7 years from the time of last contact, whichever is the longer.

No record will be destroyed at any time without the permission of the treating GP or the clinic’s Medical Director.

If the practice relocates to new premises, patient records will be relocated to the new practice as well.

12. Staff training

Practice training and induction procedures for medical practitioners and staff should ensure that medical practitioners and staff demonstrate understanding of this policy.

Ongoing education and training processes in the practice will ensure that skills and competence in the implementation of the privacy policy and related issues are maintained and updated.