
Hei Hei Health Centre

Privacy Policy

Date: 28/08/2023

All staff engaged by Hei Hei Health Centre who have access to patients' personal and health information will sign a confidentiality agreement confirming they have read and understand this policy and the requirements of the Privacy Act and the Health Information Privacy Code in respect of patient personal information.

The confidentiality agreement will be read in conjunction with privacy and confidentiality in employment contracts and agreements, and any staff Code of Conduct, as applicable.

This policy is intended to be read alongside our Health Information Privacy Policy and Notes Transfer Policy.


Collecting Health Information

Hei Hei Health Centre will only collect information that is relevant and required for the purposes of treating an individual, monitoring the quality of care provided, or administration.

Wherever possible, the information will be obtained directly from the patient. Exceptions include when someone else is authorised to provide the information (such authorisation ideally being in writing) or when the patient is unable to do so.

Patients will be advised that the information is being collected, who will have access to it, why the information is being collected, the consequences of not providing the information, and that they have a right to correct the information. These details may be provided orally, in a brochure, letter or poster, or may be included in the enrolment form. We will use the Pegasus PHO “Enrolling with a Primary Health Organisation – Health Information Privacy Statement” as the basis for this advice.

Privacy protections

We will ensure that the environments and devices we use to collect information reduce the risk of unintended disclosure of personal and health information. This includes (but is not limited to):

  • Steps to provide privacy in reception areas for times when personal information is collected. This may include use of background music or television in waiting areas or a private location to help protect personal information.

  • Where clinicians undertake video or telephone consultations, they will:

    • Ensure they are in a private setting where they cannot be overheard.

    • Confirm the patient is in a private setting where the consultation cannot be viewed or overheard.

    • Advise the patient if the consultation is being recorded and explain the purpose of the recording.

  • Medical imaging will not be recorded on personal mobile devices or cameras. XYZ Medical Centre provides a name device to be used for all medical imaging. Images are downloaded and saved to the patient’s clinical notes immediately and then deleted from the device/camera.


Security of Information

Health information will be stored for at least 10 years after the last contact with that patient.

Health information will be stored securely, with safeguards in place to prevent unauthorised access or loss.

  • All computers will have individual user passwords for access to programmes or files containing identifiable personal information or clinical records.

  • Staff will access records in accordance with their duties and role-based access to programmes may apply.

  • Time-activated screen locking will be in place, requiring staff to log on again after 10 minutes of inactivity.

  • Filing cabinets, rooms and other areas used to store personal information will be locked when they are unattended.

  • Backups of computer systems will be completed each working day by TMG, who manage our PMS cloud system.

  • When required, the destruction of private information will be carried out in a secure manner, such as shredding, burning, or use of an approved document destruction contractor.


Access to Personal Information

All patients can access and correct personal and health information held about them. This includes former patients whose information is being retained under the requirements of the Health (Retention of Health Information) Regulations 1996. No fee will be charged for a person wishing to access their health information/medical records. A request can be made verbally or in writing (it may be useful to have the request in writing for clarity and scoping of the information sought). Copies of records will be provided upon request free of charge, no more frequently than once per year.

Disclosure

Health information will not be disclosed without the authorisation of the patient unless:

  • It is to the individual patient concerned (or their authorised representative).

  • There is a reasonable belief that it is not possible to obtain such consent, and the disclosure is for the purpose of treatment.

  • Disclosure is one of the reasons for which the information was obtained.

  • Disclosure is required to prevent serious and immediate harm to the individual.

  • It is to appropriate agencies for suspected child abuse.

  • Disclosure is to the Land Transport Authority when there are serious concerns about an individual’s ability to drive without endangering themselves or others.

  • It is for the purposes of a criminal proceeding.

  • The individual is dependent on or seeking a drug (Misuse of Drugs Act 1975 and section 49a of Medicines Act 1981). A warning is displayed in the waiting area advising that information about suspected drug seekers may be disclosed.

  • Disclosure is to the Police under section 92 of the Arms Act 1983, relating to the use or possession of firearms.

  • Disclosure is authorised or required under any other legislation.


Breach Notification

Where any member of the Practice becomes aware of a potential privacy breach, they will respond as quickly as possible to initially contain the breach and notify the Privacy Officer. As a practice we will use the Privacy Commissioner’s four-step process to help minimise any harm caused to the affected person/people and to our practice.

There are four key steps in dealing with a privacy breach:

  • Contain

  • Assess

  • Notify

  • Prevent

We will complete the first three steps either at the same time or in quick succession. We will use step four to come up with longer-term solutions and prevention strategies.

We will evaluate the risk of harm to the patient or their family that may result from any privacy breach. We will consider each incident on a case-by-case basis and think about:

  • The risk of harm to people affected.

  • Whether there’s a risk of identity theft or fraud.

  • Whether there’s a risk of physical harm.

  • Whether there’s a risk of humiliation, loss of dignity, or damage to the person’s reputation or relationships (for example, if the lost information includes mental health, medical, or disciplinary records).

  • What affected people can do to avoid or minimise possible harm, e.g., change a password.

  • Whether we have any legal or contractual obligations.

We will use all facts we have about the situation (and the guidance available from the Privacy Commissioner’s Office) to decide whether we will notify the people affected. Where the breach has caused serious harm, or is likely to do so, we will:

  1. Notify the patient directly.

  2. Use the Privacy Commissioner’s “NotifyUs” tool to report or update a breach.

https://www.privacy.org.nz/responsibilities/privacy-breaches/notify-us/

Resources: https://www.privacy.org.nz/responsibilities/privacy-breaches/responding-to-privacy-breaches/


Transfer of Health Information

Medical records and other information will only be transferred to another health provider when a written request has been received. If an individual verbally requests a transfer of their records, they must sign a form to acknowledge the request. All requests will be scanned into the medical record of that individual.

The transfer should be completed in no more than 10 working days.

Requests will be discussed with the appropriate doctor to ascertain whether copies of paper notes are to be retained (noting the requirement to then store the information for up to 10 years).

When medical records are being requested for a new patient, the patient will indicate this on the practice’s enrolment form.

In managing patient records, we will also comply with the requirements of the Medical Council’s document Managing Patient Records (October 2019).


APPENDIX 1 - Confidentiality Agreement


Staff Confidentiality Agreement

Staff working at this medical centre will be exposed to personal and health information of patients, which is protected under the Privacy Act 2020 and the Health Information Privacy Code 2020.


I, _________________________[name], have read and understand the provisions of the Hei Hei Health Centre Privacy Policy and understand that, whilst working here, I need to ensure that all personal and health information is kept confidential, secure and managed in line with the policy.


I agree that I will only access information which is required as part of my duties.


I have been made aware of the requirements of the Privacy Act 2020 and the Health Information Privacy Code 2020 (HIPC) as they relate to my role at this practice. I understand that my obligation with respect to the confidentiality of personal and health information will endure after I have finished working at this practice.


……………………………………

Name


………………………….………..

Signature


…………………………………...

Date
