Articles and Case Studies

Does Your Privacy Policy Measure Up?

10 Jan 2015

by Karen Stephens

Privacy law¹ requires medical practices to have a privacy policy – now some practices are being put to the test.

Dear Doctor

This letter is to advise you of the Office of the Australian Information Commissioner’s (OAIC) intention to undertake an assessment of [your practice’s] privacy policy…

And so started a letter to 40 GP practices, randomly selected in May – June 2015 by the OAIC. The assessments intended to examine whether the GP practices had privacy policies which:

are clearly expressed
are up to date
cover the required topics
reflect the use of Personally Controlled Electronic Health Records (PCEHR), where relevant.

Clear expression

An OAIC guide to preparing a privacy policy² includes the following tips:

Think about your audience and word it accordingly.
Keep it simple and easy to read.
Use the terms “you” and “us/we”, rather than “patient” and “the practice”.
Don’t just repeat the words in the Australian Privacy Principles (APPs) – make it specific to your practice.
Arrange information in a way that makes sense for your patients.
Be as specific as possible.
Provide more detail about areas of information handling that patients are most concerned about, are unaware of, won’t reasonably expect or may not understand easily.
Seek input from your staff.
Contact your medical indemnity insurer.
Test it out on readers – it should be able to be easily read and understood by a 14-year-old.

Up to date

Changes to Australian privacy law came into effect on 14 March 2014, with the APPs replacing the National Privacy Principles. Your policy must reflect the current law.
A summary of the APPs is available in the OAIC’s Privacy Fact Sheet 17.³
Your policy must outline how your practice currently deals with personal information – if procedures change, your policy should also change accordingly. Regularly review and update your policy. Include the date and version number on the document.

Required topics

As specified in APP1 a practice privacy policy must cover:

the kinds of information collected or held
how it is collected
for what purposes it is collected, held or used
disclosure to any other persons or agencies – identity of agencies, what is disclosed, for what purpose(s)
the process for an individual to access the information
where access is withheld, why and how the individual is notified
the consent process for collection of information
situations where consent is not required, e.g. an emergency
the process for individuals to complain about a breach of privacy
whether information is disclosed to overseas recipients and to what countries.

Use of Personally Controlled Electronic Health Records (PCEHR)

If your practice uses PCEHR, your privacy policy should include:

what information you add to and access from patients’ eHealth record and what you do with the information
procedures to ensure compliance with the Personally Controlled Electronic Health Records Act 2012
how an eHealth record may be used in an emergency situation.

References

The Privacy Act 1988 (Cth).
Office of the Australian Information Commissioner. Guide to Developing an APP Privacy Policy. Canberra: OIC, 2014.
Privacy Fact Sheet 17: Australian Privacy Principles. 2014. Available at: oaic.gov.au/privacy/privacy- resources/privacy-fact-sheets/other/privacy-fact- sheet-17-australian-privacy-principles.

Confidentiality and Privacy, Practice Management, Anaesthesia, Dermatology, Emergency Medicine, General Practice, Intensive Care Medicine, Obstetrics and Gynaecology, Ophthalmology, Pathology, Practice Manager Or Owner, Psychiatry, Radiology, Sports Medicine, Surgery, Physician, Geriatric Medicine, Cardiology, Plastic And Reconstructive Surgery, Radiation Oncology, Paediatrics, Independent Medical Assessor - IME