Articles and Case Studies
Does Your Privacy Policy Measure Up?
09 Jan 2015
Privacy law1 requires medical practices to have a privacy policy – now some practices are being put to the test.
Dear Doctor
This letter is to advise you of the Office of the Australian Information Commissioner’s (OAIC) intention to undertake an assessment of [your practice’s] privacy policy…
And so started a letter to 40 GP practices, randomly selected in May – June 2015 by the OAIC. The assessments intended to examine whether the GP practices had privacy policies which:
- are clearly expressed
- are up to date
- cover the required topics
- reflect the use of Personally Controlled Electronic Health Records (PCEHR), where relevant.
Clear expression
An OAIC guide to preparing a privacy policy2 includes the following tips:
- Think about your audience and word it accordingly.
- Keep it simple and easy to read.
- Use the terms “you” and “us/we”, rather than “patient” and “the practice”.
- Don’t just repeat the words in the Australian Privacy Principles (APPs) – make it specific to your practice.
- Arrange information in a way that makes sense for your patients.
- Be as specific as possible.
- Provide more detail about areas of information handling that patients are most concerned about, are unaware of, won’t reasonably expect or may not understand easily.
- Seek input from your staff.
- Contact your medical indemnity insurer.
- Test it out on readers – it should be able to be easily read and understood by a 14-year-old.
Up to date
Changes to Australian privacy law came into effect on 14 March 2014, with the APPs replacing the National Privacy Principles. Your policy must reflect the current law.
A summary of the APPs is available in the OAIC’s Privacy Fact Sheet 17.3
Your policy must outline how your practice currently deals with personal information – if procedures change, your policy should also change accordingly. Regularly review and update your policy. Include the date and version number on the document.
Required topics
As specified in APP1 a practice privacy policy must cover:
- the kinds of information collected or held
- how it is collected
- for what purposes it is collected, held or used
- disclosure to any other persons or agencies – identity of agencies, what is disclosed, for what purpose(s)
- the process for an individual to access the information
- where access is withheld, why and how the individual is notified
- the consent process for collection of information
- situations where consent is not required, e.g. an emergency
- the process for individuals to complain about a breach of privacy
- whether information is disclosed to overseas recipients and to what countries.
Use of Personally Controlled Electronic Health Records (PCEHR)
If your practice uses PCEHR, your privacy policy should include:
- what information you add to and access from patients’ eHealth record and what you do with the information
- procedures to ensure compliance with the Personally Controlled Electronic Health Records Act 2012
- how an eHealth record may be used in an emergency situation.
References
- The Privacy Act 1988 (Cth).
- Office of the Australian Information Commissioner. Guide to Developing an APP Privacy Policy. Canberra: OIC, 2014.
- Privacy Fact Sheet 17: Australian Privacy Principles. 2014. Available at: oaic.gov.au/privacy/privacy- resources/privacy-fact-sheets/other/privacy-fact- sheet-17-australian-privacy-principles.
Confidentiality and Privacy, Practice Management, Anaesthesia, Dermatology, Emergency Medicine, General Practice, Intensive Care Medicine, Obstetrics and Gynaecology, Ophthalmology, Pathology, Practice Manager Or Owner, Psychiatry, Radiology, Sports Medicine, Surgery, Physician, Geriatric Medicine, Cardiology, Plastic And Reconstructive Surgery, Radiation Oncology, Paediatrics, Independent Medical Assessor - IME
No events found.
18 Dec 2019
01 Oct 2019
