Privacy Know-How

15 Nov 2017

Privacy law has implications for many areas of medical practice. Here are some common issues we have identified from our interaction with MDA National Members.

Your practice must have a privacy policy

Your privacy policy must include particular topics as specified in the legislation.[1] Your privacy policy is out of date if it was written before 2014 and refers to “National Privacy Principles” (rather than “Australian Privacy Principles”). Privacy policy templates are available from the RACGP[2] and the AMA,[3] and the OAIC[4] has a guide to developing a privacy policy. We recommend including in your policy how you contact patients, especially if using less traditional methods such as SMS.

Practices are expected to make their privacy policy available

Display your privacy policy in your practice and publish it on your website. New patient registration forms can include a statement such as, “I can ask to see the practice privacy policy, a copy of which is available to me, explaining how my personal information is dealt with”.

Using email to communicate with patients or colleagues

  • Include your use of email in your privacy policy.
  • Have policy and procedures controlling your use of email.
  • Patients should give consent to be contacted by email, preferably in writing.
  • Encryption or secure messaging options provide greater email security, but this is not currently a legal requirement for medical practices. You must have robust IT systems and appropriate procedures to protect the security of emails.
  • Consider carefully what information you include in emails.
  • Confirm the patient’s identity and contact details before hitting “send”.

The RACGP has resources to help practices decide whether to use email.[5]

Taking photos of patients on mobile phones

  • If the patient is identifiable in the image, it is considered personal information under the Privacy Act. De-identifying an image may require removal of distinctive features like a rare visible medical condition, physical marking or tattoo.
  • You must get consent from the patient to take the photo, and to use or disclose it. Limited exceptions to the need to obtain consent include where there is a serious threat to life or health. When seeking consent, provide enough information for the patient to make an informed decision, for example, whether the photo will be placed on the internet. The OAIC advises that even if a patient is not identifiable, it would be good practice to obtain consent.
  • You must take reasonable steps to keep the photo secure. With a mobile phone, this would involve security settings and passwords for the phone and any computer or cloud to which it is backed up.
  • If using a photo sharing app, carefully consider whether you are able to maintain control of the images. If the photo is disclosed to an overseas location (directly, or via an app or cloud server) you will need to consider whether the overseas recipient complies with Australian privacy law.[6]

Providing copies of medical records to patients

Copies of medical records should be provided to patients in the format they request – for example, by email, phone, in person, hard or soft copy – if it is reasonable and practicable to do so. What is practicable will be influenced by:

  • the volume of information (e.g. phone may not be practicable for a large volume)
  • the nature of the information (e.g. you may not want to send very sensitive information by unencrypted email)
  • any special needs of the individual requesting the information (e.g. a USB may not be useful to an elderly patient without a computer).

Cloud storage

To keep health information secure when using cloud storage, consider the recommendations[7] from the Defence Department, which include:

  • using an accredited cloud service (the international standard for cloud privacy is ISO27018)
  • encrypting data sent to the cloud
  • choosing a service with multi-factor authentication
  • storing encrypted backup offline or with another cloud provider
  • having a contract with the provider which specifies who has access to your data and what security measures are used to protect your data.

Providers with servers located in Australia are recommended. If the servers are overseas, there are specific steps you must take, under the privacy law, to ensure that the overseas recipient complies with the Australian Privacy Principles.[6]

Transcription services

If health information is disclosed overseas, you will need to consider whether the overseas recipient complies with Australian privacy law.[6]

Direct marketing

A practice can only use or disclose personal information for direct marketing purposes if:

  • the practice collected the information from the individual
  • the individual would reasonably expect the practice to use the information for direct marketing (e.g. they have been told about it and consented to it)
  • the practice provides a simple way to “opt out” from receiving direct marketing communications
  • the individual has not made an opt-out request to the practice.

Disclosing information overseas

Before personal information is disclosed overseas, a practice must take reasonable steps to ensure that the overseas recipient does not breach the Australian Privacy Principles.

If you believe the recipient country has similar privacy laws to Australia, obtain documentation such as independent legal advice to support this.

If you do not believe the recipient country has similar privacy laws to Australia, do one of the following:

  • Avoid disclosing the information.
  • Enter into a contract with the overseas recipient requiring them not to breach the APPs.
  • Obtain the patient’s consent to disclose their information to the overseas recipient.

Privacy breaches in the media

  • More than a dozen unauthorised medical staff were caught accessing the confidential records of a man after he was arrested over the murder of his father, a well known football coach (Feb 2016).
  • Gold Coast Health apologised unreservedly to a patient and planned to re-educate staff after a surgical report and personal information ended up lying in the street (April 2016).
  • Medical files belonging to at least a dozen patients were allegedly stolen from a Melbourne GP clinic and dumped in a park (April 2016).
  • Australian Red Cross Blood Service staff contacted more than 550,000 blood donors whose personal information was contained in a file accidentally placed on an unsecured, public-facing part of their website (October 2016).
  • Hundreds of specialist letters to GPs were found in the bin of a Sydney apartment block, having been left there by a sub-contractor from a transcription firm (April 2017).
  • A cosmetic surgery clinic’s website made public the details of hundreds of patients – names, home addresses, Medicare numbers, medical history, and before-and-after photos of breast enhancements (June 2017).
  • A Guardian Australia journalist was able to buy their own Medicare details from a darknet trader who was illegally selling the information by “exploiting a vulnerability” in a government system (July 2017).

Karen Stephens
Risk Adviser, MDA National


See also the article Privacy Breaches – New Obligations for a quick guide to the new legal requirements related to the mandatory Notifiable Data Breaches scheme to be introduced in February 2018.

References

  1. MDA National. Does Your Privacy Policy Measure Up? Available at: mdanational.com.au/Resources/Articles-and-Case-Studies/2017/09/Does-Your-Privacy-Policy-Measure-Up
  2. Royal Australian College of General Practitioners. Privacy Resources: Make Privacy Your Business. Available at: racgp.org.au/your-practice/ehealth/protecting-information/privacy/
  3. Australian Medical Association. Privacy and Health Record Resource Handbook for Medical Practitioners in the Private Sector. Available at: ama.com.au/article/privacy-and-health-record-resource-handbook-medical-practitioners-private-sector
  4. Office of the Australian Information Commissioner. Guide to Developing an APP Privacy Policy. Available at: oaic.gov.au/agencies-and-organisations/guides/guide-to-developing-an-app-privacy-policy
  5. Royal Australian College of General Practitioners. Using Email in General Practice. Available at: racgp.org.au/your-practice/ehealth/protecting-information/email/
  6. Office of the Australian Information Commissioner. Chapter 8: APP 8 Cross-border Disclosure of Personal Information. Available at: oaic.gov.au/agencies-and-organisations/app-guidelines/chapter-8-app-8-cross-border-disclosure-of-personal-information
  7. Department of Defence. Cloud Computing Security for Tenants. Available at: cyber.gov.au/publications/cloud-computing-security-for-tenants
