2.1 The Privacy Act and Health Information Privacy Code

How we confidentially manage patient information is one of the most important aspects of general practice. Protecting the private details of a patient is not just a matter of moral respect, it is essential in retaining the important bond of trust between not only between clinicians and their patients/whānau but also the wider practice team.

In general practice, when it comes to health information, The Code applies rules to organisations in the health sector and patients’ have expectations about how their health information will be managed.

The code recognises that people expect their health information:

• to be kept confidential because it was probably collected in a situation of confidence and trust
• to be treated as sensitive because it may include details about body, lifestyle, emotions and behaviour
• may have ongoing use if a piece of medical information becomes clinically relevant even a long time after it was initially collected
• will be used for the purposes for which it was originally collected and they will be told about those purposes

The Privacy Act 2020
The Privacy Act 2020 controls how ‘agencies’ collect, use, disclose, store and give access to ‘personal information’.

Health Information Privacy Code 2020
The Health Information Privacy Code 2020 sets specific rules for agencies in the health sector. It covers health information collected, used, held and disclosed by health agencies and takes the place of the information privacy principles for the health sector.

Rules of the Health Information Privacy Code
The Health Information Privacy Code has thirteen rules:

• Rules 1, 2, 3 and 4 govern the collection of health information. This includes the reasons why health information may be collected, where it may be collected from and how it is collected.
• Rule 5 governs the way health information is stored. It is designed to protect health information from unauthorised use or disclosure.
• Rule 6 gives individuals the right to access their health information.
• Rule 7 gives individuals the right to correct their health information.
• Rules 8, 9, 10 and 11 place restrictions on how people and organisations can use or disclose health information. These include ensuring information is accurate and up-to-date and is not improperly disclosed.
• Rule 12 governs the disclosure of health information outside of New Zealand. 
• Rule 13 governs how ‘unique identifiers’ - such as Inland Revenue Department (IRD) numbers, bank client numbers, driver's licence and passport numbers - can be used. 

Management of Patient information

General practice ICT security checklist
TheICT security checklist covers the essentials of digital security. This checklist is based on the baseline requirements discussed in the Health Information Security Framework.

Third party access
Patients can approve third party access to records, results, or request/collect prescriptions through clear documentation. Third parties include but are not limited to a family member, spouse, or friend. Discretion may be applied if the patient is incapacitated, cognitively or physically impaired, in difficult social circumstances or a child. Youth records should be reviewed to ensure their confidentiality is maintained.

Video and telephone consultations
Included in the privacy policy is the practice process for maintaining patient privacy with video and telephone consultations. This may include how a health provider establishes privacy at both the practitioner and patient ends of the consultation and informing the patient whether the consultation is being recorded or not. 

Developing a security policy and protecting health information in the practice
Rule 5 of the Health Information Privacy Code 2020 describes reasonable security safeguards to protect health information. This includes keeping the information safe from loss, as well as from unauthorised access, use, modification or disclosure.

The practice should include how they protect the patient’s privacy with photographs, in particular, using a secure device, not retaining photos on devices, submitting photos  securely and secure storage within the PMS

To comply with rule 5 the practice should consider what risks exists for the health information the practice holds and implement a plan to address those risks.

Security of electronic health information
Most sensitive information in general practice is likely to be stored within the PMS, therefore the electronic PMS must be deployed in an up-to-date, secure and fit-for-purpose IT environment.
Most PMS systems can assign roles to people and restrict the access of information at varying levels. People with access to the PMS should be assigned an appropriate role based on their need within the practice. Custodial or cleaning staff should not have access to the PMS. Receptionists and administrators are bound by the current Privacy Act and at the discretion of management, can be granted access to clinical information in order to fulfil their roles. 

It is essential that access to the PMS system requires a personal password and the system automatically requires a password to access the computer/terminal or the PMS after a period of inactivity (no more than 15 minutes). An alternative is password-protected screensavers or other automated security applications. This protects against unattended access to computers if team members forget to log off or walk away and are longer than they expect. Consider shorter timeout periods for computers in consultation rooms or other locations where patients may be left alone, even for short periods of time. Terminals and personal computers should be positioned so the screens cannot be seen by unauthorised personnel or patients.

Provision for maintaining patient confidentiality, privacy and security of patient information during video or telephone consults is included in the practices’ privacy policy. For example, a practice process which outlines which approved, secure digital platform the practice uses for video conferencing which has end to end encryption and is endorsed by established health providers who have completed both Privacy Impact Assessment (PIA) and Cloud Risk Assessment (CRA). We encourage all organisations and companies to work towards completing their own PIA and CRA. Click here for security tips developed by certnz. 

If your practice has a privacy breach that has caused serious harm to someone (or is likely to do so), the practice will need to notify the Office of the Privacy Commissioner as soon as possible. The practice should also notify those patients affected by the breach. 

Backup and retrieval system
A backup is a copy of some or all files and information stored on a system. The purpose of a backup is to be able to recover all patient information stored in the computer system. Backups should always include the PMS database and other patient information e.g. photos, scanned documents not in the PMS. It may also include other computer files contained on the system e.g. HR records, financial data, emails, business records.

At a minimum, the system should backup essential electronic data daily (if not in real time). Taking a backup of the most important files at least every day is important. In the event of a catastrophic loss of the system (perhaps a building fire or a computer virus that renders the files or system unusable), the backup is used to retrieve important information. Be aware that the practice will lose any information between the latest backup and when the practice wishes to restore it. Best practice is a backup that allows restoration of the complete ‘in practice’ computer system.

Holding a copy of the backups and files offsite (or using a secure online service) is important to protect against events such as fire or theft, where both the original files and backups could be compromised. Because the backups will almost always contain sensitive information, it is also important that the physical location in which the backups are being stored is secure and/or protected by secure password.

Practice team members storing backups in their homes is not considered to be a secure way of keeping offsite backups. There may be issues with practice team members having the potential to lose the backups or having those backups stolen from their home. Both situations would compromise the information security. If the practice uses physical backups, it is recommended that the practice uses a professional service that can satisfy the requirement for secure transport and storage of those media.

The practice should regularly check that it is possible to retrieve and restore the systems to a safe working state. It is recommended that the practice does this when the backup method is first established and at other times when more than a minor change is made to that scheme.

Consider planning the backup and restore test in conjunction with a third-party IT provider. The practice would normally test the restoration process into an environment outside of the normal practice system (to simulate what may happen in a disaster situation). This test may require some time. For most small businesses this task would only be undertaken sporadically.

Independent auditing of the electronic data systems and policies
It is recommended that the practice provides evidence of independent auditing of the electronic data systems and policies. If the practice uses a third-party IT support provider, the provider should be able to provide some independence in terms of audit and identifying information issues. Having a specialist IT provider can help maintain the system and ensure security of the system.

The third-party IT specialist should be external to the practice. This excludes family or friends. The practice should have a contract with the third-party IT provider. The contract can be on an as-needed basis or a retainer.

Impacts on management of heath information in an evolving environment

Elements to consider when developing a process for video/telephone consultations:

• Find your digital platform which has end to end encryption and is endorsed by established health providers who have completed both Privacy Impact Assessment (PIA) and Cloud Risk Assessment (CRA) and easy for patients and providers to use
• Prior to video consult – A phone call from practice team member, such as a nurse to establish whether the consult can be done by video or telephone and ensure the patient understands:
  
  • How to connect with the platform 
  • To set themselves up in a private room/space 
  • Be aware of anyone able to listen in, especially if on speaker phone or speaker
  • Having another person or whānau present during the consult is acceptable and to let the provider know. 
  • They have options, i.e., would the patient prefer a telephone or video consultation? (if applicable)
  • That during the consult, the provider may decide they need an ‘In Person” consultation and request they visit the medical centre.
  • What the fees are, including if the consultation is split between video/telephone and ‘in person’

Practices need to: 

• Establish how is informed consent obtained and attached to the patients file in the PMS
• Ensure health providers know to document in the patient notes (PMS) the type of consult undertaken
• Ensure health providers know to document in notes if patient refuses to come for an ‘In person’ appointment
• Establish how any test or diagnostic results will communicated
• Ensure providers have training.

Privacy and health information policy 

A Privacy and health information policy and procedure should include: 

• Adherence to privacy legislation 
• A designated Privacy Officer 
• Training of practice team members according to role 
• Provisions for maintaining privacy in the practice’s physical environment (for example, a radio playing, front desk security, management of patient’s medical notes, etc)
• Adherence to the HIPC 
• A process around how practices collect, use, disclose, store, and give access to personal medical information.
• keeping the information safe from loss, as well as from unauthorised access, use, modification, or disclosure.
• How patients can approve third party access to records, results, or request/collect prescriptions 
• A process for maintaining patient privacy with video and telephone consultations. 
• Digital security - based on the baseline requirements discussed in the Health Information Security Framework.
• Identified areas where risks exist for patients’ health information and a plan to address those risks within the practice.
• Keeping medical information safe from loss 
• A process for managing a managing a privacy breach
• PMS safeguards (PW/screen savers, privacy screens etc) 
• Independent auditing from 3rd party IT technician
• Back up and retrieval system process

NB: Your practice policies/procedures, should adhere to the general structure suggested here and include document control measures.

2.2 Enrolling patients 

Although enrolment in a primary health organisation (PHO) is voluntary, most New Zealanders enrol through their general practice to receive cheaper doctors’ visits and other subsidies. 

Patient enrolment 

Practices must enrol patients consistent with current Ministry of Health guidelines, which includes using the correct enrolment form and privacy statement. 

Entering ethnicity data
The collection of ethnicity data at the time of enrolment is used to help in health research and develop new treatments for different ethnic groups. The ethnicity question must be worded as specified by the Ministry of Health. See the ethnicity data protocols for the health and disability sector.

With the transition from a manual to an electronic enrolment system, the National Enrolment Service provides:

• a real time enrolment process used by all general practices
• an up to date data set to ensure accuracy of Capitation Based Funding (CBF) calculations
• validated NHI and up-to-date patient demographics, supporting accurate identification of enrolled population and clinical safety
• validated addresses using eSAM service, supporting accurate assignment of funding
• health identity and enrolment web services integration with PMS, creating a seamless experience for the user when interacting with health services.

Ethnicity data capture 
Providing quality ethnicity data will ensure the government is able to track health trends by ethnicity and effectively monitor its performance to improve health outcomes and reduce health inequities. 

Ethnicity data must not be transferred from a previous enrolment form as it may have been incorrectly collected. When collecting ethnicity, self-identification must be the process used to identify a patient’s ethnic group(s). The registration form includes a field to capture ethnicity data.  

It is unacceptable for the collector to guess any patient’s ethnicity or to complete the questions on behalf of the patient based on what they perceive to be the respondent’s physical appearance. 

Ethnicity capture must align with enrolment requirements for providers and primary health organisations. The ethnicity question must be worded as specified in the Ministry of Health policy. See the ethnicity data protocols for the health and disability sector.  

2.3 Newly enrolled patient records

Tracking of clinical records to, from, and within the practice
Patients and practices need assurance that any hardcopy health information transferred between providers reaches the intended recipient. Information management to track health records may be in an electronic or hardcopy format. Electronic tracking may be done by checking the PMS to confirm the electronic file has been successfully sent, and documenting this in a transfer out logbook. 

The internal tracking of a new patient’s medical file may involve a combination of electronic and hard copy notes. Each team member has a role in this process and it is important the practice has a process whereby the notes are correctly assigned to a GP and triaged for any recalls or critical follow-ups that are due.

Examples of tracking the receipt of health records by another authorised agency may include the inclusion of a fax-back form, the use of registered mail or courier packs with a signature required to authorise release and confirm receipt. The transfer of hardcopy notes between practices should only take place using track and trace services such as courier. The use of standard postal services is not considered secure.

Using an electronic system to transfer records
A system like GP2GP, which has the capability to transfer a patient’s files electronically from one general practice system to another, allows the transfer of records reliably, securely and accurately.

Records transfer policy 

Records Transfer Policy and Procedure should include:

• How the practice manages the transfer of clinical records in and out of the practice
• The method for tracking hard copy health records, for example, hard copy transfers use track and trace services such as courier
• The method for confirming electronic records have been sent/acknowledged.
• Timelines for transfers ‘out’ of patients’ medical notes which adhere to legislation (20 days legally but 10 days is recommended by RNZCGP)
• A process for the efficient managing of new patients’ medical information
• Roles and responsibilities of key practice team members processing the medical notes internally
• Timelines for the processing of medical notes internally

NB: Your practice policies/procedures, should adhere to the general structure suggested here (and include document control measures.  

2.4 Patient test results notification

How the practice communicates results with patients

The Health and Disability Commissioner recommends clinicians discuss the notification of test results with patients in advance; obtain, where possible, the patient’s consent to the notification of only abnormal results and encourage patients to call if they want confirmation of a normal result or have any questions (NZGP 3 April 2002).

The Health and Disability Commissioner states it is acceptable for clinicians to have a clear arrangement that patients will only be notified when test results are of concern. However, unless there is clear evidence that such an arrangement has been made, patients need to be told of all their results. It must be clear to patients they are entitled to notification of all test results, and that even if they agree to be notified only of abnormal results, they are welcome to call the practice and check if their results have been received and what they are.

The practice should provide information regarding test results through messages in the waiting and consult room, patient information sheets and practice website.

Practices should follow the Health and Disability Commissioner guidance on managing patient test results.

2.5 Environmental/physical privacy considerations

Maintaining physical and environmental privacy for patients is important to retain a trusting relationship and is necessary under the Code of Rights, in particular, rights 1, 3, 4 and 5.

Measures to maintain patient privacy in general practice may include ensuring that: 

• Curtains around examination beds are not see through and there are no open gaps.
  
• Conversations with patients regarding health information are not held in open areas where other patients or people can hear - background radios can help obscure conversations in open areas, such as a nurse’s station. 
• Sheets/covers are available for patient modesty.
  
• When talking on the telephone in open areas, using names or identifying information is avoided
• Private or sensitive phone conversations are held away from public areas. 
• Consultation and clinic procedure rooms are soundproof.
• There are locks are on all consultation and clinical procedure rooms.