Privacy Policy

Policy Statement

Beechworth Health Service, as a provider of Health Care, is committed to respecting the privacy of personal information and will take all practicable steps to maintain the privacy of individual personal information that is entrusted to the organisation for the provision of Patient/resident/client care or for employment by Beechworth Health Service.

Privacy - Health Records

Collection (HPP – 1)

Under the Health Records Act Beechworth Health Service may only collect health information that is necessary for its functions and must meet one of these requirements:  

Having the individual’s consent to collect the information; 

The collection is required or authorised by law; 

The information is necessary to provide a health service to an individual and if the client is not capable of consenting and it is not reasonably practicable to obtain the consent of that person’s authorised representative (or there is no authorised representative); 

Where there is a strong public interest, for example, where there is a serious and imminent threat to the life, health, safety or welfare of any person, or for research in the public interest; or 

If the collection is necessary for research or the compilation or analysis of statistics in the public interest.

If it is reasonable and practicable to do so, Beechworth Health Service staff must only collect health information about a client from that client;

Staff must take steps that are reasonable in the circumstances to ensure that the client knows who is collecting their information, the purpose of collection, and the main consequences if the information is not provided; 

The staff member must also inform the client that they may have access to their health information; 

Where information is collected from a third party, the staff must take steps that are reasonable in the circumstances to ensure that the subject of the information is, or has been, made aware of this. 

Quality of Information (HPP – 3)

All reasonable efforts should be undertaken to ensure data collected and disclosed is correct, current and relevant to the purpose for which it was collected.

Information Given In Confidence (HPP – 1)

Where information has been provided confidentially to Beechworth Health Service, the staff must: –  

Confirm with the person giving the information that they wish the information be kept confidential; 

Only record information if it is relevant to the provision of the health services to the client about whom the information relates; 

Take reasonable steps to ensure that the information is accurate and not misleading; and 

Take reasonable steps to record that the information has been given in confidence and is to remain confidential.

Security of Health Records (HPP – 4)

Beechworth Health Service staff must take reasonable steps to protect the health information BHS holds from misuse and loss, as well as unauthorised access, modification or disclosure. For example, hard-copy records are filed in a secure area (refer to medical records policy and procedures), client information is removed from public view, and computer work stations and fax machines are removed from high-visibility areas. In addition, electronic records that may contain client information must be protected by lockable screen savers, security of passwords and careful IT management.

Only the relevant members of a treating team may have access to health information. Arguably, administrative or support staff will not usually require access to many of the details contained in a complete client record. 

Use and Disclosure of Information (HPP – 2)

Beechworth Health Service and therefore its staff must only use or disclose health information for the primary purpose for which it was collected.

Secondary use or disclosure of health information by a health service provider is allowed in very limited situations, including:  

With consent given by the client at the time BHS staff collected the information or subsequently; 

If it would reasonably be expected by the client and is for a purpose which is directly related to the purpose for which it was collected; 

With the consent of the client’s authorised representative such as a guardian where the client is incapable of consenting;

If there is a serious and imminent threat to the life, health, safety or welfare of a client;

If the client is not capable of consenting and it is not reasonably practicable to obtain the consent of that person’s authorised representative (or there is no authorised representative), where the use or disclosure is reasonably necessary for the provision of the health service; 

Where there is a strong public interest, for example, where there is a serious and imminent threat to the life, health, safety or welfare of any person, or for research in the public interest; and 

For the purposes of activities such as quality assurance, and the funding and planning of health services (e.g. funding of public hospital services) in circumstances where the Beechworth Health Service has taken reasonable steps to de-identify the information. It also applies where the purpose cannot be served by using de-identified information and it is impracticable for the Beechworth Health Service to obtain the patient/resident/client’s consent.

Note: Disclosure of whether a person is an in-patient or not is outside the Health Records Act but included in the Health Services Act, Section 141. Nevertheless, staff should elicit whether or not a client wishes to have their in-patient status disclosed in ‘general terms’ (e.g. in ward ‘x’ and comfortable) to relatives/friends at the time of admission and their response and any exclusions should be documented. (DHS circular 22.7.2002)

Disclosure to a Family Member (HPP – 2)

In some circumstances it will be appropriate to disclose information to an immediate family member. These are:  

Where disclosure is necessary to provide appropriate care for the client or made for compassionate reasons; and 

Disclosure is limited to the extent reasonable for the purposes mentioned above; and 

Where a client is incapable of giving consent, disclosure is not contrary to any wishes expressed by the client on a prior occasion, where the provider could reasonably be aware of this situation; and 

Where a family member is under the age of 18 years, after consideration has been given to the maturity of the family member.

Where it is unclear as to whether or not a staff member may disclose information to a family member, guidance must be sought from the staff member’s supervisor and if necessary the BHS Privacy Officer who is the Chief Nursing Officer. 

Disclosure to another Health Service Provider (HPP – 2 & 11)

If a client requests that their health information is transferred to another health service provider, then a copy or written summary of that information must be transferred as soon as practicable.

Where a client does not request that information be transferred to another provider, information may still be disclosed where it is in accordance with the primary purpose for which information was collected. The primary purpose of most data collection will usually be the treatment or care of the patient/resident/client’s health. Therefore, transferring information to a specialist for further treatment would naturally fall within the primary purpose of collection.

Where it is unclear as to whether or not a staff member may disclose information to another health service provider, guidance must be sought from the staff member’s supervisor and if necessary the BHS Privacy Officer. 

Accessing of Medical Records by Clients (HPP – 6)

The Health Records Act provides rights of access to clients to their health information and to make corrections to it, where necessary. In the case of public sector agencies, which include BHS, the Freedom of Information Act will continue to be the only enforceable method of access. 

Exercising the Right of Access (Data post July 2002) (HPP – 6)

In relation to information collected after the commencement of the Health Records Act, the right of access can be exercised in the following ways: –  

Inspecting the health information and having an opportunity to take notes of the contents; or 

By receiving a copy of the health information; or 

By viewing the health information and, if it is held by a health service provider, having its content explained. 

Access to Information collected before the commencement of the Health Records Act (Pre July 2002) (HPP – 6)

There is a more restricted right of access to information that has been collected prior to the commencement of the Health Records Act. This recognises that existing records have been prepared with the expectation that the patient/resident/clients in question would not be able to access them.

The following is a list of the health information to which patient/resident/clients have a right to access, even if this information was collected before the commencement of the Health Records Act:  

The history of the health of the client, an illness or a disability; 

Any results of examinations or investigations; 

Any diagnosis, or preliminary diagnosis of an illness or disability; 

Management plans; 

Services provided; 

Personal information collected in connection with the donation of body parts, organs or substances; and 

Genetic information which could be predictive of health.

In these circumstances, Beechworth Health Service may agree to provide the client with any of the previously mentioned forms of access. However, without such an agreement, the organisation is only required to provide the client with an accurate summary of the health information listed above. 

Denying Access (HPP – 6)

Beechworth Health Service is required to provide access to health information unless the Health Records Act states otherwise. The following are some of the provisions allowing denial:  

Providing access would pose a serious threat to the life or health of any person; or 

Providing access would have an unreasonable impact on the privacy of other patient/resident/clients; or

The information relates to existing legal proceedings between the organisation and the client and the information would not be accessible by the process of discovery in those proceedings or is subject to legal professional privilege; or 

The information is subject to confidentiality; or 

Providing access would be likely to prejudice an investigation of possible unlawful activity or would be likely to prejudice a law enforcement function; or 

The request for access is of a kind that has been made unsuccessfully on at least one previous occasion and there are no reasonable grounds for making the request again; or 

The client has been provided with access to the health information and is making an unreasonable, repeated request for access to the same information in the same way. 

Notice of Refusal to Allow Access (HPP – 6)

Where access is denied to a client on the basis that the Beechworth Health Service believes, on reasonable grounds, that the provision of health information may pose a serious threat to the health of that client or any other person, a notice of refusal may include an offer to:  

Discuss the health information with the individual, or 

Arrange for a suitably qualified health service provider from another service (who may be nominated by the individual) to discuss the information with the individual.

If the nominated provider is satisfied that granting access does not constitute a serious threat to the life or health of the individual, the nominated provider may then allow the individual to inspect, or obtain a copy of the information. 

Processing a Request for Health Information (HPP – 6)

A request should be made in writing with details of the information required and how the individual would like to access the information.

If a request is not made in writing to Beechworth Health Service through its staff, BHS may ask the individual to do so.

In the first instance, the Privacy Officer will arrange for an access form to be sent to the client and assist with any enquiries about the process.

All requests for access to client information must be made in writing to the Freedom of Information Officer of Beechworth Health Service who is the CE incumbent.

Beechworth Health Service will respond to all requests for access to client information as soon as possible but no later than 45 days from receipt of a written request. The response will include detail of the results of the request, e.g. if access has been granted, the conditions under which it has been granted, or if access has not been granted, the reasons for the denial of access.

In cases where the Health Service provider is happy to provide the individual with access, it must indicate this fact and explain any applicable fees to the individual. Access should be provided within 7 days of receiving payment. 

Corrections to data (HPP – 6)

The client must make requests to correct information in writing and address this to the Privacy Officer for consideration.

The Privacy Officer will, where practicable, discuss requests to correct information with the person/s who have recorded the information prior to filing any corrections.

When making a correction, the original data must not be deleted or removed. A written statement from the individual with the corrected version of the information is filed in the Health Record.

If there is doubt as to the veracity of the data in the correction statement, these doubts should be discussed with the Chief Executive who will determine the management process of the individual’s request. This may require consultation with the Health Complaints Commissioner’s office. 

Fee for Access

Fees, to cover costs associated with allowing access to records, will be set in accordance with Government guidelines. The Chief Executive has the authority to waive the fee.

Identifiers (HPP – 7)

Identification numbers will only be applied for the purposes of effective management of client care and health records. 

Transborder Data Flows (HPP – 9)

Client personal and/or health information will only be transferred interstate or overseas where it is lawful to do so and where it meets the requirements of the Health Records Act 2001.

Storage (HPP – 4)

Storage of records will be in accordance with BHS policy. Destruction of Medical Records may only occur as detailed in the BHS Medical Records Policy and Procedures and in accordance with Law.

Personnel Files & Data

PRIVACY – PERSONNEL FILES/DATA

The Health Records Act does not apply to Human Resource, Finance or Administration documents. However the Information Privacy Act 2001 does apply to these documents.

Paid Staff & Volunteers

Paid staff and volunteers’ information must be handled in a similar manner to client information. Where information has been provided confidentially to Beechworth Health Service, the staff must: –

Confirm with the employee or volunteer giving the information that they wish the information be kept confidential;

Only record information if it is relevant to the employment of the staff member or engagement of the volunteer;

Take reasonable steps to ensure that the information is accurate and not misleading; and

Take reasonable steps to record that the information has been given in confidence and is to remain confidential.

 Storage of Staff and Volunteer Information

Documents and electronic data must be stored in a secure manner at all times. This pertains to all information regarding staff and volunteers such as rosters, phone numbers etc as well as to employee personnel records.

Accessing Staff / Volunteer Personnel Files

 Staff – 

The staff member, on request, has the right to view their personnel file. This will be undertaken in the presence of the Human Resources Officer (or delegate). The personnel file must not leave the Human Resources Office.

The Human Resource Officer, the Chief Executive and, for Nursing Division staff only, the Chief Nursing Officer are authorised to have access to a staff member’s file for the purposes of management of BHS. Access to the personnel files for the Chief Nursing Officer and Chief Accountant (however titled) is restricted to the Human Resource Manager, the Chief Executive and the President of the Board.

The Human Resource Officer is responsible for ensuring staff personal information is not accessible to unauthorised persons. All requests by an employee for access to their employee information must be made to the Human Resource Officer who will arrange appropriate access as soon as is practicable.

 Volunteers –

Similarly to staff, a volunteer’s personnel file may be composed of a wide range of documents that contain personal information that is not restricted to application forms and references.

The volunteer coordinator (however named) is responsible for ensuring Volunteer information is not accessible to unauthorised persons.

All requests by a volunteer for access to their volunteer information must be made to the Volunteer Coordinator (however named) who will arrange appropriate access as soon as is practicable.

 References re Staff or Volunteers

Requests for references in regard to employment/volunteering at BHS will not be granted unless the staff member/volunteer has authorised BHS to do so. Refer also HR policies.

Concerns Re: Privacy - Client, Staff & Volunteers

Patient/resident/client

Patients/residents/clients who are concerned that Beechworth Health Service may have handled their personal information inappropriately will be able to discuss this with the Privacy Officer. Where there is a perceived/actual conflict of interest, then the matter will be referred to the CE and managed by the CE.

Employees

Employees who are concerned that Beechworth Health Service may have handled their personal information inappropriately will be able to discuss this with the Chief Executive.

Volunteers

Volunteers who are concerned that Beechworth Health Service may have handled their personal information inappropriately will be able to discuss this with the Volunteer Coordinator in the first instance and if the issue is not resolved to the volunteer’s satisfaction, the Chief Executive.

Information Re: Client

Patient/resident/client

Information on BHS privacy practices will be available from the Privacy Officer who will ensure that information is widely disseminated throughout the Beechworth Health Service and be readily available to all patient/resident/clients. Information for patient/resident/clients will include a ‘Collection Statement’ that complies with the Health Records Act requirements.

Staff and Volunteers

Information regarding privacy will form a part of orientation programs. It will also be included in the Beechworth Health Service Code of Conduct.

Exemptions

Patient/resident/client Records

All client health records are subject to the Health Records Act and thus only disclosures approved under the Act may be made.

Disclosure of General Information re patients/residents/clients

Disclosure of whether a person is an in-patient or not is outside the Health Records Act but it is included in the Health Services Act, Section 141. Nevertheless, staff should elicit whether or not a client wishes to have their in-patient status disclosed in ‘general terms’ (e.g. in ward ‘x’ or ‘comfortable’) to relatives/friends at the time of admission and their response and any exclusions should be documented. (DHS circular 22.7.2002)

Outcome:

Patient/resident/client and staff information will be collected and handled in a responsible manner.

Patient/resident/client and staff rights to privacy and confidentiality are recognised and respected at all times.

Patient/resident/client and staff rights of access to personal information are managed in accordance with the relevant Acts.

Quality and Risk Management

An organisation-wide risk management program helps ensure that safe and/or appropriate practice is considered in all activities across BHS. This policy and its directly associated issues will be integrated into these processes.

There are developed continuous quality improvement systems and activities to demonstrate a commitment to improving performance in care and service delivery.

Issues and resulting actions identified through the auditing and risk analysis processes are to be linked into the various Quality processes (e.g. Quality Cycle, Annual Business Plans, Continuous Improvement Plans and Quality Activity Proposals/Reports etc).

Definitions

Privacy Act 1988 (Cwlth)

The Commonwealth Privacy Act operates to regulate privacy in relation to Federal public sector organisations.

Amendments to the Privacy Act came into effect on 21 December 2001. They operate to regulate the way private sector organisations in Australia will handle personal information.

Health information, for the purposes of the Privacy Act, is seen as a subset of personal information and subject to more stringent guidelines. Included in the Act are ten National Privacy Principles (NPPs) which outline the obligations of holders of personal information.

Information Privacy Act 2000 (Vic)

The Victorian State Government introduced the Information Privacy Act to regulate personal information that is held by public sector organisations in Victoria.

The Information Privacy Principles (IPPs) contained within this Act are closely aligned with the NPPs. The Information Privacy Act came into effect 1 September 2001 and compliance is required after twelve months. This Act does not apply to health information.

 Health Records Act 2001 (Vic)

The Health Records Act establishes a set of minimum privacy standards relating to the handling of health information held by both the Victorian public and private sectors. In addition, it provides patients/residents/clients with an enforceable right of access to their own health information where a private sector body holds it.

The Victorian Freedom of Information Act continues to govern an individual’s right of access to public sector health information, although this Act has been amended in order to make the two regimes broadly consistent.

The Health Records Act 2002 contains eleven Health Privacy Principles (HPPs) which are largely in harmony with the NPPs. These principles apply to health information and are restricted to that information that is physically recorded in some form whether written, electronically stored or in some other record such as an X-ray.

The Health Records Act applies to all Victorian businesses (profit and non-profit, public and private sectors) and persons that handle health information.

Interaction between the Health Records Act and Other Legislation

If a provision made in the Health Records Act is inconsistent with a provision made by or under any other Act then the other provision prevails. Therefore, laws that require the mandatory reporting of a medical condition, e.g. the Health Act 1958, or release of information, e.g. the Evidence Act 1958, and legislation that restricts disclosure, e.g. the Mental Health Act 1986, will continue to apply.
