Foundation Standard 2022 1.2.1
Purpose
To outline how Queen Street Doctors will ensure the confidentiality and privacy of personal and health information. The Privacy Act 2020 promotes and protects the privacy of information collected from and about an individual, and the Health Information Privacy Code 2020 (HIPC) regulates how health agencies (such as general practices, pharmacists, health insurers, hospitals, Primary Health Organisations, ACC and the Ministry of Health) collect, hold, use and disclose identifiable health information about their patients.
Scope
All practice staff: employees, contractors, locums, trainees and students working in or for Queen Street Doctors.
Responsibilities
- Under the Privacy Act 2020, agencies must follow a set of rules when handling personal information.
- The Health Information Privacy Code 2020 sets specific rules for agencies handling health information.
- Section 201 of the Privacy Act 2020 requires agencies to appoint a Privacy Officer who is responsible for dealing with access requests and other privacy matters.
- The practice will ensure all staff undertake training in the Privacy Act 2020 and the Health Information Privacy Code. New staff members must show evidence of previous training or undertake training during induction to the practice, and they must complete training updates from the Privacy Officer where necessary.
- All staff need to complete the Health ABC and Privacy ABC online training from the Privacy Commissioner website. If training was completed prior to December 2020, then Privacy 2020 will also need to be completed. (Frequency of training required: once only.)
Policy & Procedure
The practice staff will understand, comply with, and implement the requirements of the Privacy Act 2020 and Health Information Privacy Code 2020. The two key concepts are:
Purpose: Agencies must know why they are collecting health information and collect only the information they need. Once health information has been collected from a patient for a particular purpose, it can be used or disclosed for that purpose without additional consent.
Openness: Agencies need to let patients know how their information is going to be used and disclosed so the patients can make decisions about whether to provide it.
The Code’s 13 Health Information Privacy Rules substitute for the 13 Principles of the Privacy Act, and can be summarised as follows:
1. Purpose of collection of health information: Only collect health information if you really need it.
2. Source of health information: Get it straight from the people concerned where possible.
3. Collection of health information from individual: Tell them what you’re going to do with it.
3A. Collection of information from another source: What to tell the individual.
4. Manner of collection of health information: Be considerate when you’re getting it.
5. Storage and security of health information: Take care of it once you’ve got it.
6. Access to personal health information: People can see their health information if they want to.
7. Correction of health information: They can correct it if it’s wrong.
8. Accuracy of health information: Make sure health information is correct before you use it.
9. Retention of health information: Get rid of it when you’re done with it.
10. Limits on health information: Use it for the purpose you got it.
11. Limits on disclosure of health information: Only disclose it if you have a good reason.
12. Disclosure of health information outside of New Zealand: Can disclose if it is going to a place with comparable privacy safeguards to NZ.
13. Unique identifiers – NHI: Only assign unique identifiers where permitted.
The practice complies with the 13 key principles and rules, including collection, disclosure, access requests, storage, security, retention and disposal of health information. Specifically:
- Collection of health information
a. Only collect information we need for a specific purpose.
b. Collect information directly from the person concerned, where possible.
c. Tell the person concerned why the information is needed, who else will see it, where it will be stored, and that they have rights to access and seek correction.
d. Not be unfair, misleading, or unnecessarily intrusive in collecting that information. Care must be taken when collecting information from children or young persons.
e. Refer to Patient Data Sharing & “Opt-Off” (see below) for information on what to do when a patient does not want to share their health information.
f. Notify patients when personal information is collected indirectly from someone other than the person themselves. One of the exceptions to this is if the patient is already aware or has been informed that information will be sent to the practice.
- Disclosure of health information
a. The Code prohibits disclosure except for when the person concerned, or their representative (if the individual is dead or is unable to give their authority), has given their permission or where disclosure was one of the purposes for which the information was originally obtained.
b. Anonymised or statistical information is allowed to be disclosed, but there is close regulation on who may obtain information about identifiable individuals.
- Dealing with access requests to health information
a. People have a right to access information about themselves, and requests must be dealt with promptly (within 20 working days).
b. Parents or guardians of a child under 16 are their ‘representatives’ and have a limited right to access health information about their child. The request may be refused if it is against the child’s wishes or interests.
c. Refer to the practice ‘Patient Record Transfer Policy’ for information on transferring records to another practice.
- Correction of health information
a. People have a right to request correction of information that the practice holds about them. They can provide a statement of correction and request that this is added to their health information on record (e.g. patient medical notes in the PMS).
b. If the practice is not willing to amend the information in accordance with the request, the practice must append their statement of correction to the patient’s health information so it will be read along with this information.
- Confidentiality & security of health information – provisions for maintaining privacy in the practice’s physical environment
a. Filing cabinets, storage areas and unattended rooms will be locked when not in use and access restricted to authorised personnel.
b. The off-site storage used for storing records will be secure and records retrievable.
c. All information displaying or containing patient information will be kept securely, away from or out of view of unauthorised people.
d. Verbal information relating to an identified patient’s health history and/or results will not be relayed in public areas.
e. Written documentation should be placed face down on desktops.
f. Staff must ensure that any information displayed on PMS screens is not visible to the public and that, in consulting rooms, it relates only to the patient who is present.
g. Emails sent from the practice will contain a privacy caution in the footer.
h. Identifiable information no longer required by the practice will be destroyed or deleted in a secure manner, e.g. secure document destruction bins.
- Retention of health information
a. In accordance with the Health (Retention of Health Information) Regulations 1996, the minimum retention period of 10 years begins from the day after the date shown in the health information as the most recent date on which a provider provided services to that individual.
- Patient Data Sharing and “Opt-Off”
a. Personal health information (patient data) is collected in the Practice Management System (PMS). In the enrolment process patients review documentation on the use and confidentiality of their health information and provide consent to sharing some of their data.
b. Patient data can include:
• Name, date of birth, gender, address, ethnicity, citizenship, NHI number
• Medical conditions and measurements
• Health services being provided e.g., medications, immunisations, health screening, lab results
• Financial transactions
c. Patient data does NOT cover the information from the consultation notes (progress notes the GP makes on the patient file).
d. Sharing patient data helps to improve care for individuals. Collecting patient data from many people can be used to improve health services, care for other patients and future generations as well as community wellbeing. It also assists in allocating subsidies which reduce the cost of GP visits.
e. Patient data can be shared with the Ministry of Health, the Primary Health Organisation (PHO) and “Your Health Summary”, which provides access to a summary health record for emergency services.
f. There is an “opt-off” option in the MedTech, My Practice and Indici PMS systems that practices can use for those patients who choose not to share their data. Patients do need to be aware that opting off may affect some of their healthcare services, e.g. recalls and the cost of their visit.
g. Refer to the ProCare Members Website for more information and forms/templates to use.
Privacy Officer Responsibilities
Responsibilities of the Privacy Officer include:
- The Privacy Officer shall have completed the necessary training: Health 101, Privacy 101 and Privacy 2020 (https://elearning.privacy.org.nz/). Privacy Breach Reporting training is highly recommended.
- Ensuring staff training records are up to date and all staff have completed the Health ABC & Privacy ABC training (https://elearning.privacy.org.nz/). If privacy training was completed prior to 1st December 2020, then Privacy 2020 is also to be completed.
- Ensuring that the practice has the required privacy policies and procedures up to date and stored in a readily accessible format.
- Ensuring that all team members have read and understood the policies and procedures and have updated their personnel training record to that effect.
- Ensuring that the practice complies with the Privacy Act in relation to employees, and the Health Information Privacy Code in relation to patient information.
- Dealing with requests made to the practice about personal or employment information.
- Briefing the practice team on changes to practice processes.
- Alerting the practice team to privacy complaints received and what will be done to prevent the same thing happening again.
- Upskilling the practice team on workshop information / case studies, i.e. providing training in practice team meetings.
- Overseeing the orientation/induction privacy process.
- Overseeing privacy breach management and the Contain/Assess/Notify/Prevent process.
- Ensuring that the privacy complaints are dealt with in the correct manner, are tabled as an agenda item at practice team meetings and working with the Privacy Commissioner or investigating officer should the need arise.
- Ensuring that there are clear guidelines on which practice roles can access patient information (e.g. PMS access), and that handling of health information is performed according to practice policies and procedures.
Confidentiality Agreements
- All practice team members will have signed confidentiality agreements which are held in the staff member’s personnel file. A confidentiality clause in their signed employment agreements is also acceptable.
- All contractors will have signed a confidentiality agreement.
- All healthcare students working in the practice for a defined time will have signed a confidentiality agreement.
Privacy Breaches
A privacy breach occurs when there has been, either intentionally or accidentally:
- Unauthorised or accidental access to personal or identifiable health information.
- Disclosure, alteration, loss, or destruction of personal or identifiable health information.
- A situation where access to personal or identifiable health information is blocked, e.g. by hacking.
Personal information is any piece of data about an identifiable individual. The information does not necessarily need to name someone if they are identifiable in other ways, such as through their contact details or NHI number.
This is also applicable for staff, and the practice needs to be cognizant of what personal information is appropriate for general release e.g., staff mobile phone numbers.
Common privacy breaches include:
- Personal information being sent to the wrong postal or email address.
- Employees accessing or sharing personal information without authorisation (known as employee browsing).
- Computers, removable storage devices or documents containing personal information being lost or stolen.
- Organisations losing the ability to access personal information on their systems.
The Privacy Officer needs to be notified when there is an awareness of any privacy breach or even a near miss. This will provide an opportunity through the incident management process to examine how practice processes of handling personal or patient health information can be improved.
Mandatory Breach Notification
The Privacy Act 2020 has introduced a privacy breach notification regime. Under this Act, if your organisation or business has a privacy breach that either has caused or is likely to cause anyone serious harm, you must notify the Privacy Commissioner and any affected people as soon as you are practically able.
The expectation is that a breach notification should be made to the Office of the Privacy Commissioner (OPC) within 72 hours. The Act clarifies that liability for breach notifications sits with the business or organisation, not with individual employees.
It is important to note that not all privacy breaches need to be reported to the OPC. The threshold for a notifiable breach is ‘serious harm’. This can be assessed by considering, for example, the sensitivity of the information lost, the actions taken to reduce the risk of harm, the nature of the harm that could arise, and any other relevant matters.
NotifyUs, on the Privacy Commissioner website, lets organisations and businesses work out whether a privacy breach is notifiable and then report it.
The practice Privacy Officer is to lead the response as quickly as possible. This will help minimise any harm caused to the affected people and the practice.
There are four key steps in dealing with a privacy breach: Contain, Assess, Notify and Prevent.
- Complete the first three steps (Contain, Assess, Notify) either at the same time or in quick succession.
- Use step four (Prevent) to come up with longer-term solutions and prevention strategies.
Each situation will need to be assessed separately, before actions are taken, and practices should follow their incident management system to document the process.
General Practitioners can also involve their indemnity providers for further information.
Related Legislation
Privacy Act 2020
Health Practitioners Competence Assurance Act 2003
Health (Retention of Health Information) Regulations 1996
References/Resources/Websites
The Office of the Privacy Commissioner https://privacy.org.nz/
Recommended resources from the Office of the Privacy Commissioner
https://privacy.org.nz/news-and-publications/brochures-posters/
- Privacy and CCTV: A guide to the Privacy Act for businesses, agencies and organisations
- Health Information Privacy Code (HIPC) 2020
- Good Privacy is Good Business (free)
- Health Information Check–up (free)
- On the Record, a Practical Guide to Health Information Privacy, 2nd edition