Privacy Policy
Purpose
This document outlines the practice's privacy policy, in line with the Privacy Act 2020, which promotes and protects the privacy of individuals' personal information, and the Health Information Privacy Code 2020 (HIPC), which specifically governs the management of health information.
Scope
All staff must comply with the following rules when collecting, using, storing, or disclosing patients' personal or health information, or information about the treatment they are receiving.
Policy
The practice team members will understand, comply with and implement the requirements of the Privacy Act 2020 and the Health Information Privacy Code 2020, as outlined in this document, which sets out the processes staff must follow when handling personal and health information.
- The practice Privacy Officer is Dwayne Stewart. They have received training and are aware of their responsibilities.
- The practice will collect personal and health information in a manner that complies with the Privacy Act and the Health Information Privacy Code.
- Only collect the information for the purpose of treating the patient or for some other lawful purpose;
- Collect the information directly from the patient unless they have consented to you collecting it from someone else, or one of the other exceptions to this rule applies;
- Collect information from children and young people in a fair manner;
- Let the patient know why you are collecting the information, who will have access to it, and that they are entitled to access and correct it. You do not need to tell patients this if you have collected the same type of information from them before;
- Collect information in a way that does not identify the patient where that is appropriate.
- The practice complies with the Privacy Act and Health Information Privacy Code requirements when using personal and health information.
- When we have collected personal information from an individual for one purpose, it cannot be used for any other purpose without the individual's consent.
- There are some exceptions to this principle, for example where the information is publicly available, or where it is used in a way that does not identify the individual. The full list of exceptions is set out in the Privacy Act.
- Before using individuals’ personal information, you must do what you can to make sure that the information is accurate and up to date.
- The practice complies with the Privacy Act and Health Information Privacy Code when storing and destroying personal and health information.
- You must ensure that the personal information that our practice holds is stored securely so that it cannot be accessed or used by unauthorised people.
- When you transfer patients’ health information to someone else, you must do what you can to prevent unauthorised people from accessing or using the information.
- Our practice can keep patients’ health information for as long as we need the information to treat patients and must keep patients’ health information for a minimum of 10 years from the date that treatment was last provided.
- Our practice must destroy patients'/clients' information in a way that ensures its confidentiality: confidential material is shredded on site or placed in a secure destruction bin (see Destruction of Confidential Material below).
- Patients/clients are entitled to ask our practice to confirm whether we hold information about them and to access the information unless we have lawful reasons for withholding the information.
- Patients/clients are also entitled to ask our practice to correct the information that we hold about them.
- You must assist patients/clients who ask to access their information.
- The practice complies with the Privacy Act and Health Information Privacy Code requirements when disclosing health information. You must not disclose a patient’s information without their consent (or the consent of their representative) unless you reasonably believe that it is not possible for you to get the patient’s consent and:
- the disclosure is for the purposes of the patient’s treatment (e.g. a referral);
- the disclosure is to the patient’s caregiver and the patient hasn’t objected to the disclosure;
- it is necessary for you to disclose the information to prevent a serious and immediate threat to the patient or another person’s life or health;
- the disclosure is made for the purposes of a criminal proceeding;
- the patient is, or is likely to become dependent on a drug that you need to report under the Misuse of Drugs Act or the Medicines Act;
- the disclosure is to a social worker or the police and concerns suspected child abuse;
- the disclosure is made by a clinician to the Director of Land Transport Safety and concerns the patient’s ability to drive safely.
- You must consult our practice's Privacy Officer before disclosing a patient's health information without their consent.
- The practice complies with the Privacy Act and Health Information Privacy Code when correcting health information.
- The practice has a process for dealing with privacy breaches and breach notification, in line with the requirements of the Privacy Act.
- The practice will follow the process outlined when dealing with requests for information.
Request For Information Procedure
i) Make contact with the patient requesting access, confirm the requester's identity, and determine the legitimacy of the request.
ii) Agree a timeframe within which a decision on providing access to the information will be made. This must be as soon as practicable and no later than 20 working days after the request was made.
iii) Advise the patient’s general practitioner of the request.
iv) In consultation with the general practitioner, establish if there are any grounds on which to withhold any information and if so, take appropriate action.
v) Contact the patient and agree when, where and in what format information will be provided. Where possible this should be in the format preferred by the patient and may include:
- Inspection of the documents
- Providing a copy of the document. N.B. Patients are not entitled to demand original documents
- Hearing or viewing audio or video tapes
- Supplying transcripts
- Supplying a summary of information
- Orally
Patients or their authorised agents may only be charged for making information available in extraordinary circumstances, e.g. if they have requested the same information within the preceding 12 months. Information may not be withheld, nor any charge made, on the grounds that the patient has an outstanding account with the practice.
- The practice will ensure confidentiality of information.
- The practice will follow the process outlined to deal with transferring patient’s information.
Procedure For Transferring Records
- Patients records will be transferred to other providers on receipt of a written request. The request must include the written or documented verbal consent of the patient.
- Requests for the transfer of notes will be forwarded to Reception who will:
- Document in the Patient notes that the request is received.
- Advise the patient’s general practitioner of the request.
- Organise the transfer, ensuring copies of all notes are retained.
- Scan a copy of the request to the Patients File
- Ensure the transfer is completed within 10 working days of receipt of the request.
- Patients transferring into this practice will complete a form requesting their notes are transferred in. Reception staff will be responsible for ensuring the patient understands that the purpose of this is to facilitate the provision of effective primary care and give the patient all information they require to allow them to give their informed consent to this request.
- Reception staff must ensure the request for the transfer of notes is forwarded within 5 working days of the patient giving their informed consent to the request.
- On receipt of the notes, Administration will make up a file, ensure all details are correct on the PMS (practice management system), and pass the file to the Nurse for classification.
- The practice displays a privacy poster in the waiting room.
- The practice has brochures relating to the Privacy Act and HIPC available for patients. These can be found at the front desk
- The Privacy Act and HIPC will be covered in the practice induction process.
Security of Information Within the Practice
- Anything displaying or containing health information (e.g. patient notes and results) will be kept away from, or out of view of, unauthorised people.
- Patient history and results will be relayed away from public areas.
- Filing cabinets containing confidential documents and storage areas are locked when not in use and access restricted to authorised personnel.
- When a staff member leaves, their keys are returned and alarm codes are changed.
- Any patient or staff identifying information no longer required by the practice will be destroyed by shredding, in a manner which prevents identification of the patient or staff member.
Privacy officer
The Privacy Officer has overall responsibility for privacy issues in the practice, but all staff are responsible for ensuring they keep up to date with their obligations under this legislation.
Privacy Officer role:
- Ensure that the practice has a current privacy policy and procedures and that all staff can easily access these documents.
- Ensure that all staff members have read and understood the policy and procedures, and this has been documented.
- Ensure that the practice complies with the Privacy Act, both in regard to personal patient information and employee information.
- Deal with requests made to the practice about personal or employment information.
- Ensure compliance with the Health Information Privacy Code in relation to patient information.
- Brief the practice team on changes to legislation and/or practice processes.
- Use team meetings to discuss privacy complaints received, the part of the procedure that failed and ways to improve the process.
- Continuous improvement process and education.
- Induction of new staff on Privacy and HIPC.
- Source suitable training opportunities.
- Ensure that any complaints received are dealt with in accordance with legislation. If a complaint is referred to the Office of the Privacy Commissioner, work with them to resolve it.
- Provide clear guidelines to staff around who has access to health information and how it is handled.
Privacy Breaches
Agencies are now legally required to notify privacy breaches that have caused, or are likely to cause, serious harm to an individual or group. There are three reasons why this is important:
- People cannot protect themselves from the impact of privacy breaches if they do not know a breach has occurred
- The speed at which data can be transferred and copied means the potential for harm is much greater
- Sharing the lessons from privacy breaches that have already occurred can help to prevent similar breaches in the future
If a notifiable privacy breach occurs (one that has caused, or is likely to cause, serious harm to an individual or group), the practice must notify both the Privacy Commissioner and the affected people as soon as practicable. The Office of the Privacy Commissioner has developed a NotifyUs tool which will help you to decide whether a breach meets the notification threshold. Failure to notify the Privacy Commissioner could result in a penalty of up to $10,000.
Examples of likelihood of serious harm being caused by a breach include:
- Physical harm or intimidation
- Financial fraud including unauthorised credit card transactions or credit fraud
- Family violence
- Psychological, or emotional harm
When assessing whether a privacy breach is likely to cause serious harm, and therefore whether it is a notifiable privacy breach, you must consider the following:
- any action taken by the agency to reduce the risk of harm following the breach;
- whether the personal information is sensitive in nature;
- the nature of the harm that may be caused to affected individuals;
- the person or body that has obtained, or may obtain, the personal information as a result of the breach (if known);
- whether the personal information is protected by a security measure (e.g. encryption);
- any other relevant matters.
If you think a data breach has occurred
- Inform the Privacy Officer/management as soon as you become aware of a data breach
- The Privacy Officer/management will notify the Privacy Commissioner and potentially affected individuals of the privacy breach where the breach has caused, or is likely to cause, serious harm
- The breach notice made by the Privacy Officer/management must contain:
- Information around the breach itself
Confidentiality
All staff members have understood and signed a confidentiality agreement as part of their employment agreement or contract of service. The obligations under this clause extend after the agreement or contract has ended.
Destruction of Confidential material
All confidential material is either shredded on site or placed in a secure destruction bin.
IT Security
Each staff member has their own unique login name, protected by a password of at least 8 characters containing a mix of letters and numbers. Logins must not be shared. The system issues an automatic reminder to change your password every 3 months.
Patient Portal Access/Security
MyIndici is hosted by the vendor on a secured offsite server (see IT policy).
Patient registration for MyIndici is consented to on the enrolment form or on a separate written consent form. This is usually done during the first enrolment visit or at any other clinic visit, with a check of the patient's identity.
The patient then provides a login email address. An activation code and instructions are sent to the nominated email address. Once the patient has read and agreed to the registration instructions, they click the link to activate their registration. This completes their consent to use MyIndici as an online portal to view their own clinical records, request repeat prescriptions, and send secure messages to the clinic team.
Staff access to MyIndici is through the secured PMS login.
Staff are automatically prompted by the system to change their login password every 90 days.
Health information privacy rules
The Health Information Privacy Code 2020 contains 13 rules, which cover:
- The purpose of collection of health information
- Source of health information
- Collection of health information from an individual
- Manner of collection of health information
- Storage and security of health information
- Access to personal health information
- Correction of health information
- Accuracy of health information to be checked before use
- Retention of health information
- Limits on use of health information
- Limits on disclosure of health information
- Disclosure of health information outside New Zealand
- Unique identifiers
Staff Training
- All staff will undergo training on the need for security of patient records and on when information may be accessed, used and disclosed. Initial training will occur as part of the staff orientation programme. Ongoing training is provided to meet the practice's and individual staff members' needs.
- Staff should be aware of current security policies, such as never disclosing passwords or usernames over the telephone to unidentified persons.
- Staff will remain vigilant about who is using practice computers.
- The Privacy Officer must be consulted before any information identifying staff or patients is copied to a portable media.
Complaints
Any complaint relating to the privacy of information will be received and managed in accordance with the practice's complaints policy and procedure.
Policy Review
This policy will be reviewed by February 2026.
Document History
| Version | Date Approved | Approved By | Brief Description |
|---|---|---|---|
| Version 3.1 | 1/02/2024 | Dwayne Stewart | Reviewed by Dr Hayley Scott |
| Version 3.0 | 27/05/2023 | Dwayne Stewart, Business Manager | Superseded by version 3.1. Prepared by: Dr Hayley Scott, GP/Director |