Policies and Procedures

Personal information - confidentiality

    1. Procedure statement

    The Royal Children's Hospital (RCH) upholds strict confidentiality of personal information for the benefit of patients and staff. Confidentiality of personal information provides a secure environment for the provision of quality care and service for patients.

    2. Persons Affected

    All employees, contractors, honorary appointments, board members, students, observers, and volunteers of the RCH.

    3. Definition of terms

    Confidentiality is the right of an individual to not have personally identifiable information disclosed to others without that individual's express informed consent.

    Medical Record is a manual or electronic record containing a patient’s health and personal information, status, and treatment.

    IBA WebPAS is the hospital's patient administration system.

    EMR is the electronic medical record system that was implemented at RCH in April 2016. 

    4. Responsibility

    Staff who come into contact with or have access to patient / staff / other information have a responsibility to maintain the confidentiality of that information.

    Department Heads are responsible for taking appropriate action where confidentiality has been or may be breached.

    5. Criteria

    From 8th August 2020, a shared Electronic Medical Record (EMR) between RCH, the Royal Melbourne Hospital, The Royal Women’s Hospital and Peter MacCallum Cancer Centre (the Parkville Health Services) allows the Parkville Health Services to access a patient’s record if that patient has been treated at any of the Parkville Health Services. Staff at each of the Parkville Health Services are required to adhere to their health service’s policies and procedures regarding the collection, use, and disclosure of patient information, including this procedure. Staff must only access records contained in the EMR as required as part of their role (e.g. if involved in or supporting care and treatment of that patient). Access to the EMR is audited regularly to monitor staff compliance. The records may not be retained locally or deleted. They may not be printed, disclosed, used, or amended for reasons other than patient care and treatment and only in accordance with RCH policies and procedures.

    What is the legal basis of my obligation to maintain privacy/confidentiality?

    The legal obligation of the hospital and its staff to maintain patient privacy/confidentiality is detailed in:

    • Section 141 Health Services Act 1988;
    • The Health Privacy Principles contained in Schedule 1 to the Health Records Act 2001;
    • Section 120A of the Mental Health Act 1986;
    • The Information Privacy Principles in the Privacy and Data Protection Act (Vic) 2014; and
    • Part 6A of the Child Wellbeing and Safety Act 2005 (Vic) supported by:
      • Child Legislation Amendment (Information Sharing) Act 2018 (Vic)
      • Child Wellbeing and Safety (Information Sharing) Regulations 2018 (Vic).  

    The legal obligation to maintain privacy/confidentiality applies to the collection, use and disclosure of personal information.  

      What is the RCH's policy on patient privacy/confidentiality?

        All staff must not use or disclose information of a personal nature, except to the extent that it is required, authorised or permitted under law.

        Health Privacy Principle 1 under the Health Records Act 2001 requires that health services before, at or near, the time of collection, notify the individual of certain details including the organisation's contact details, the purpose of collection, the individual's right to access health information, and the usual disclosures.

        All patients should be provided with the "Privacy of your Personal Information" brochure on presentation to the hospital.  In accordance with the requirements of the Health Records Act, this brochure:

        1. Explains to the patient why their information is collected, what it is used for and when and to whom it may be disclosed
        2. Provides a means of obtaining a patient's consent to the disclosure of information unless the patient specifically elects not to disclose certain information.

        Unless a patient chooses not to disclose certain information, the patient's consent to the use of their health information as outlined in the brochure is implied and further written consent is not required.  This arrangement is known as an "opt out" arrangement.

        Where a patient chooses not to consent to the disclosure of information to their GP, hospital staff need to ensure the consent for info release flag is set correctly on IBA.  Patients can change their mind at any time.

        When, legally, can I breach patient privacy/confidentiality?

        Under section 141 of the Health Services Act 1988, staff must not disclose identifying information about a patient, unless that information is:

        1. Given with the patient's prior consent, or if the patient has died, with the consent of the senior available next of kin;
        2. Given to a court in the course of criminal proceedings;
        3. About the condition of a patient and is given in general terms;
        4. Given by medical staff to the next of kin or a near relative of the patient, who is not a patient under the Mental Health Act 1986, in accordance with recognised customs of medical practice;
        5. Given to a guardian, family member or primary carer of a person who is a patient under the Mental Health Act 1986 and that information is required for the patient's ongoing care, and that guardian, family member or primary carer is involved in providing that care;
        6. Given to the Red Cross for the purpose of tracing blood infected with any disease or the donor or recipient of that blood;
        7. Required for the further treatment of a patient;
        8. When information is going to be shared with health care providers external to the RCH, the patient should consent before the information is released. For example, if copies of pathology results are going to be sent to the patient's GP, the patient should be informed when the tests are ordered.
        9. Where requests for patient information must be dealt with immediately to provide emergency patient care, information can be given without specific patient consent. Section 141 of the Health Services Act governs disclosure by public hospitals, and persons who work in hospitals, to those outside the hospital environment.
        10. Given in accordance with an agreement under section 53(1) or 69B(1) of the Health Services Act 1988;
        11. For a purpose other than the primary purpose for which the information was collected, where that other purpose is directly related to the primary purpose, and the individual would reasonably expect the Health Service to use or disclose the information for that purpose;
        12. For funding, management, planning, monitoring or evaluation of the health services or the training of employees provided that steps have been taken to de-identify that information, or the purposes require identifiable information and it is not practical to obtain consent;
        13. Necessary to be used or disclosed to lessen or prevent either a serious and imminent threat to an individual's life, health, safety or welfare; or a serious threat to public health, safety or welfare;
        14. Necessary to be used or disclosed for the establishment, exercise or defence of a legal or equitable claim;
        15. Used or disclosed in prescribed circumstances;
        16. Necessary to identify or locate an individual known or suspected to be dead, missing or involved in some accident or adventure and incapable of consenting to the use or disclosure, and that use is not contrary to any wish of the individual;
        17. Provided to an insurer in relation to a notification, claim or potential claim;
        18. Given to the Australian Statistician;
        19. Given for the purpose of medical or social research but only on condition that the use of the information has been approved by the RCH Research & Ethics Committee;
        20. Given for the purpose of a Casemix audit;
        21. Given to or by persons engaged by a public hospital or denominational hospital, or a multi-purpose service or community health centre in the course of carrying out support functions as designated by the Governor in Council by Order published in the Government Gazette, or
        22. Given to or by an information sharing entity in accordance with Part 5A of the Family Violence Protection Act 2008 (Vic),
        23. Given to or by an information sharing entity or a restricted information sharing entity in accordance with Part 6A of the Child Wellbeing and Safety Act 2005 (Vic),
        24. Given to or by a Child Link user or the Secretary to the Department of Education and Training in accordance with Part 7A of the Child Wellbeing and Safety Act 2005 (Vic), or
        25. Provided to a person whom in the opinion of the Minister is in the public interest. 

        If you are unsure whether your situation is covered, or if you have any queries, you should speak with your manager, RCH Privacy Officer or Legal Services before giving out any information.

        What are my obligations when information is given "in confidence"?

        When information is given "in confidence" to the RCH about a patient by a person other than the patient (that is a request that it not be communicated to the patient to whom it relates) staff must:

        •  Record the information in the patient's medical record, in a separate EMR note template, only if it is relevant to the provision of health services to, or the care of, the patient;
        •  Take reasonable steps to ensure that the information is accurate and not misleading; and
        •  Take reasonable steps to record that the information is given in confidence and it is to remain confidential.

          What strategies can I take to maintain personal privacy/confidentiality?

          Only access information if it is relevant to your work.

          Do not divulge, copy, release, sell, loan, review, alter or destroy any personal information unless it is part of your job. If it is part of your job to do any of these tasks, staff are to follow the correct RCH procedure (such as putting confidential papers in appropriate security bins).

          Verbal information must be protected. All staff need to be mindful of where they carry out discussion of patient care. Conversations regarding patients must not be conducted in the presence of, or be heard by, unauthorised persons.

          Patient and staff information (e.g. addresses or diagnosis) must never be discussed with friends or relatives without the appropriate consent.

          Patient information should only be discussed between clinical staff involved in the care and treatment of the patient.

          Confidentiality of information may be breached when communicating personal information. Staff should be aware of and follow the RCH procedure when using the fax or phone to communicate personal information. Refer to procedure: Personal Information - Security.

          Staff should be aware of situations involving young persons, whereby the patient may not want information or details of their condition relayed to their parent/guardian.

          All personal information for patients and staff is protected according to the RCH procedure. In certain circumstances patients or staff may request additional measures to protect their personal information. Refer to procedure: EMR - Privacy Functionality in the EMR.

          Nothing in this procedure shall prevent an employee from supplying appropriate personal information to the Union/Professional Body in relation to probable, threatened or actual grievance or industrial dispute.

          The highest standards of confidentiality are expected within the RCH. Any violations of the confidentiality procedure will be addressed through the Department Manager, Human Resources and the Privacy Officer and could result in termination of employment.

          Examples of "breaches of confidentiality" include:

          • Divulging personal information without consent.
          • Telling a relative or friend about a patient or staff member at the RCH.
          • Gossiping about patients or staff.
          • Reading medical records when it is not in the course of work duties.
          • Discussing patient information in lifts or corridors.
          • Accessing pathology results of family, friends or co-workers.
          • Accessing a medical record or components of the patient record that are not required for you to do your work.
          • Accessing electronic systems that you are not authorised to access through password sharing.

          6. Special provisions/reference documents (which may be referred to)

          • Child Wellbeing and Safety Act 2005 (Vic)
          • Children and Young Person's Act 1989
          • Family Violence Protection Act 2008 (Vic)
          • Health Records Act 2001
          • Health Services Act 1988
          • The Privacy and Data Protection Act (Vic) 2014