1. Procedure statement
The
Royal Children's Hospital (RCH) upholds strict confidentiality of
personal information for the benefit of patients and staff. Confidentiality of
personal information provides a secure environment for the provision of quality
care and service for patients.
2. Persons Affected
All employees, contractors, honorary appointments, board members, students, observers, and volunteers of the RCH.
3. Definition of terms
Confidentiality
is the right of an individual to not have personally identifiable information
disclosed to others without that individual's express informed consent.
Medical
Record is a manual or electronic record containing a patient’s health and
personal information, status, and treatment.
IBA WebPAS is the hospitals’ patient administration system.
EMR
is the electronic medical record system that was implemented at RCH in
April 2016.
4. Responsibility
Staff
who come into contact with or have access to patient /staff / other information have a responsibility to maintain the confidentiality of that information.
Department Heads
are responsible for taking appropriate action where confidentiality has been or may be breached.
5. Criteria
From
8th August 2020, a shared Electronic Medical Record (EMR) between RCH, the
Royal Melbourne Hospital, The Royal Women’s Hospital and Peter MacCallum Cancer
Centre (the Parkville Health Services) allows the Parkville Health Services
to access a patient’s record if that patient has been treated at any of the
Parkville Health Services. Staff at each of the Parkville Health Services are
required to adhere to their health service’s policies and /procedures regarding
the collection, use, and disclosure of patient information, including this
procedure. Staff must only access records contained in the EMR as required as
part of their role (e.g. if involved in or supporting care and treatment of
that patient). Access to the EMR is audited regularly to monitor staff
compliance. The records may not be retained locally or deleted. They may not be
printed, disclosed, used, or amended for reasons other than patient care and
treatment and only in accordance with RCH policies and procedures.
What is the legal basis of my obligation to maintain privacy/confidentiality?
The legal obligation of the hospital and its staff to maintain patient privacy/confidentiality is detailed in:
- Section 141 Health Services Act 1988;
- The Health Privacy Principles contained in Schedule 1 to the Health Records Act 2001;
- Section 120A of the Mental Health Act 1986, and.
- The Information
Privacy principles in the Privacy and
Data Protection Act(Vic) 2014.
and
- Part 6A of the Child
Safety and Wellbeing Act 2005 (Vic) supported by:
- Child Legislation Amendment (Information Sharing)
Act 2018 (Vic)
- Child Wellbeing and Safety (Information Sharing) Regulations 2018
(Vic).
The legal obligation to maintain privacy/confidentiality applies to the collection, use and disclosure of personal information.
What is the RCH's policy on patient privacy/confidentiality?
All
staff must not use or disclose information of a personal nature, except to the
extent that it is required, authorised or permitted under law.
Health
Privacy Principle 1 under the Health Records Act 2001 requires that health
services before, at or near, the time of collection, notify the individual of
certain details including the organisation's contact details, the purpose of
collection, the individual's right to access health information, and the usual
disclosures.
All
patients should be provided with the "Privacy of your Personal
Information" brochure on presentation to the hospital. In accordance
with the requirements of the Health Records Act, this brochure:
-
Explains to the
patient why their information is collected, what it is used for and when and to
whom it may be disclosed
-
Provides a means
of obtaining a patient's consent to the disclosure of information unless the
patient specifically elects not to disclose certain information.
Unless
a patient chooses not to disclose certain information, the patient's consent to
the use of their health information as outlined in the brochure is implied and
further written consent is not required. This arrangement is known as an
"opt out" arrangement.
Where
a patient chooses not to consent to the disclosure of information to their GP
hospital staff need to ensure the consent for info release flag is set
correctly on IBA. Patients can change their mind at any time.
When, legally, can I breach patient privacy/confidentiality?
Under section 141 of the Health Services Act 1988, staff must not disclose identifying information about a patient, unless that information is:
- Given with the patient's prior consent, or if the patient has died, with the consent of the senior available next of kin;
- Given to a court in the course of criminal proceedings;
- About the condition of a patient and is given in general terms;
- Given by medical staff to the next of kin or a near relative of the patient, who is not a patient under the Mental Health Act 1986, in accordance with recognised customs of medical practice;
- Given to a guardian, family member or primary carer of a person who is a patient under the Mental Health Act 1986 and that information is required for the patient's ongoing care, and that guardian, family member or primary carer is involved in providing that care;
- Given to the Red Cross for the purpose of tracing blood infected with any disease or the donor or recipient of that blood;
- Required for the further treatment of a patient;
- When information is going to be shared with health care provider's external to the RCH, the patient should consent before the information is released. For example, if copies of pathology results are going to be sent to the patient's GP, the patient should be informed when the tests are ordered.
- Where requests for patient information must be dealt with immediately to provide emergency patient care, information can be given without specific patient consent. Section 141 of the Health Services Act governs disclosure by public hospitals, and persons who work in hospitals, to those outside the hospital environment.
- Given in accordance with an agreement under section 53(1) or 69B(1) of the Health Services Act 1988;
- For a purpose other than the primary purpose for which the information was collected, where that other purpose is directly related to the primary purpose, and the individual would reasonably expect the Health Service to use or disclose the information for that purpose;
- For funding, management, planning monitoring or evaluation of the health services or the training of employees provided that steps have been taken to de-identify that information, or the purposes require identifiable information and it is not practical to obtain consent;
- Necessary to be used or disclosed to lessen or prevent either a serious and imminent threat to an individual's life, health, safety or welfare; or a serious threat to public health, safety or welfare;
- Necessary to be used or disclosed for the establishment, exercise or defence of a legal or equitable claim;
- Used or disclosed in prescribed circumstances;
- Necessary to identify or locate an individual known or suspected to be dead, missing or involved in some accident or adventure and incapable of consenting to the use or disclosure, and that use is not contrary to any wish of the individual;
- Provided to an insurer in relation to a notification, claim or potential claim;
- Given to the Australian Statistician;
- Given for the purpose of medical or social research but only on condition that that the use of the information has been approved by the RCH Research & Ethics Committee;
- Given for the purpose of a Casemix audit;
- Given to or by persons engaged by a public hospital or denominational hospital, or a multi-purpose service or community health centre in the course of carrying out support functions as designated by the Governor in Council by Order published in the Government Gazette, or
- Given to or by
an information sharing entity in accordance with Part 5A f the Family Violence
Protection Act 2008 (Vic)
- Given to or
by an information sharing entity or a restricted information sharing entity in
accordance with Part 6A of the Child Wellbeing and Safety Act 2005 (Vic),
- Given to or by a
Child Link user or the Secretary to the Department of Education and training in
accordance with Part 7A of the Child Wellbeing and Safety Act 2005 (Vic),or
- Provided
to a person whom in the opinion of the Minister is in the public interest.
If you are unsure whether your situation is covered, or if you have any queries, you should speak with your manager, RCH Privacy Officer or Legal Services before giving out any information.
What are my obligations when information is given "in confidence"?
When
information is given "in confidence" to the RCH about a patient
by a person other than the patient (that is a request that it not be
communicated to the patient to whom it relates) staff must:
- In the patient's
medical record, record only information if it is relevant to the provision
of health services to, or the care of, the patient in a separate EMR note
template;
- Take reasonable
steps to ensure that the information is accurate and not misleading; and
- Take reasonable
steps to record that the information is given in confidence and it is to remain
confidential.
What strategies can I take to maintain personal privacy/confidentiality?
Only
access information if it is relevant to your work.
Do
not divulge, copy, release, sell, loan, review, alter or destroy any personal
information unless it is part of your job. If it is part of your job to do any
of these tasks, staff are to follow the correct RCH procedure (such as putting
confidential papers in appropriate security bins).
Verbal
information must be protected. All staff need to be mindful of where they carry
out discussion of patient care. Conversations regarding patients must not be
conducted in the presence of, or be heard by, unauthorised persons.
Patient
and staff information (e.g. addresses or diagnosis) must never be discussed
with friends or relatives without the appropriate consent.
Patient
information should only be discussed between -clinical staff involved in the
care and treatment of the patient.
Confidentiality
of information may be breached when communicating personal information. Staff
should be aware of and follow the RCH procedure when using the fax or phone to
communicate personal information. Refer to procedure: Personal
Information - Security .
Staff
should be aware of situations involving young persons, whereby the patient may
not want information or details of their condition relayed to their parent/guardian.
All
personal information for patients and staff is protected according to the RCH
procedure. In certain circumstances patients or staff may request additional measures
to protect their personal information. Refer to procedure: EMR - Privacy Functionality in the EMR.
Nothing
in this procedure shall prevent an employee from supplying appropriate personal information to the Union/Professional Body in relation to probable, threatened
or actual grievance or industrial dispute.
The
highest standards of confidentiality are expected within the RCH. Any
violations of the confidentiality procedure will be addressed through the
Department Manager, Human Resources and the Privacy Officer and could result in
termination of employment.
Examples
of “breaches of confidentiality" include:
- Divulging personal information without consent.
- Telling a relative or friend about a patient or staff member at the RCH.
- Gossiping about patients or staff.
- Reading medical records when it is not in the course of work duties.
- Discussing patient information in lifts or corridors.
- Accessing pathology results of family, friends or co-workers.
- Accessing a medical record or components of the patient record that are not required for you to do your work.
- Accessing electronic systems that you are not authorized to do so through password sharing.
6. Special provisions/reference documents (which may be referred to)
- Child Wellbeing and Safety Act 2005 (Vic)
- Children and
Young Person's Act 1989
- Family Violence Protection Act 2008 (Vic)
- Health Records
Act 2001
-
Health Services
Act 1988
- The Privacy and
Data Protection Act (Vic) 2014