1. Procedure statement
All reasonable measures must be taken to protect personal health information from unauthorised access, improper use, disclosure, unlawful destruction, or accidental loss. This procedure outlines guidelines for The Royal Children's Hospital (RCH) staff to protect personal health information and the roles and responsibilities involved in managing a data breach.
2. Persons Affected
All persons and entities - including staff, clients and their families, visitors, members of the public and external organisations.
3. Definition of terms
Personal information is factual data or opinion about an individual who may be identified directly or indirectly, by the material. It can be in any medium including electronic or paper records, video or audio recordings, clinical photography, x-rays, pathology samples, etc.
Security is the right of an individual to expect that personal information, once given in confidence for approved use by third parties, will thereafter be maintained safely against unauthorised disclosure, intrusion, modification or destruction.
4. Responsibility
Staff who come into contact with or have access to patient/staff/other information have a responsibility to maintain the security of that information.
Department Heads are responsible for the continuing education of staff and for taking appropriate action where this procedure has been or may be breached.
Information and Communication Technology (ICT) have policies on the issuing of email addresses, and when a person leaves the organisation ICT has an automated process in place to disable their accounts. ICT ensures that all new applications contain the capability for user access to be administered according to the security requirements of the organisation; these requirements may differ depending on the application.
5. Criteria
From 8th August 2020, a shared Electronic Medical Record (EMR) between RCH, the Royal Melbourne Hospital, The Royal Women's Hospital and Peter MacCallum Cancer Centre (the Parkville Health Services) allows the Parkville Health Services to access a patient's record if that patient has been treated at any of the Parkville Health Services. Staff at each of the Parkville Health Services are required to adhere to their health service's policies and procedures regarding the collection, use, and disclosure of patient information, including this procedure. Staff must only access records contained in the EMR as required as part of their role (e.g. if involved in or supporting care and treatment of that patient). Access to the EMR is audited regularly to monitor staff compliance. The records may not be retained locally or deleted. They may not be printed, disclosed, used, or amended for reasons other than patient care and treatment, and only in accordance with RCH policies and procedures.
The highest standards of security are expected within the RCH. Any violations of security procedure will be addressed through the RCH Performance Management and Disciplinary Procedure. Examples of breaches of security include but are not limited to:
- Staff accessing information that is not part of their job (e.g. browsing patient information systems).
- Telling a co-worker your password so that s/he can log into a secure information system.
- Unauthorised use of a log-in code to access employee files or patient information.
- Leaving a hard copy medical record or patient paperwork unattended in any public area.
- Discussing personal health information in a public space (lifts or corridors) where it may be overheard by others.
- Emailing patient information to an external organisation.
- Faxing personal information without including a fax cover sheet that includes an appropriate confidential note as per the guideline below.
5.1 Data Breach
A data breach is an unauthorised access or disclosure of personal information, or loss of personal information. It may be caused by a deliberate action (external or internal), human error, or a system or information handling failure.
Examples of data breaches include:
- loss or theft of physical devices (such as laptops, USBs and other storage devices) or paper records that contain personal information
- unauthorised and inappropriate access to personal information by an employee
- disclosure of personal information due to 'human error', for example a fax or email sent to the wrong person
- disclosure of an individual's personal information to a scammer, as a result of inadequate identity verification procedures.
Data Breach Plan
A data breach may occur at the local hospital level (e.g. an email or fax sent to the wrong person, loss or theft of a device, or unauthorised access by an employee) or across the Parkville Health Services (e.g. a cybersecurity attack on the EMR).
(a) Hospital level data breach
- If there is a data breach or suspected data breach at the local level, staff are to report it to their line manager. The line manager should escalate to the Privacy Officer and complete a VHIMS. The Privacy Officer will be responsible for managing and assessing the breach, notifying and escalating to internal and external stakeholders where appropriate, and identifying any changes required to minimise the chance of the breach occurring again.
- The Privacy Officer may refer to relevant local policy and procedures for next steps and escalation to the appropriate General Counsel and Executive Director for advice.
(b) Parkville Health Services level data breach
- A data breach involving the Parkville Health Services will require activation of business continuity plans and a joint response with key individuals from each hospital. These individuals would include the chief information officers, executive, and members of the Hospital Incident Management Team (HIMT). The joint response team would be responsible for managing and assessing the breach, notifying and escalating to internal and external stakeholders including the Department of Health, and conducting an incident review.
Actions taken following a data breach should follow the key steps below:
- Step 1: Contain the data breach to prevent any further compromise of personal information.
- Step 2: Assess the data breach by gathering the facts and evaluating the risks, including potential harm to affected individuals and, where possible, taking action to remediate any risk of harm.
- Step 3: Identify if a cross-precinct data breach has occurred. If so, the relevant PHS Privacy Officers should be notified as soon as practicable.
- Step 4: If a cross-precinct breach is identified, the relevant Privacy Officers must formulate a coordinated response, which may include engaging internal stakeholders to assist, e.g. General Counsel, Executive, People & Culture etc.
- Step 5: Determine if the Health Complaints Commissioner, the Office of the Victorian Information Commissioner, the Department of Health or any other external body should be notified of the breach.
- Step 6: Review the incident and consider what actions can be taken to prevent future breaches.
5.2. Disclosure of Personal Information - disclosure via electronic messaging, fax, email, phone or verbally
All disclosures should be documented/recorded in the patient's medical record and include the date, the name and signature of the staff member disclosing the information, details of the information disclosed, and the name and contact number of the requestor.
Fax guidelines
Patient information may be transmitted via the Electronic Medical Record (EMR) using autofax or manually by facsimile machine (fax). Details of the release of information by fax must be recorded in the patient's medical record.
A standard RCH fax cover sheet that clearly identifies our organisation must be included in the transmission. This cover sheet must include the following details:
- date and time of transmission, and total number of pages;
- destination, name of institution, fax and telephone numbers, person and department nominated as recipient;
- name, department and telephone number of person sending/authorising fax.
The word "CONFIDENTIAL" must be included along with the following notice.
Notice:
This facsimile transmission and any documents attached to it may contain information that is confidential or legally privileged. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution or use of this transmission is strictly prohibited. If you have received this transmission in error, please immediately notify the sender and destroy the original.
To minimise risks associated with faxing personal information also:
- Where possible, before sending a fax, ring the intended recipient to confirm their number and inform them the fax is being sent.
- Set the fax machine to print transmission reports if possible.
- Send only the minimum amount of information necessary. For example, if only one paragraph of a report is relevant send only that paragraph and not the whole report.
- Double check to ensure the correct fax number has been dialled and connected.
- Where possible, telephone recipient immediately to confirm that the information has been received in full.
- When autofaxing (using faxing software combined with a database of fax numbers to transmit confidential information), the contact information, particularly the fax number, must be validated. Validation involves contacting the persons on the database and ensuring their fax details are correct prior to commencing faxing. Validation of the information in the database should occur periodically thereafter, for example once or twice a year.
Email guidelines
The email system is not secure. The security risks include: misdirection due to an error in typing the address; lack of confidentiality of Internet traffic, as email may be scanned and copied when it passes through nodes; the ease with which a sender can purport to be someone else; and the fact that receiving information in electronic form makes it easy for the recipient to copy, amend and disclose it to others.
Therefore, at RCH personal health information must not be sent externally by email. Externally refers to email addresses other than "rch.org.au" or "mcri.edu.au".
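The rule above is a domain allowlist, and a recipient check that enforces it is easy to get wrong: a substring test such as "rch.org.au" in the address would accept look-alike domains like notrch.org.au or rch.org.au.example.com. The following is an added example, not RCH or ICT tooling; the two permitted domains come from this procedure, the sample recipient addresses are constructed, and it assumes that subdomains of the permitted domains (e.g. mail.rch.org.au) also count as internal.

```python
"""Recipient-domain check for the rule that personal health information must not
be emailed externally. Added example, not the hospital's own software; the two
internal domains are taken from the procedure, the sample addresses are constructed."""
from email.utils import parseaddr

# Domains the procedure treats as internal.
# Assumption: subdomains of these (e.g. mail.rch.org.au) are internal as well.
INTERNAL_DOMAINS = ("rch.org.au", "mcri.edu.au")


def address_domain(recipient):
    """Return the lower-cased domain of one recipient string, or None if it is not
    a single parseable mailbox. Display names ('Dr X <x@rch.org.au>') are stripped."""
    _, addr = parseaddr(recipient)
    if addr.count("@") != 1:
        return None
    local, domain = addr.rsplit("@", 1)
    if not local or not domain:
        return None
    return domain.strip().lower()


def is_internal(recipient, internal_domains=INTERNAL_DOMAINS):
    """True only if the domain equals an allowed domain or is a subdomain of it.
    The comparison is on label boundaries, so notrch.org.au and
    rch.org.au.example.com are external. Non-ASCII domains are treated as
    external to avoid homoglyph look-alikes."""
    domain = address_domain(recipient)
    if domain is None or not domain.isascii():
        return False
    return any(domain == d or domain.endswith("." + d) for d in internal_domains)


def external_recipients(recipients, internal_domains=INTERNAL_DOMAINS):
    """Return the recipients that would carry a message outside RCH/MCRI.
    Unparseable entries are included, as they cannot be shown to be internal."""
    return [r for r in recipients if not is_internal(r, internal_domains)]


def may_send(recipients, contains_phi, internal_domains=INTERNAL_DOMAINS):
    """Apply the rule: a message containing personal health information is
    blocked if any recipient is external. Returns (allowed, external_list)."""
    if not contains_phi:
        return True, []
    external = external_recipients(recipients, internal_domains)
    return (len(external) == 0), external


if __name__ == "__main__":
    # Constructed sample recipient list for a message that contains PHI.
    sample = [
        "Ward Clerk <clerk@rch.org.au>",
        "researcher@MCRI.edu.au",
        "relay@mail.rch.org.au",
        "nurse@notrch.org.au",
        "admin@rch.org.au.example.com",
        "gp@example.com",
    ]
    allowed, external = may_send(sample, contains_phi=True)
    print("allowed" if allowed else "blocked", external)
```

Running the block as a script reports the message as blocked and lists the three external addresses; the two look-alike domains are rejected because the match is anchored at a label boundary rather than being a substring search.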
To minimise risks associated with emailing personal information internally staff should:
- State clearly in the message if you do not want all or part of it forwarded to others, and set the email footer to include the following notice.
Notice:
This email transmission and any documents attached to it may contain information that is confidential or legally privileged. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution or use of this transmission is strictly prohibited. If you have received this transmission in error, please immediately notify the sender and destroy the original.
- Before forwarding messages from others, it may be necessary to remove sensitive parts. However, never edit and re-send a message from someone else without indicating that changes have been made to the original.
- If you receive a message intended for someone else, don't ignore it, return it to the sender and then delete.
- If you doubt the authenticity of a message, return it to the sender and ask for confirmation that they sent it.
- Assume that any message you send could be modified and forwarded anywhere without your knowledge or consent.
For complete information on using email refer to the Email Usage Procedure.
Phone guidelines
Depending on factors such as the sensitivity of the information, the purpose for which it is being conveyed and the complexity of the details, all or some of the following steps may be appropriate safeguards for reducing the risk to privacy when using the telephone:
- Ensure that other staff or patients cannot overhear the conversation. Move to another room, or time the call when others are not present.
- If someone is asking for sensitive information over the phone, and it is reasonable to disclose it, ask if you can call back (so you can check the number against your records or confirm that they are from the organisation they purport to represent).
- If you are asking the other party to give sensitive information over the phone, check that they are able to discuss it privately (and are not, for example, speaking on a mobile phone in a public place).
- Keep a note of the conversation in the medical record, to record what information was given and to whom.
Verbal guidelines
All staff need to be mindful of where they carry out discussions regarding patient care. It is unacceptable to discuss personal health information in public areas such as lifts and corridors. The risk associated with personal information being inappropriately overheard is high. To minimise risks when verbalising personal information staff should:
- Not discuss patient information in hospital lifts, corridors and public areas.
- Be aware of who can overhear conversations on wards and in other clinical areas.
- Seek adequate privacy prior to discussing sensitive information with staff or patients.
Medical Records
Paper-based medical records are the property of RCH and are not to be removed from the organisation under any circumstance, unless authorised by the Manager, Health Information Services.
Medical records, patient lists or reports must not be left in areas where the general public or unauthorised staff can access them.
When staff are transporting medical records around the organisation every effort should be made to keep patient details covered. For example, if carrying a bundle of records in a lift, turn the last one over so that only the back of the medical record cover is exposed.
When records or information are sent with or without a patient outside the RCH, the information must be secured in a sealed envelope or container labelled "Confidential" and addressed to the specific person at the receiving facility (e.g. Admissions Nurse). Records must be securely transported to the receiving facility and not left unattended at any stage until delivered to the authorised receiving person.
Records required at a Court of Law under subpoena must be copied before they are sent outside the RCH. This copy will be kept at the RCH if required for patient care.
Any paper-based information containing patient or private information that requires destruction should be placed in the secure destruction bins located throughout the Hospital.
5.4. Secure information systems, passwords and screensavers
Staff access to secure information systems is determined under the authority of Department Heads. Department Heads need to ensure that access to systems is granted on a "need to know" basis. Access should only be provided to staff who require it to carry out their work. When staff are terminated, ICT must be notified to have access removed.
Passwords for all information systems are to be kept secure.
No password should be shared unless authorised by the Chief Information Officer.
Staff are responsible for any access to secure information systems using their password.
All computer screens in patient or public contact areas must have the screensaver wait period set to 3 minutes maximum. This will reduce the chance of unauthorised viewing of information left on computer screens by patients, the public or unauthorised staff.
6. Special provisions/reference documents (which may be referred to)