Privacy Policy

Purpose

Moyne Health Services (MHS) respects and is committed to protecting the privacy of every individual. We are required by law to ensure that all personal and health information pertaining to patients, residents and staff, remains confidential. Moyne Health Services complies with all legislation relating to privacy and confidentiality including the Health Services Act 1988 (Vic), Privacy and Data Protection 2014, Freedom of Information 1982 (Vic), and the Health Records Act 2001 (Vic). The existing provisions of the Mental Health Act still apply.

Moyne Health Services cannot use or disclose personal or health information without the consent of the individual, except if it is required, authorised or permitted under law.

Staff are bound by a strict code of confidentiality; details are outlined in the Confidentiality and Security of Information Policy

Scope

This policy relates to staff, patients, residents and their families, service users, visitors, members of the public and external organisations

Key Definitions

Health information:
The Health Records Act 2001 applies to health information, as information or opinion about:

• The physical, mental or psychological health of a person or a disability of a person; or
• A health service provider or to be provided to a person; or
• A person’s expressed wishes about the future provision of health services to him or her.

Many MHS functions require us to handle health information, which is covered by the Health Records Act 2001. This requires the organization to Protect Information; provide individuals the right to access to their information; and provide a framework for resolution of complaints in relation to the handling of personal information.

Personal (Staff) Information:
Privacy and Data Protection 2014 defines personal information to mean:
“…information or an opinion, whether true or not, and whether recorded in a material form or not, about an identified individual, or an individual who is reasonably identifiable”

• Other personal information collected to provide, or in providing, a health service; or
• Other personal information about an individual; collected in connection, with the donation or intended donation, by the individual of his or her body parts, organs or body substances; or
• Other personal information that is generic information about an individual in a form which or could be predictive of the health (at any time) of the individual or any of his or her descendants

What documents and information are covered?

• Documents in writing, such as files and reports
• Books, maps, graphs and drawings
• Photographs
• Audiotapes
• Videotapes
• Information stored on computer discs
• Diagnostic results(eg x-ray pathology)
• Emails

Use
The sharing, utilisation, examination or analysis of information, that identifies or reasonably can be used to identify, a person within MHS.

Disclosure
The release, transfer, or divulging in any other manner of information outside MHS.

Treatment
The provision, coordination, or management of health care related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient, resident or client; or for the referral of a patient, resident of client for health care from one health care provider to another.

Policy statement

Moyne Health Services (MHS) will manage the privacy of patient and staff information to prevent inappropriate access, distribution and use.

MHS is committed to the Information Privacy Principles contained within the Privacy and Data Protection 2014(Cth) and as such MHS has developed this Privacy Policy Statement.

• MHS will only collect, by lawful means, information needed to effectively perform its obligations and role.
• MHS will only use collected information for the purpose for which it was collected, unless authorised to do so by the information provider or MHS is allowed to do so or is bound to do so by law.
• MHS will make reasonable efforts to ensure the information provider is informed of the purpose for which the information is required and that the information gathered is correct and up to date both at the time of collection and before use.
• MHS will take all reasonable steps to ensure the information is kept secure with access restricted to authorised personnel only.
• MHS will keep a record of the information contained in its files and the authorised personnel who have access to the information. The record will also state the purpose for which the information has been gathered.
• MHS will grant reasonable access to a person’s records that contain their personal information upon request.
• Incorrect information or information that is no longer needed by MHS will be returned to the provider or destroyed by MHS.
• A record of visitor information is kept for safety and security purposes.

Procedure

The following statements outline strategies for the management of privacy of health information at Moyne Health Services.

1. We will not use or disclose information of a personal nature, except to the extent that this is required, authorised or permitted under law. All staff are required to be trained and understand their obligations under the laws relating to safeguarding this information.

2. We will only collect information that is necessary for us to perform our functions. We will do so in a fair, lawful and non-intrusive way. Wherever possible, we will collect information directly from individuals rather than from third parties.

3. When information is requested the reasons that it is required will be explained, along with any law that requires it to be collected, the organisations or type of organisations to whom we usually would disclose it and the consequences if the information is not provided.

4. Generally, we collect and use information for the purpose of providing care and treatment, and for purposes directly related to providing such care and treatment. We may disclose information to other health care providers for the purpose of providing further treatment.

Moyne Health staff will only use or disclose information for:

• the primary purpose for which it was collected
• directly related for the secondary purpose that would reasonably be expected,
• there has been consent provided to the disclosure of the information or
• where permitted under law to prevent a serious threat to the public health, welfare or safety risk,

Patients are to be informed that information is transferred to the GP or referring doctor on discharge, emergency or outpatient attendance, and are able to request that this does not occur.

De -identified information (data where an individual’s identity cannot be ascertained) may be used and disclosed without consent.

MHS is required by Health Services Act, Health (Infectious Diseases) Regulations 1960, Coroners Act (2008) Vic or Mental Health Act 2014 to disclose Information to registries and databases maintained by the Department of Health (DoH) and other organisations. Department of Health (DoH) dataset collections for:

• admitted, (Victorian Admitted Episode Data [VAED]) and Non-admitted – HACC Minimum Dataset
• Cancer Registry, managed by the Anti-Cancer Council of Victoria
• Infectious Disease Registry
• Child Protection – Mandatory Reporting

We may also use information for other purposes permitted under the privacy laws. Examples of such uses include: release of information to a court in compliance with a summons or court order or where there is a serious and imminent threat to an individual’s life, health, safety or welfare; a serious threat to public health, or in research or quality improvement studies.

5. We endeavour to ensure that the information we hold is accurate, complete and up to date. We are required under the Public Records Act to hold some records for extended periods. We will not keep information longer than we need to. From time to time we conduct audits of our records and databases to ensure that the information we hold is accurate and up to date.

6. The right to use our record keeping and computer systems is controlled and monitored. Staff and authorised external users only have access to systems that their duties require. There are comprehensive auditing procedures to prevent and detect unauthorised access and fraud. All physical or paper records are securely stored and can be accessed only by authorised personnel. Computer systems uniquely identify individual users to ensure that access is appropriately authorised. All transactions involving information of a personal nature that can be audited are traceable to an individual Moyne Health Services staff member.

7. Access to records in a public hospital/organisation is legislated under the Freedom of Information Act (1982) Victoria.

8. Every individual, for whom information is held, has the right to request access to and amendment of their information. There are however, some conditions when access can be restricted or withheld. For example, access to personal /health information is not provided where doing so would disclose information given in confidence, where disclosure might pose a serious threat to the life or health of any person, or where the information would otherwise be exempt from disclosure by law. The methods of access to personal/health information are prescribed and a reasonable fee can be levied.

9. If an individual wishes to access and/or request amendment to their personal/health information, they should be advised to contact the Freedom of Information Officer at Moyne Health Services. Refer to Freedom of Information Policy for more details.

10. We may, from time to time, transfer health information to organisations outside Victoria for the purpose of the provision of care or treatment. This will only occur with the individual’s consent, when we believe that the recipient organisation is subject to binding privacy obligations substantially similar to those under which we operate or where it is considered to be in their best interest.

We ensure that any suspected infringements of privacy are thoroughly investigated. We have strategies in place to identify procedural and systems weaknesses and continually review these strategies. Disciplinary action is taken in cases where investigations or suspected infringements of privacy are proven.

A Privacy Officer has been appointed to assist with the administration of this policy. This includes:
gaining access to health information we hold;

• concerns that information we hold may be inaccurate, and subsequent requests that it be
  amended;
• inquiries about the type of information we hold, for what purposes and how we deal with that information; and/or
• any concerns that we may have infringed your privacy rights,

The Privacy Officer can be contacted on 03 5568 0100

References

• Privacy and Data Protection Act 2014 (Vic) (‘PDPA’) 7 September 2014
• Health Records Act 2001
• Freedom of Information Act 1982 (Vic)
• Health Records Act 2001
• Mental Health Act 2014
• Barwon Health – Privacy Policy
• Bendigo Health – Privacy of Personal Records Policy
• Department of Human Services Web site – Health Records
• FOI Solutions, Freedom of Information Procedures Manual, 7th Edition, July 2011 Monash Health – Privacy
• Privacy Act 1988 – Privacy Amendment (Privacy Sector) ACT (Cwlth)
• Public Records Act 1973 (Vic)

Key Aligned/ Linked Documents

• MHS Confidentiality and Security of Information Policy.
• MHS FOI Policy
• MHS Disposal of Personnel Records and Patient Information Policy