‘Whatever, in connection with my professional practice or not in connection with it, I see or hear in the life of men, which ought not to be spoken of abroad, I will not divulge, as reckoning that all such should be kept secret.’

Confidentiality: inroads
  reporting requirements of funders
  the increasing size of medical practices
  patients’ rights of support
  sharing of health information between health care professionals
  ease of access to health records on electronic databases
  insurers’ insistence on full access to patient records
Privacy v Confidentiality
Privacy
  – principles to guide the amount of control which an individual can exercise over his or her personal data
  – collection, storage, use and disclosure of personal information, and the right of access and correction
Confidentiality
  – akin to secrecy
  – fundamental to the trust relationship; promotes full disclosure
  – the ability to disclose information received in confidence is limited to cases of authorisation or public interest
Privacy Act v Health Information Privacy Code
Privacy Act
  – data protection
  – 12 privacy principles: collection, storage, use and disclosure of personal information, and the right of access and correction
Health Information Privacy Code
  – health information and health agencies
  – 12 rules: collection, storage, use and disclosure of personal information, and the right of access and correction
Health Information Privacy Rules
1. Only collect health information if you really need it.
2. Get it straight from the people concerned.
3. Tell them what you’re going to do with it.
4. Be considerate when you’re getting it.
5. Take care of it once you’ve got it.
6. People can see their health information if they want to.
7. They can correct it if it’s wrong.
8. Make sure health information is correct before you use it.
9. Get rid of it when you’re done with it.
10. Use it for the purpose you got it.
11. Only disclose it if you have a good reason.
12. Only assign unique identifiers where permitted.
Collection (Rules 1–4)
  Purposes: lawful and necessary
  From the person concerned: unless an exception applies
  Transparency: the fact of collection, the purposes, who sees the information, where it is held, which questions are compulsory or optional, and the right to access and request correction
  Lawful and fair collection
Storage & Security (Rule 5)
An agency that holds personal/health information must take reasonable security safeguards to protect against:
  loss
  unauthorised access, use, modification or disclosure
  other misuse
Access (Rule 6)
If information is readily retrievable, people have a right to:
  confirmation of whether the agency holds* information about them; AND
  access to the information.
* “holds” includes information received from other agencies
Correction (Rule 7)
Individuals have a right to request correction, or to have a statement of correction added.
The agency must either:
  make the change, or
  attach the statement of correction;
and inform the individual and any recipients of the information.
Accuracy (Rule 8)
Before using personal or health information, an agency must take reasonable steps* to ensure it is:
  accurate
  up to date
  complete
  relevant
  not misleading
* what is reasonable will depend on the proposed use
Retention (Rule 9)
Personal/health information must not be retained for longer than is required for the purposes for which it may lawfully be used.
Note: Health (Retention of Health Information) Regulations 1996
  Health information is to be retained for at least 10 years from the last date of treatment or care.
  This does not prevent agencies from transferring information to the individual, or to the personal representative where the individual is deceased.
Limits on use (Rule 10)
Personal/health information obtained for one purpose must not be used for another purpose unless the agency believes, on reasonable grounds, that:
  the other use is authorised by the individual or their representative, or
  the other purpose is directly related to the purpose for which the information was collected initially.
* many exceptions mirror principle/rule 11
Legal Framework
  Statute
  Common law / equity
  Contracts / agreements / policies & procedures
  Personal decision making
Health Information: s22F Health Act
On request, must disclose to:
  Individual
    – treat as a Rule 6 request
    – Privacy Act withholding grounds apply (see Rule 6)
  Representative (may refuse in some circumstances)
    – individual does not want the information disclosed
    – disclosure contrary to the individual’s interests
  Health provider
    – may refuse where the individual does not want the information disclosed
    – may also refuse for a lawful excuse, which does not include non-payment, prejudice to commercial position, or disclosure not allowed by the Privacy Act
Health Information: who is a representative?
  where the individual is dead: the personal representative
  where the individual is under the age of 16 years: a parent or guardian
  where the individual is not in the above categories and is unable to give consent or authority or exercise his/her rights: a person appearing to be lawfully acting on the individual’s behalf or in his/her interests
Parents / guardians DO NOT have an automatic right of access to children’s information: consider requests under section 22F or the OIA.
People can appoint agents, e.g. a lawyer, friend or parent: written authority, properly authorised.
Disclosure of health information (Rule 11)
A health agency must not disclose health information unless it believes, on reasonable grounds, that the disclosure is:
  to the individual/representative
  authorised by the individual/representative
  for the purpose of publicly available information
  general information: presence, location, condition or progress of a patient (not contrary to an express request)
  of the fact of death, by a registered health professional or by an authorised person, to specified people
  advice to the principal caregiver of the individual’s release under the Mental Health (Compulsory Assessment and Treatment) Act
Disclosure of health information (Rule 11, continued)
When it is not desirable or practicable to obtain the individual’s authorisation, a health agency may disclose where the disclosure is:
  for a directly related purpose
  by a registered health professional to specified people (not contrary to an express request)
  statistical (no identification)
  to prevent or lessen a serious and imminent threat to public or individual health and/or safety
  necessary to facilitate the sale of a business
  of a brief description of the nature of injuries in an accident and the individual’s identity, by an authorised person in hospital, to the media (not contrary to an express request)
  to identify individuals for health education related to accreditation, quality assurance or risk management (no identification)
  to avoid prejudice to the law / drug dependency, as authorised by the PC
Unique Identifiers (Rule 12)
What is it? A code or number that is assigned to a person by an agency which uniquely identifies the person in relation to that agency.
An agency may only assign one if:
  it is necessary to carry out its functions
  the person’s identity is clearly established
* Must not use an identifier assigned by another agency.
* The NHI number is an exception – see HIPC Rule 12.
“But most people had probably sent an email or text message in error”
Prime Minister John Key says the big privacy breach at EQC was "distressing" but most people had probably sent an email or text message in error. "We do live in a world where these things are possible."
The Christchurch Press, March 2013
Staff interest in health information
  CDHB staff interest in the health records of the New Zealand cricket player Jesse Ryder.
  ADHB staff interest in the health records of a man with an eel ….
Setting the Standard: Independent Review of ACC’s Privacy and Security of Information
  Clear policies creating a positive mindset, as part of building customer trust and establishing a “firm but also seen as fair” image in the public mind
  A coherent strategy and process to mitigate privacy risks
  Monitoring performance for compliance
  Ensuring adequate resources and capacity to respond to incidents

Setting the Standard: Independent Review of ACC’s Privacy and Security of Information (continued)
  Importance of privacy and protection of personal data at Board governance level
  Privacy vision, strategy and programme
  Role of the privacy officer and use of privacy champions
  Education and training
  Culture
  Reporting
  Audit, review and evaluation
Retrospective or prospective?
Data Breach
See the OPC voluntary guidelines: http://www.privacy.org.nz/news-and-publications/guidance-notes/privacy-breach-guidelines-2/
  Breach containment and preliminary assessment;
  Evaluation of the risks associated with the breach;
  Notification; and
  Prevention.