Australian medical practices must routinely deal with sensitive patient information. To protect patient privacy, the Australian Privacy Act outlines a series of privacy principles that anyone who deals with this data must adhere to. Failure to stick to these principles could ultimately lead to million-dollar fines, so it's in the interests of everyone in the records management storage facility to do everything they can to support the rules. Here are three examples of how things could go wrong.
Failure to gain and record patients' consent
There are lots of ways to capture patient information, ranging from new patient registration forms to updated medical records and notes. However, in any case, before you record and store patient information, you must get the person's consent to do so. The authorities will take a dim view of a medical business that holds customer information without consent.
The authorities accept explicit or implied consent. For example, if a doctor writes something down in front of a patient, there is often implied consent that it is OK for the doctor to do so and to keep a record of the information. However, implied consent is sometimes difficult to prove at a later date. A patient who cannot see or read what the doctor writes could argue that he or she did not give consent.
Ideally, you should always record explicit, written consent to record patient data, and keep the evidence in your database and/or within customer document storage. What's more, make sure all the forms and paperwork you use on a regular basis contain a consent statement and signature, so you can show how you regularly check patients' consent.
Failure to adequately protect stored patient information
Practice managers must take steps to adequately protect patient information, irrespective of the storage method. This would include:
Appropriate security and encryption on electronic data storage.
Adequate security measures in document storage rooms and facilities.
Access levels that make sure employees only see the information they need to do their job.
It's sometimes the less obvious habits or practices that can land people in hot water. For example, a facility is secure when locked with a key, but if all staff members can get hold of a single key, the information is not adequately protected.
What's more, staff members must consider any habits that could lead to accidental disclosure. For example, when speaking to somebody on the phone or talking to somebody in the surgery, it's vital that staff members consider who could overhear the conversation. The right training and guidance are vital to make sure employees always consider the privacy principles.
Failure to accurately recognise health information
Legally, health information covers an increasingly diverse range of sources. Most staff members will realise and understand that medical records and paperwork fall within this definition, but the rules apply to other media. For example, practice managers must protect clinical images, including photos, videos and audio recordings. Even though it's often not possible to identify a patient with these things alone, the Privacy Act treats these media the same.
This is particularly problematic for medical staff and doctors who use these media during research and education. It may seem harmless enough to email an image to colleagues for discussion or consideration, but this activity must still comply with the Privacy Act.
An ongoing staff education programme is often the best way to maintain awareness of these issues. Educate employees about the definition of the Act, asking people to carefully consider and identify sources of health information. What's more, you should make sure that secure storage arrangements include these media, as well as paper records.
Practice managers play a vital role in the protection of patient information. Talk to a professional records management company for more specialist advice.