Privacy considerations – continued
Use and disclosure of personal information
Does your practice have a process for patients to opt in or out of marketing communications?
Ensure you communicate marketing options to your patients clearly and transparently.
Does your practice have procedures for conducting health research, including participant consent and notification?
This includes procedures for how to deal with requests for the secondary use of data. Refer to the RACGP’s Secondary use of general practice data resource for guidance and a decision-making support tool.
Quality improvement and continuing professional development
Does your practice have procedures to record occurrences of patient information use for quality improvement and continuing professional development?
Information security and data retention
Does your practice maintain a level of information security sufficient to ensure the safe and proper protection of the information it holds?
Does your practice have a process for document classification, retention, destruction and de-identification of patient information?
This will provide documented evidence of good practice in information security, including the secure disposal and de-identification of information and proper data retention periods.
Healthcare provider identification
This occurs when sharing information identifies the practice even though the patient health information might be de-identified.
Do your practice staff understand the restrictions on use of healthcare identifiers?
Educate staff on the requirements of the Health Identifiers Act 2010 and other government initiatives that your practice is engaged in.
Mandatory data breach notification plan
Does your practice have a data breach response plan?
Your practice should have a regularly tested emergency response plan to deal with data breaches and a plan outlining how a data breach should be communicated and who should communicate it.