Waikiki Private Hospital policy and procedure
Privacy policy
Policy
1.
Waikiki Private Hospital respects and upholds individuals’ rights to privacy protection under the Australian Privacy Principles (APPs) contained in the Privacy Act (1988, as amended).
2.
This privacy policy explains how personal information is collected, held, used, disclosed, secured and otherwise managed, including patient health information. It describes the types of information collected and held and why, how to access and correct the information and how to make a privacy complaint. References in this policy to personal information include sensitive information.
3. Definitions
- Personal information means ‘information or an opinion about an identifiable individual, or an individual who is reasonably identifiable: whether the information or opinion is true or not; and whether the information or opinion is recorded in a material form or not’.
- Sensitive information is a type of personal information that is afforded a higher level of protection by the Privacy Act. It includes health, genetic and biometric information as well as information about race or ethnic origin, political opinions, membership of political, professional or trade associations or trade unions, religious beliefs, sexual orientation or practices and criminal record.
- Health information, a subset of personal information, is considered to be sensitive information and includes information or an opinion:
- about an individual’s health or disability at any time (that is, past, present or future);
- about an individual’s expressed wishes regarding future health services;
- regarding health services provided, or to be provided, to the individual;
- collected whilst providing a health service; or
- collected in connection with the donation or intended donation of body parts and substances
- information about physical or biological samples, where it can be linked to an individual (for example, where they have a name or identifier attached); and
- genetic information, when this is collected or used in connection with delivering a health service, or genetic information when this is predictive of an individual’s health.
- Collects: an entity collects personal information only if the entity collects the personal information for inclusion in a record or generally available publication.
- De-identified: personal information is de-identified if the information is no longer about an identifiable individual or an individual who is reasonably identifiable.
- Employee record: in relation to an employee of the hospital, means a record of personal information relating to the employment of the employee.
- Holds: the hospital is considered to ‘hold’ personal information if it has possession or control of a record that contains the personal information.
- Responsible person for an individual is:
- a parent of the individual; or
- a child or sibling of the individual if the child or sibling is at least 18 years old; or
- a spouse or de facto partner of the individual; or
- a relative of the individual if the relative is:
- at least 18 years old; and
- a member of the individual’s household; or
- a guardian of the individual; or
- a person exercising an enduring power of attorney granted by the individual that is exercisable in relation to decisions about the individual’s health; or
- a person who has an intimate personal relationship with the individual; or
- a person nominated by the individual to be contacted in case of emergency.
4.
A copy of the Patient Privacy Information Sheet (based on this policy) is to be made available to patients who wish to obtain details about the hospital’s information management practices.
5. Anonymity
6. Collection of personal information
The information collected by Waikiki Private Hospital will depend on who the individual is, such as a patient admitted to hospital, a health service provider, an employee, a supplier or contractor, a next of kin, a guardian or other responsible person, an emergency contact or person responsible for paying an account, and may include:
- name, address (postal and email) and telephone numbers
- gender
- date of birth
- marital status
- employment status
- occupation
- country of birth
- indigenous status
- Next of kin
- Payment information such as credit card details
- Health fund and health insurance cover details
- Workers compensation or other insurance claim details
- Medicare details
- Department of Veterans Affairs details
- Department of Defence details
- Concession card details
- Medical history and other health information collected or received by the hospital in the course of providing a health service
- any additional information provided to the hospital by the patient
- information provided to the hospital by medical practitioners during the application for hospital accreditation/credentialing process
- information provided to the hospital by individuals during the employment process
- personal information collected from contractors used by the hospital
- personal information collected from suppliers used by the hospital
- Waikiki Private Hospital collects personal information directly from the individual concerned where it is reasonably practicable to do so. This may take place when the individual completes documents such as an admission, health insurance claim or other form, provides information over the telephone, is treated at the hospital or applies for a job, accreditation rights or service contract. However, depending on who the individual is, personal information may be collected from third parties such as:
- a responsible person or representative (e.g. guardian)
- a health professional who has treated the individual
- pathology laboratories
- medical imaging providers
- an individual’s health insurer or other insurer
- an individual’s nominated referee in relation to a job application
- other sources when processing job applicants such as police checks, working with children checks and pre-employment screening.
- Sensitive information about an individual is collected either directly from the individual or from a third party, with the individual’s consent (which may be implied or express, depending on the circumstances).
7. Use and disclosure of personal information
- Waikiki Private Hospital uses the personal information it collects and holds to:
- to assist treating doctors, nursing staff and other health care professionals in providing medical treatment and care to patients in a team based environment;
- to assist with any calls made by the patient;
- to inform the ‘person responsible’ for a patient of appropriate care or treatment when the patient is incapable of giving or communicating consent;
- funding, planning, evaluation and complaint-handling
- to effectively administer, manage, monitor and improve services
- for charging, billing and processing health fund insurance claims on the patient’s behalf
- collecting debts
- to provide information to Medical Practitioners, Registered Nurses and other Health Professionals who provide necessary follow up treatment and ongoing care;
- to enable the provision of education and training to students of the health profession
- to assist in providing practical training and education to Nursing staff;
- to comply with quality and clinical audit activities including benchmarking and clinical indicator reporting in a de-identified form;
- to assist authorised external surveyors during hospital accreditation, certification, private hospital licensing and health fund billing audits;
- to provide data in both an identified and de-identified form in compliance with legislative requirements;
- to assess job applications
- to assist in a health professional’s hospital accreditation application including verification of AHPRA registration details
- to assist in the engagement of external service providers
- to verify an individual’s identity
- to address liability indemnity arrangements and reporting
- to prepare the defence for anticipated or existing legal proceedings
- conduct patient experience surveys with the aim of evaluating and improving services; and
- enable our hospital and service providers to comply with their legal and regulatory obligations.
- Personal information is also used in circumstances where required or authorised by Australian law or where the hospital otherwise has consent of the individual or their representative.
- Unless allowed for by the APPs, Waikiki Private Hospital will not disclose personal information about patients without their consent, except on a confidential basis to agents that are used in the ordinary operation of its business. Waikiki Private Hospital does not disclose personal information to overseas recipients. Refer to Policy – Use and Disclosure of Patient Information.
8. Storage and security of personal information
- Waikiki Private Hospital stores personal and health information in both paper and electronic form and takes all reasonable steps to ensure that the personal information it collects, uses or discloses is accurate, complete and up-to-date.
- Waikiki Private Hospital stores personal information contained in paper-based and other hard copy documents in a dedicated secure storage area located at the hospital and off-site at a reputable and certified document storage facility.
- Personal information is contained in databases in a secure environment; and such records are only accessible by authorised persons who require access to the personal information for the purpose of carrying out their duties of employment. Refer to Policy – Security of Patient Information.
- The hospital uses technologies and processes such as access control, network firewalls, centralised antivirus systems, encryption and physical security measures to protect individuals’ privacy.
- Personal information and health information is retained for the period of time determined by applicable Australian laws after which it is de-identified or disposed of in a secure manner.
9. Access to and correction of personal information
- Individuals may request access to the personal information the hospital holds about them. The individual’s identity needs to be verified prior to granting access. Patients are required to complete a ‘Request to Access Patient Information’ form. Refer to Policy – Access to and Correction of Patient Information.
- Access may be denied to some or all of the personal information in certain circumstances allowed by the Privacy Act or other applicable laws. If Waikiki Private Hospital refuses a request for access, the individual is to be provided with written notice of the decision, including reasons for denial and how to complain if the individual is not satisfied with the decision.
- The hospital endeavours to give access to an individual’s personal information in the form they request. However, if that is not possible, an alternative means of access will be provided. A fee may be charged for collating and providing access to personal and health information.
- Personal information the hospital gives access to will be disclosed to the individual’s authorised representative or legal adviser where the hospital has been given written authority to do so.
- Waikiki Private Hospital takes reasonable steps to correct the personal information it holds if it is satisfied that it is inaccurate, incomplete and out of date, irrelevant or misleading. If a patient believes that the personal information the hospital holds needs to be corrected, a ‘Request to Amend Patient Information’ form is to be completed. Refer to Policy – Access to and Amendment of Patient Information. It is hospital policy to take all steps to record the corrections and place them with the patient’s record.
- There may be circumstances in which corrections may have to be refused. If this happens, the individual is to be notified in writing of the reasons for the refusal and an explanation provided detailing how they can complain if they are not satisfied.
10. Complaints
- Individuals who have any questions about privacy, this policy or the way personal information is managed at Waikiki Private Hospital or who believe that their privacy rights have been breached should contact the Executive Director with their question or complaint. (Chief Executive Officer, Waikiki Private Hospital, PO Box 810, Rockingham, 6168)
- Waikiki Private Hospital will endeavour to acknowledge receipt of a written complaint within 7 days and provide a written response to the complaint within a reasonable time frame. It may be necessary to request further information from the complainant before the matter can be resolved. Any such request will be made in writing. If the individual is not satisfied that Waikiki Private Hospital has resolved their complaint, they have the right to make a complaint to the Office of the Australian Information Commissioner (OAIC). If they wish to make a complaint or to find out any more information about their privacy rights the OAIC can be contacted as follows:
Website: www.oaic.gov.au
Telephone number: 1300 363 992
In writing: Office of the Australian Information Commissioner, GPO Box 5218, Sydney NSW 2001
Appendices
A – Patient Privacy Notice
B – Patient Privacy Information Sheet
References
Australian Government, Privacy Act (1988) As Amended
Australian Government Office of the Australian Information Commissioner (1988) Privacy Act 1988. Canberra, OAIC.
Australian Government Office of the Australian Information Commissioner (2014) Australian Privacy Principles Poster. Canberra, OAIC.