POLICY

Privacy, Confidentiality Of Information
SCOPE (Area): All Areas
SCOPE (Staff): All Staff
Printed versions of this document SHOULD NOT be considered up to date / current


Rationale

Ballarat Health Services (BHS) has both a legal and ethical obligation to protect the privacy and maintain confidentiality of information relating to patients, clients, residents and staff.

The legal obligation is specifically mandated by the following legislation:

  • Health Records Act 2001
  • Privacy and Data Protection Act 2014
  • Health Services Act 1988
  • Mental Health Act 2014
  • Privacy Act 1988
  • My Health Record Act 2012

BHS supports, promotes and complies with these obligations.

Clinical staff are also obligated by their professional codes of conduct to maintain patient confidentiality.


Expected Objectives / Outcome

That information relating to the patients, clients, residents and staff of BHS be fully protected and managed in accordance with privacy legislation.

All reasonable measures are taken to protect health and personal information from unauthorised access, improper use, disclosure, unlawful destruction or accidental loss.


Definitions

Patient information

All information relating to patients, clients and residents of BHS including medical records, computerised demographic information, financial and episodic data, patient lists, registers, information discussed verbally and any document that identifies an individual patient.

Health Information

Information or an opinion about the physical, mental or psychological health of an individual or a health service provided to an individual or other personal information collected to provide a health service.

Personal Information

Information or an opinion about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.

Confidentiality

The right of any individual not to have identifiable information disclosed to others without that individual's express informed consent or other lawful authority.

Privacy

The right of any individual to have personal information used only for authorised purposes, with the information protected from misuse as well as unauthorised access, disclosure, unlawful destruction or accidental loss.

Consent

Informed voluntary agreement by the individual, authorised representative or legally authorised representative, regarding use and disclosure of personal information.

Disclosure

Release or passing on of an individual's personal information within and outside BHS.

Authorised representative

The person, next of kin or similar, authorised by law to give consent where that individual is unable to act independently. An authorised representative generally includes a parent in relation to a child and a person responsible under the Guardianship and Administration Act 1986 (Vic) in relation to an adult.

Legally authorised representative

A guardian appointed by the Victorian Civil and Administrative Tribunal (VCAT) or an appointed Medical Treatment Decision Maker (under the Medical Treatment Planning and Decisions Act 2016).

As per legislative compliance obligation ID 3744, BHS staff may disclose confidential information for a quality and safety purpose to the Secretary of the Department of Health and Human Services or to a quality and safety body, i.e. external accreditation standards staff.

(Under the Health Services Act 1988 (Vic) and the Health Services (Quality and Safety) Regulations 2020 (Vic).)

Authorised personnel

BHS staff involved in the care of, or provision of services to, the patient or other personnel with a valid, work related reason for accessing patient information.

Staff from Grampians Region hospitals participating in the Regional Electronic Medical Record (BOSSnet) with a valid, work-related reason for accessing patient information.

External health care providers such as nominated GP, referring doctor and treating clinical staff from a facility to which, or from which the patient may be transferred.

Privacy (data) Breach

A privacy (data) breach occurs when personal information that an entity holds is subject to unauthorised access or disclosure, or is lost.


Principles

Collection

  • Collection of personal and health information will be limited to that which is necessary for delivery of health care and the effective functioning of Ballarat Health Services.

Access, use and disclosure

  • Personal and health information may be accessed, used and/or disclosed only for the primary purpose for which the information was collected, i.e. the delivery of healthcare to the patient.

    • In practical terms, confidential information held by BHS about an individual may only be accessed by BHS staff for a valid work-related purpose.

    • BHS staff must not access their own information/clinical record or that of family, friends or persons known to them.

    • If a BHS staff member wishes to access their own information, which is their right, such access must be via the processes available to all patients; in discussion with the treating clinician or via the Freedom of Information Act process.

  • Use and/or disclosure of personal and health information is permitted with the individual's consent.

  • Use and/or disclosure of health information is permitted to support the further treatment of the patient (continuity of care).

  • BHS staff may disclose information for a quality and safety purpose to the Secretary of the Department of Health and Human Services or to a quality and safety body, i.e. external accreditation standards staff.

  • The BOSSnet Regional Electronic Medical Record (REMR) provides a shared medical record between member agencies (Grampians region hospitals). BHS staff must only access confidential information from another hospital for a valid work-related purpose (as for point 2 above).

  • Access to a patient's My Health Record is available via the BOSSnet Digital Medical Record. Access to the patient's My Health Record is only permitted for the purpose of delivering care to that patient (NCG0067 My Health Record Protocol).

  • Confidential personal and health information must not be emailed to an external email address. Electronic transfer of confidential personal and health information shall be via established secure messaging such as Argus, RIMS and Connecting Care only. Accepted methods of transfer of confidential information are mail and fax (see NCP0063 Use & Disclosure of Personal Information for guidelines).

  • Where disclosure of personal/health information is requested, the requester's identity and their right to receive the information must be verified. Refer to Release of Information Protocols: NCP0063 and CPP0632.

  • Where health information is disclosed, a note regarding the disclosure must be made in the patient clinical record, detailing what information has been released and to whom.

  • Use of health information is permitted for training, quality and research purposes subject to conditions within the Health Records Act including seeking consent where practicable and de-identifying the information where practicable.

  • De-identification of information means removal of identifying details such that an individual may not be identified from the remaining information, considering that an individual may be identified not only by their name or demographic information but also by their circumstances.

  • Disclosure of personal/health information is permitted where required by legislation.

  • Staff must ensure that conversations regarding confidential patient information are necessary, factual, conducted with authorised personnel and conducted with discretion away from the public arena.

Protection of confidential information

  • Staff shall comply with systems in place to protect personal and health information from unauthorised access and disclosure, misuse, loss, modification and wrongful deletion or destruction.

  • Confidential paper records and documents must be secured away from unauthorised access and public view.

  • Computer sessions containing confidential information should be visible only to the authorised user and sessions must be closed at the conclusion of use.

  • Staff must not share logons and passwords to systems containing personal or health information. These access codes are for the use of the individual staff member only.

  • If confidential information (paper) is of a temporary nature and may be discarded, place it in labelled and locked Confidential Disposal bins. Do not place it in general recycling bins or general rubbish.

  • Clinical and non-clinical records and their content may not be modified, deleted or destroyed except in accordance with Public Record Office of Victoria (PROV) Retention and Disposal Authorities (RDA).

Informing individuals

The BHS brochure "Protection and Use of Your Health Information" (CID0024) informs patients about how BHS manages their personal and health information, including:

  • what information is collected and why it is collected

  • how it is accessed and used and by whom

  • to whom it may be disclosed and why

  • our obligation to protect the information

  • methods of access to information

  • the availability of this policy upon request

  • the opportunity for correction of information

  • how to make a complaint about privacy, either to BHS or to the Health Complaints Commissioner

Managers of clinical areas should ensure that this brochure is available to patients.

Responsibility

  • All staff, clinical and non-clinical, are responsible for maintaining the confidentiality of personal and health information of patients, clients, residents and other staff members. All personal and health information should be treated as confidential.

  • Managers are responsible for ensuring that staff receive adequate training relating to this policy and related protocols and for ensuring compliance.

  • Staff shall read and acknowledge the Privacy, Confidential & Information Security Agreement on commencement at BHS as part of the onboarding process.

  • Failure to comply with this policy may result in disciplinary action or prosecution, if in breach of any section of the relevant Acts.

  • Note: Some Commonwealth funded services delivered by BHS may be subject to the Commonwealth Privacy Act 1988. The Australian Privacy Principles (APPs) are very similar to the Health Privacy Principles (HPPs) in the Victorian Health Records Act.

  • Patient records are classified as Confidential within the BHS Information Security Classification Policy. Access is restricted to limited staff on a need-to-know basis. Users require logon authentication. Data encryption is required for electronic transmission. Information may only be released with consent or authority. These requirements are consistent with principles within this policy.

Privacy Breach

A privacy (data) breach occurs when personal information that an entity holds is subject to unauthorised access or disclosure, or is lost.

Examples of privacy (data) breaches include:

  • loss or theft of physical devices (such as laptops and storage devices) or paper records that contain personal/health information

  • unauthorised access to personal/health information by an employee

  • inadvertent disclosure of personal/health information due to human error, for example an email sent to the wrong person or a letter/document handed or mailed to the wrong patient

  • disclosure of an individual's personal/health information to a scammer, as a result of inadequate identity verification procedures

  • loss of confidential paper information such as a BOSSnet unit list or handover list

  • A privacy breach may involve small or large amounts of information.

  • A privacy breach involving technology or electronic information may be a Cybersecurity incident.

  • A privacy breach may be potentially harmful to the individual(s) and may require open disclosure and/or notification to external agencies such as the Health Complaints Commissioner (HCC), Office of the Victorian Information Commissioner (OVIC) and the Australian Health Practitioner Regulation Agency (AHPRA).

How to report a Privacy Breach

  1. Report suspected/alleged privacy breach to manager.

  2. Manager or reporter to complete a VHIMS incident report.

  3. Contact Privacy Officer for advice, if appropriate.

  4. Contact People & Culture, if staff misconduct is suspected/alleged. People & Culture will investigate and manage the incident with the manager of the staff member(s) involved per POL0247 Discipline & Dismissal Policy.

  5. If a cybersecurity incident, contact IT, who may enact the Cybersecurity Incident Response Plan.

  6. Maintain confidentiality around the incident/breach, including protecting the privacy of individual staff members involved.

  7. Depending on the nature and severity of the privacy breach/incident, the incident may be escalated to senior or Executive management and may be reported to external agencies as above.


Related Documents

POL0002 - Record Management (incorporating Information Privacy)
NCP0063 - Use And Disclosure Health Information
POL0247 - Discipline And Dismissal
POL0063 - Information Security Classification
CID0024 - Protection And Use Of Your Health Information
NCG0067 - My Health Record
CID0157 - Australian Charter Of Healthcare Rights
CPP0632 - Protocol For Clinicians Releasing Health Information
POL0185 - Information Security
SOP0007 - Information Management



Reg Authority: Corporate Online Ratification Group Date Effective: 04/08/2021
Review Responsibility: HIS Manager Date for Review: 30/09/2024
Privacy, Confidentiality Of Information - POL0003 - Version: 7 - (Generated On: 24-05-2025 05:37)