270 likes | 485 Views
Privacy and Confidentiality ???. Kathryn Dalziel. I’m going to talk about …. A legal framework: Confidentiality Privacy Privacy Breach Policy & Procedures Trust and Confidence. Issues…. You tell me!. In roads : reporting requirements of funders
E N D
Privacy and Confidentiality ??? Kathryn Dalziel
I’m going to talk about … • A legal framework: • Confidentiality • Privacy • Privacy Breach • Policy & Procedures • Trust and Confidence
Issues…. You tell me!
In roads: • reporting requirements of funders • the increasing size of medical practices • patient’s rights of support • sharing of health information between health care professionals • ease of access to health records on electronic databases • insurers’ insistence on full access to patient records Confidentiality ‘Whatever, in connection with my professional practice or not in connection with it, I see or hear in the life of men, which ought not to be spoken of abroad, I will not divulge, as reckoning that all such should be kept secret.’
Privacy v Confidentiality • Privacy • Principles to guide the amount of control which an individual can exercise over his or her personal data • Collection, storage, use and disclosure of personal information and the right of access and correction • Confidentiality • akin to secrecy • fundamental to trust relationship/promotes full disclosure • ability to disclose information received in confidence is limited to authorisation or public interest.
Privacy Act v Health Information Privacy Code • Privacy Act • Data protection • 12 privacy principles: collection, storage, use and disclosure of personal information and the right of access and correction • Health Information Privacy Code • Health Information & Health Agency • 12 rules: collection, storage, use and disclosure of personal information and the right of access and correction
Health Information Privacy Rules… Only collect health information if you really need it. Get it straight from the people concerned. Tell them what you’re going to do with it. Be considerate when you’re getting it. Take care of it once you’ve got it. People can see their health information if they want to.
Health Information Privacy Rules… They can correct it if it’s wrong. Make sure health information is correct before you use it. Get rid of it when you’re done with it. Use it for the purpose you got it. Only disclose it if you have a good reason. Only assign unique identifiers where permitted.
Rules 1 - 4 COLLECTION • Purposes: lawful and necessary • From person concerned: • unless an exception applies • Transparency: • fact of collection, purposes, who sees the information, where it is held, compulsory/optional questions, right to access and request correction • Lawful and fair collection
Rule 5 Storage & Security An agency that holds personal/health information must take reasonable security safeguards to protect against: • loss • unauthorised access, use, modification, disclosure • other misuse
Rule 6 Access If information is readily retrievable people have a right to: • confirmation whether the agency holds* information about them; AND • have access to the information. * holds includes info received from other agencies
Rule 7 Correction Individuals have a right to request correction; or have a statement of correction added. Agency must either: make the change attach statement inform the individual and any recipients of the information
Rule 8 Accuracy Before using personal or health information, an agency must take reasonable steps* to ensure it is: • accurate • up to date • complete • relevant • not misleading *what is reasonable will depend on the proposed use
Rule 9 Retention Personal/Health information must not be retained for longer than is required for the purposes for which it may lawfully be used. • Note: Health (Retention of Health Information) Regulations 1996 • Health Information to be retained for at least 10 years • from last date of treatment or care • Does not prevent agencies from transferring information • to individual or to personal representative where • individual is deceased
Rule 10 Limits on the use Personal/Health information obtained for one purpose must not be used for another purpose unless the agency believes, on reasonable grounds: • Other use authorised by individual or their representative • Other purpose is directly related purpose for which information was collected initially *many exceptions mirror principle/rule 11
Legal Framework • Statute • Common Law/Equity • Contract/Agreements/policies & procedures • Personal decision making
Health Information s22F Health Act On request, must disclose to Health Provider Individual Representative May refuse in some circumstances) • Disclosure contrary to • individual’s interests • Individual does not want • information disclosed • Privacy Act withholding • grounds apply (see Rule 6) Individual does not want the information disclosed Treat as Rule 6 request May also refuse for a lawful excuse which does not include non payment, prejudice to commercial position, disclosure not allowed by Privacy Act
Health Information • Who is a representative? • where individual is dead: personal representative • where individual is under the age of 16 years: • parent or guardian • where individual is not in above categories & is unable • to give consent or authority or exercise his/her rights – • a person appearing to be lawfully acting on the • individual’s behalf or in his/her interests • People can appoint agents eg. • lawyer, friend, parent • written authority, properly authorised • Parents / guardians DO NOT have automatic right of • access to children’s information • consider requests under section 22F or OIA
Rule 11 Disclosure of health information • A health agency must not disclose health information, unless it believes, on reasonable grounds, that disclosure is: • to the individual/representative • authorised by individual/representative • purpose • of publicly available info • general information: presence, location, condition, progress of patient (not contrary to express request) • fact of death by registered health professional or by auth person to specified people • advice to principal caregiver of individ’srelease under Mental Health[Compulsory Assessment and Treatment] Act
Rule 11 Disclosure of health informationrule 11 • When it is not desirable or practicable to obtain the individual’s authorisation, a health agency may disclose where the disclosure is: • Directly related purpose • By registered health professional to specified people (not contrary to Express request) • Statistical (no id) • to prevent/lessen serious & imminent threat to public or individual Health and/or safety • Necessary to facilitate sale of business • Of brief description of nature of injuries in accident & individuals id • by auth person in hosp to media (not contrary to express request) • To id individuals for health education related to accreditation, quality assurance or risk management (no id) • To avoid prejudice to law/drug dependency • authorised by PC .
Rule 12 Unique Identifiers What is it? A code or number that is assigned to a person by an agency which uniquely identifies the person in relation to the agency. An agency may only assign one if: • Necessary to carry out its functions • Person’s identity is clearly established *Must not use identifier assigned by another agency. *The NHI number is an exception – see HIPC
“But most people had probably sent an email or text message in error” Prime Minister John Key says the big privacy breach at EQC was "distressing" but most people had probably sent an email or text message in error. "We do live in a world where these things are possible." The Christchurch Press: March 2013
staff interest in health information • CDHB staff interest in the health records of the New Zealand cricket player Jesse Ryder. • ADHB staff interest in the health records of a man with an eel ….
Setting the Standard:Independent Review of ACC’s Privacy and Security of Information • Clear policies creating a positive mindset as part of building customer trust & establishing a “firm but also seen as fair” image in public minds • Coherent strategy & process to mitigate privacy risks • Monitor performance for compliance • Ensure adequate resources & capacity to respond to incidents
Setting the Standard:Independent Review of ACC’s Privacy and Security of Information • Importance of privacy and protection of personal data at Board governance level • Privacy vision, strategy and programme • Role of privacy officer and use of privacy champions • Education and Training • Culture • Reporting • Audit, review and evaluation Retrospective or prospective?
Data Breach • See OPC voluntary guidelines: • http://www.privacy.org.nz/news-and-publications/guidance-notes/privacy-breach-guidelines-2/ • Breach containment and preliminary assessment; • Evaluation of the risks associated with the breach; • Notification; and • Prevention