Privacy health check: Diagnosing for law reform


Privacy health check: Diagnosing for law reform
PMAANZ Conference, 10 September 2016
Daimhin Warner, Director (Auckland), Simply Privacy Ltd

Law reform is coming: time to get your house in order
What is privacy and why is it important?
What's coming in the law reform?
Privacy health check: what's your prognosis?
Protecting health information
Sharing health information
Consequences of a privacy breach
Health case studies

Privacy is about: preserving individual control; protecting autonomy and dignity; giving people meaningful choices.

The Privacy Act and the Health Information Privacy Code
Promote and protect individual privacy
12 Health Information Privacy Rules (a roadmap for compliance)
Health agencies have obligations (purpose and openness)
Patients have rights (access and correction)
Privacy law focuses on awareness rather than consent
It's all about reasonableness

What information does it cover?
Health information is information about a patient's: medical history; disabilities; health services used; administrative dealings with a health agency.
So, it's really everything you hold about a patient.

Why does privacy matter?
Health information is a key asset and a key risk.
High public (and media) interest in privacy: the public cares.
Recent high-profile privacy breaches are driving change.
Privacy is becoming a point of difference for agencies.
Getting it wrong will impact: patient trust; reputation; your ability to collect the health information you need; staff loyalty and morale.

And don't forget:
You're liable for the actions of your employees.
You're liable for the actions of third-party contractors and service providers.
The Privacy Act applies to information you hold overseas.
You cannot contract this liability out!
Information held solely for personal, family or household affairs is excluded (but note the Harmful Digital Communications Act).

Health Information Privacy Rules
1. Only collect the information you need
2. Get it from the person concerned
3. Tell them what you're doing
4. Be ethical when you're doing it
5. Take care of the information once you've got it
6. They can see it if they want to
7. They can correct it if it's wrong
8. Make sure it's accurate before you use it
9. Get rid of it when you're done with it
10. Only use it for the purpose you got it for
11. Only disclose it if that's why you got it
12. Be careful with unique identifiers

The Privacy Act is growing some teeth

Privacy law reform
Mandatory breach notification: material breaches = notify the OPC; serious breaches (real risk of harm) = notify the OPC and the affected customers. Offence for failure to notify: fine of up to $10,000.
Increased powers for the Privacy Commissioner: enhanced own-motion inquiry powers; power to issue compliance notices (cease and desist!); power to make access determinations.

Privacy law reform
New cloud computing accountability provisions: will make explicit that agencies are responsible for information held in the cloud; will require more openness with customers about the use of third parties.
Harmful Digital Communications Act: creates a new avenue of complaint about social media activities; limits the "publicly available" exceptions to principles 10 and 11 where relying on them would be unfair or unreasonable; should inform any social media policy for agencies and staff.

Privacy health check
Who's your Privacy Officer?
What personal information do you collect and hold?
How is information being used, and who is it being disclosed to?
What are patients and whānau told about this?
Where is information stored, and is a third party involved?
How long is information retained for?
Do you have a breach management plan?
Do all staff know what's expected of them?

Privacy is everyone's responsibility

Information security
You must take reasonable steps to protect personal information against: loss; unauthorised access, use, modification or disclosure; or other misuse.
What's reasonable depends on the context.

Information security
Remember: privacy is everyone's responsibility.
Training and awareness
System access and protection (employee browsing risk)
Responsible transmission of information
Precautions when dealing with the public
Clear desks
Sound BYOD (bring your own device) and work-from-home policies

Retention
Health information must not be retained for longer than it's needed (rule 9).
Think about: lawful purposes; statutory requirements. The Health (Retention of Health Information) Regulations 1996 set a minimum retention period of 10 years from the last contact with the patient; beyond that, keep the information only as long as a lawful purpose requires it.

Everyone makes mistakes. It's how you manage them that counts.

Privacy breach management
Contain: What has happened? Is there anything you can do to retrieve or secure the information?
Evaluate: What harm could result from the breach? Is there anything you can do to minimise it?

Privacy breach management
Notify: Should the affected people be made aware of the breach? How will you notify them (be personal)? Should the Privacy Commissioner be notified?
Prevent: How did the breach occur? What lessons can be learned from it? Are there steps that can be taken to prevent a repeat?

Every patient has the right to know

Access: the right to know
Patients have a strong right to know. Remember section 22F of the Health Act: requests can come from:
the patient
the patient's representative
where the patient is dead, a personal representative
where the patient is under 16, a parent or guardian
where the patient is unable to consent, a person acting lawfully on their behalf or in their interests
the patient's new health provider

Access: the right to know
Records can be owned; information cannot.
Precautions must be taken to verify identity.
Requests don't have to be in writing.
You can provide assistance to the requester.
You should transfer the request if you don't hold the information or feel uncomfortable releasing it.
The patient can veto representative access.

Access: the right to know
A decision must be made as soon as possible, and no later than 20 working days after the request is received.
The information must then be released without undue delay.
You cannot charge, unless: the information was already released within the last 12 months; or the information is expensive to reproduce.
There can be good reasons for refusing a request.

Access: the right to know
You can withhold information from patients, but only for certain reasons (sections of the Privacy Act), such as:
it's mixed information and releasing it would breach someone else's privacy (section 29(1)(a))
releasing the information would endanger safety (section 27(1)(d))
releasing the information would be contrary to an under-16's interests (section 29(1)(d))
the information is not readily retrievable or does not exist (section 29(2))

The Privacy Act is an enabler, not a barrier

Disclosure of information: when you must
Some laws require disclosure (these override the Privacy Act): Land Transport Act 1998; Cancer Registry Act 1993; a court order or search warrant.

Disclosure of information: when you're asked
Some laws require disclosure on request (these override the Privacy Act): Official Information Act 1982 (but only if you're public sector); rule 6 of the Health Information Privacy Code; sections 22F or 22C of the Health Act 1956.

Disclosure of information: when you want to
Some laws permit disclosure (these override the Privacy Act): Children, Young Persons and Their Families Act 1989; Medicines Act 1981 and Misuse of Drugs Act 1975; Protected Disclosures Act 2000.

Disclosure of information: when you want to
Does rule 11 of the HIPC permit disclosure? It does where the disclosure is: authorised by the patient or their representative; one of the purposes for collection (check your privacy statement); of the fact of death.
Or, where it is not desirable or practicable to obtain authorisation, where the disclosure is: for a directly related purpose; for statistical or research purposes; necessary to prevent or lessen a serious threat; necessary for the maintenance of the law or the conduct of court proceedings.

Disclosure of information: things to consider
Ethical obligations
Privacy outlasts death
Patient veto
The patient's best interests
Requests from family
Your privacy statement

Trust is harder to regain than it is to lose

What if it all goes wrong?
Complaint to the health agency from the patient
Privacy complaint to the OPC
Referral to the Director of Human Rights Proceedings
Human Rights Review Tribunal and beyond
Naming
Potential for media interest

Health case studies
The nosey employee: employee browsing. Settled $$
The stamp on the envelope: mental health stamp. Settled $$
A promotional photo: online photo linked to the name of a patient. Settled $$

Stay in touch!
simplyprivacy.co.nz
@Simply_Privacy
info@simplyprivacy.co.nz
Practical advice; privacy impact assessments; privacy health checks; training; breach investigations; Privacy Officer services