The purpose of this policy is to inform staff of Auckland Eye Limited (Auckland Eye) and Oasis Surgical Limited (Oasis) (together, the companies) about requirements under the Privacy Act 2020 and the Health Information Privacy Code (HIPC) 2020; the companies’ policies and procedures in relation to the Privacy Act 2020 and HIPC; and the companies’ requirements in relation to confidential information.
It is the responsibility of all staff, clinicians, and contractors to ensure they comply with all legislation and regulations related to privacy arising from their role in the companies.
Auckland Eye means Auckland Eye Limited.
Companies means Auckland Eye and Oasis.
Confidential information means health information, personal information, and information regarding the companies’ businesses, including payroll figures, personal data such as employee home addresses, or Auckland Eye’s or Oasis’ financial information.
Health information means the following information or classes of information about an identifiable individual:
- (a) information about the health of that individual including their medical history; or
- (b) information about any disabilities that individual has, or has had; or
- (c) information about any health services or disability services that are being provided, or have been provided, to that individual; or
- (d) information provided by that individual in connection with the donation, by that individual, of any body part or any bodily substance of that individual or derived from the testing or examination of any body part, or any bodily substance of that individual; or
- (e) information about that individual, which is collected before or during, and incidental to, the provision of any health service or disability service to that individual.
HIPC means the Health Information Privacy Code 2020 and its amendments.
Oasis means Oasis Surgical Limited.
Privacy Act means the Privacy Act 2020 and its amendments.
Personal information means information about an identifiable individual.
Health Information Privacy Code
The companies are health agencies covered by the HIPC. The HIPC sets specific rules for agencies in the health sector. It covers health information collected, used, held, and disclosed by health agencies and takes the place of the information privacy principles for the health sector. The HIPC information privacy principles set out rules for dealing with health information. The rules are structured as general principles, along with authorised exceptions to those general principles. Almost all the personal information that the companies will be dealing with (except for employees, clinicians, and contractors’ personal information) is “health information” because it is information collected before or during, and incidental to, the provision of any health service or disability service to individuals.
In summary, the rules are:
Rule 1: Health information can only be collected when it is necessary for a lawful purpose connected with the health agency’s functions or activities.
Rule 2: Health information should only be collected from the person whose health information it is, unless there is a good reason why not.
Rule 3: At the time health information is collected from a person, that person should be made aware of the following:
- that the information is being collected;
- why it is being collected;
- who will be able to see that information;
- the details of who is collecting and storing the information;
- if the person must provide the information or can choose not to;
- what might happen if the person does not provide the information;
- the person’s right to see, and if necessary, correct, the information.
Rule 4: Health information should not be collected in a way which is unfair or unnecessarily intrusive.
Rule 5: Reasonable steps must be taken to protect the information against loss, unauthorised access, or other misuse.
Rule 6: A person can see the health information that is held about them unless there is a very good reason why not.
Rule 7: A person can request that corrections be made to their health information. If their request is refused (e.g., because there is a difference of opinion about what is correct), the person can put their own point of view on the file.
Rule 8: Reasonable steps must be taken to check health information, before it is used, to make sure it is accurate, up-to-date, complete, and relevant.
Rule 9: Health information should not be kept any longer than is necessary. Health records must be retained for 10 years. At Auckland Eye they are retained for at least 10 years.
Rule 10: Health information should generally only be used for the reason it was collected and not used in other ways, unless there is a good reason.
Rule 11: Health information will generally not be given to anyone else without the agreement of the person whose health information it is, unless this is one of the reasons for collecting the health information or unless there is a good reason for doing so.
Rule 12: Health information can only be sent to someone overseas if the information will be adequately protected. For example:
- the receiving person is subject to the New Zealand Privacy Act because they do business in New Zealand
- the information is going to a place with comparable privacy safeguards to New Zealand
- the receiving person has agreed to adequately protect the information – through model contract clauses, etc. If there aren’t adequate protections in place, you can only send personal information overseas if the individual concerned gives you express permission, unless the purpose is to uphold or enforce the law or to avoid endangering someone’s health or safety
Rule 13: ‘Unique identifiers’ (e.g., patient numbers) on health information should only be used for health-related purposes.
Release of Information to patients
The HIPC, Rule 6, says that if an agency holds health information in a way that it can readily be retrieved, it should confirm to the person asking for the information that it holds that information
and give the person access to the information. The person requesting their information does not have to give a reason why they want access to it.
Points of Note
- If a patient rings to request a copy of a letter that was addressed to them, the staff member is to identify the patient by asking them to verify their name, date of birth and address.
- When a patient requests their notes be sent to themselves or a third-party, a Release of Patient Information form (doc_162) must be completed after the staff member has asked the patient to verify their name, date of birth, and address.
- If the requester is a third party, it is to be documented who they are in patient notes on VIP. They must verify the patient’s details, and a Release of Patient Information form is completed, which must be signed by the patient and Auckland Eye manager before any documents are released.
- The Release of Patient Information form request should be sent via a task to the Doctor for approval and communication of any special instructions.
- Once approval received, the applicable notes as requested/instructed are to be copied and letters that are FINAL in the PMS printed. All to be stamped as COPY. All originals are kept by Auckland Eye Limited, and the Release of Patient Information form is filed into the chart/scanned into patient record.
- Email – ensure email is correct, with password encryption (give to receiver over phone – do not put in email), and then email with disclosure on the end at signature.
- Tracked Courier – on the patients’ instructions they may the collect the notes or have them couriered. If they wish to have the notes couriered this can be done at a cost to them.
- Unless authorised by the patient on Release of Patient Information Form in writing, no medical notes are to be collected by a third party. If a patient or third party is collecting, they need to have valid ID (i.e., drivers’ licence), for staff to identify authorised person is receiving notes.
- No verbal information can be given without the written consent of the patient.
Storage And Security of Health Information
- All personal and health information is confidential and must be protected by the companies against loss, access, use, modification, unauthorised disclosure, or misuse.
- Only staff members involved in the care or treatment, or management of that person may have access to their clinical or personnel records.
- Transportation of clinical or staff records should be under a secure and unidentifiable cover and transported by a credentialed carrier.
- Information no longer required is offered to the individual or disposed of in a manner that preserves privacy i.e., via the confidential rubbish bin company document destruction.
No employee shall, during the period of their employment, or at any time, thereafter, disclose to any unauthorised person any confidential information (as defined in this policy), including knowledge that is confidential to the companies, its patients and/or its suppliers.
The companies’ employees, clinicians, and contractors shall not:
- Make unauthorised use of any information in files maintained, stored or processed by the companies, or permit anyone else to make unauthorised use of such information;
- Make unauthorised copies of any such information;
- Seek personal benefit or permit others to benefit personally from any confidential information that has come to them by virtue of their work assignment;
- Exhibit or divulge the contents of any record or report to any person except in the conduct of their work assignment and in accordance with the companies’ policies;
- Knowingly include or cause to be included in any record or report a false, inaccurate, or misleading entry;
- Divulge personal IDs or passwords to anyone including other employees, clinicians, or contractors of the companies;
- This policy shall not prevent employees, clinicians, or contractors of the companies disclosing information where they are authorised to do so, or there is a legal requirement for them to do so.
The companies will:
- have a Privacy Officer who has received training and is aware of their responsibilities under the Privacy Act and the HIPC;
- comply with HIPC requirements when collecting, storing, using, disclosing, correcting, and retaining health information;
- comply with Privacy Act requirements when collecting, storing, using, disclosing, correcting, and retaining personal information which is not health information;
- ensure confidentiality of information;
- follow process outlined when dealing with requests from patients for health information held by the companies;
- ensure staff have adequate training to understand their roles in relation to the Privacy Act and HIPC.
All employees, clinicians, and contractors subject to this policy will:
- undertake training on the Office of the Privacy Commissioner’s website, as follows:
- Privacy ABC – on induction and biennial
- Health ABC – on induction and biennial
- Privacy 2020 – on induction
- Privacy breach reporting – on induction for all managers.
- Contractors will acknowledge in their Contractor Induction Form2 that they have read and understood this policy.
The Privacy Officer will:
- be familiar with the information privacy principles in the Privacy Act 2020 and HIPC 2020;
- work to ensure that the companies comply with the Privacy Act 2020 and HIPC 2020;
- deal with any complaints from the companies’ clients about potential privacy breaches;
- deal with requests for access to personal information, or correction of personal information;
- act as the companies’ liaison with the Office of the Privacy Commissioner.
The Privacy Officer may also:
- train other staff at the companies to deal with privacy matters;
- advise the companies on compliance with privacy requirements;
- advise the companies on the potential privacy impacts of changes to the companies’ business practices;
- advise if improving privacy practices might improve the business;
- be familiar with any other legislation regarding personal information.
Breach of Privacy
Under the Privacy Act and HIPC, if the companies have a privacy breach that is likely to cause anyone serious harm, the companies are legally required to notify the Office of the Privacy Commissioner, and any affected people as soon as they are practicably able to.
In the event of a potential privacy breach, the person who becomes aware of the potential privacy breach will:
- immediately report the breach to their manager and on LOGIQC as follows:
- contain the breach and assess the seriousness of the breach;
- evaluate the risks;
- notify the patient(s)/person(s) involved (the person managing the incident will be the one contacting the patient(s)/person(s) involved);
- notify the Privacy Officer if it is considered a high-level breach;
- take steps to prevent the breach being repeated.
In the event of a potential privacy breach in research, refer to doc_848.
- Health and Disability Commissioner (Code of Health and Disability Services Consumers’ Rights) Regulations 1996, Schedule: https://www.legislation.govt.nz/regulation/public/1996/0078/latest/096be8ed81b7759a.pdf
- Medical Council of New Zealand http://www.mcnz.org.nz/
- NZS 8153: 2002 – New Zealand Standard: Health Records
Office of the Privacy Commissioner, NotifyMe tool: https://www.privacy.org.nz/responsibilities/privacy-breaches/notify-us/
This policy should be reviewed on an annual basis.