Privacy Policy – Zed3

Privacy and Security of Personal Health Information

Policy

 

This practice is bound by the Federal Privacy Act 1998, Health Records (Privacy and Access) Act 1997 and National Privacy Principles.

 

‘Personal health information’ is a particular subset of personal information and can include any information collected to provide a health service.

 

This information includes medical details, family information, name, address, employment and other demographic data, past medical and social history, current health issues and future medical care, Medicare number, accounts details and any health information such as a medical or personal opinion about a person’s health, disability or health status.

 

It includes the formal medical record whether written or electronic and information held or recorded on any other medium e.g. letter, fax, or electronically or information conveyed verbally.

 

Our Security policies and procedures regarding the confidentiality of patient health records and information are documented and our practice team are informed about these at induction and when updates or changes occur.

 

The practice team can describe how we correctly identify our patients using 3 patient identifiers (name, date of birth, address or gender) to ascertain that we have the correct patient record before entering or actioning anything from that record.

 

For each patient, we have an individual patient health record (electronic) containing all clinical information held by our practice relating to that patient. The Practice ensures the protection of all information contained therein. Our patient health records can be accessed by an appropriate team member when required.

 

Procedure

 

Doctors, allied health practitioners and all other staff and contractors associated with this Practice have a responsibility to maintain the privacy of personal health information and related financial information. The privacy of this information is every patient’s right.

 

The maintenance of privacy requires that any information regarding individual patients, including staff members who may be patients, may not be disclosed either verbally, in writing, in electronic form, by copying either at the Practice or outside it, during or outside work hours, except for strictly authorised use within the patient care context at the Practice or as legally directed.

 

There are no degrees of privacy. All patient information must be considered private and confidential, even that which is seen or heard and therefore is not to be disclosed to family, friends, staff or others without the patient’s approval. Sometimes details about a person’s medical history or other contextual information such as details of an appointment can identify them, even if no name is attached to that information. This is still considered health information and as such it must be protected under the Privacy Act 1998.

 

Any information given to unauthorised personnel will result in disciplinary action and possible dismissal. Each staff member is bound by his/her privacy clause contained within the employment agreement, which is signed upon commencement of employment at this Practice.

 

Personal health information should be kept where staff supervision is easily provided and kept out of view and access by the public e.g. not left exposed on the reception desk, in waiting room or other public areas; or left unattended in consulting or treatment rooms.

 

Care should be taken that the general public cannot see or access computer screens that display information about other individuals. To minimise this risk automated screen savers should be engaged.

 

Members of the practice team have different levels of access to patient health information. To protect the security of health information, Specialists and other practice staff do not give their computer passwords to others in the team.

 

Reception and other Practice staff should be aware that conversations in the main reception area can often be overheard in the waiting room and as such staff should avoid discussing confidential and sensitive patient information in this area.

 

Whenever sensitive documentation is discarded, the practice uses an appropriate method of destruction: shredding (computer drives, memory sticks etc. are reformatted).

 

Correspondence

 

Where medical information is sent by post the use of secure postage or a courier service is determined on a case by case basis.

 

Incoming patient correspondence and diagnostic results are opened by designated staff members.

 

Items for collection or postage are left in a secure area not in view of the public.

 

Facsimile

 

Facsimile, printers and other electronic communication devices in the practice are located in areas that are only accessible to the Doctors and other authorised staff. Faxing is point to point and will therefore usually only be transmitted to one location.

 

All faxes containing confidential information are sent to fax numbers after ensuring the recipient is the designated receiver.

 

Faxes received are managed according to incoming correspondence protocols.

 

Patient Consultations

 

Patient privacy and security of information is maximised during consultations by closing consulting room doors.

 

When consulting, treatment room or administration office doors are closed, staff should, prior to entering, either knock and wait for a response or alternatively contact the relevant person by internal phone or email.

 

It is the doctor’s/health care professional’s responsibility to ensure that prescription paper, sample medications, medical records and related personal patient information are kept secure if they leave the room during a consultation or whenever they are not in attendance in their consulting/treatment room.

 

Medical Records

 

The physical medical records and related information created and maintained for the continuing management of each patient are the property of this Practice. This information is deemed a personal health record and while the patient does not have ownership of the record he/she has the right to access under the provisions of the Commonwealth Privacy and State Health Records Acts. Requests for access to the medical record will be acted upon only if received in written format.

 

Our patient health records can be accessed by an appropriate team member when required.

 

Medical Records are located electronically and clinical and reception staff each have individual usernames and passwords to ensure the protection of all information contained in medical records.

 

Both active and inactive patient health records are kept and stored securely.

 

A patient health record is solely electronic.

 

Computerised Records

 

Our practice is considered paperless and has systems in place to protect the privacy, security, quality and integrity of the personal health information held electronically. Appropriate staff members are trained in computer security policies and procedures.

Computer Information Security

Policy

 

Our practice has systems in place to protect the privacy, security, quality and integrity of the data held electronically. Doctors and staff are trained in computer use and our security policies and procedures, and are updated when changes occur.

 

The Receptionist has designated responsibility for overseeing the maintenance of our computer security and our electronic systems.

 

All clinical staff have access to a computer to document clinical care. For medico-legal reasons, and to provide evidence of items billed in the event of a Medicare audit, staff, especially nurses, always log in under their own passwords to document care activities they have undertaken.

 

Our practice ensures that:

· computers are only accessible via individual password access to those in the practice team who have appropriate levels of authorisation.

· computers have screensavers or other automated privacy protection devices enabled to prevent unauthorised access to computers.

· servers are backed up and checked at frequent intervals.

· back up information is stored in a secure environment.

· computers are protected by antivirus software that is installed and updated regularly.

· computers connected to the internet are protected by appropriate hardware/software firewalls.

 

This Practice reserves the right to check an individual’s Computer System history as a precaution against fraud, workplace harassment or breaches of confidence by employees. Inappropriate use of the Practice’s Computer Systems or breaches of Practice Computer Security will be fully investigated and may be grounds for dismissal.

 

This practice has a sound backup system and a contingency plan to protect practice information in the event of an adverse incident, such as a system crash or power failure. This plan encompasses all critical areas of the practice’s operations such as making appointments, billing patients and collecting patient health information. This plan is tested on a regular basis to ensure backup protocols work properly and that the practice can continue to operate in the event of a computer failure or power outage.

Practice Privacy Policy

Policy

 

National Privacy Principle 5 requires our practice to have a document that clearly sets out its policies on handling personal information, including health information.

 

This document, commonly called a privacy policy, outlines how we handle personal information collected (including health information) and how we protect the security of this information. It must be made available to anyone who asks for it.

 

The collection statement informs patients about how their health information will be used including other organisations to which the practice usually discloses patient health information and any law that requires the particular information to be collected. Patient consent to the handling and sharing of patient health information should be provided at an early stage in the process of clinical care and patients should be made aware of the collection statement when giving consent to share health information.

 

In general, quality improvement or clinical audit activities for the purpose of seeking to improve the delivery of a particular treatment or service would be considered a directly related secondary purpose for information use or disclosure, so we do not need to seek specific consent for this use of patients’ health information; however, we include information about quality improvement activities and clinical audits in the practice policy on managing health information.

3rd Party Requests for Access to Medical Records/Health Information

Policy

 

Requests for 3rd Party access to the medical record should be initiated by either receipt of correspondence from a solicitor or government agency or by the patient completing a Patient Request for Personal Health Information Form. Where a patient request form and/or signed authorisation is not obtained, the practice is not legally obliged to release.

 

Where requests for access are refused the patient or third party may seek access under relevant privacy laws.

 

An organisation ‘holds’ health information if it is in their possession or control. If you have received reports or other health information from another organisation such as a medical specialist, you are required to provide access in the same manner as for the records you create. If the specialist has written ‘not to be disclosed to a third party’ or ‘confidential’ on their report, this has no legal effect in relation to requests for access under the Health Records (Privacy and Access) Act 1997. You are also required to provide access to records which have been transferred to you from another health service provider.

 

Requests for access to the medical record and associated financial details may be received from various 3rd Parties including:

1. Subpoena/court order/coroner/search warrant

2. Relatives/Friends/carers

3. External doctors & Health Care Institutions

4. Police/Solicitors

5. Health Insurance companies/Workers Compensation/Social Welfare agencies

6. Employers

7. Government Agencies

8. Accounts/Debt Collection

9. Students (Medical & Nursing)

10. Research/Quality Assurance Programs

11. Media

12. International

13. Disease registers

14. Telephone Calls

 

Where possible, de-identified information is sent.

 

Procedure

 

The practice team can describe how we correctly identify our patients using 3 patient identifiers, name, date of birth, address or gender to ascertain we have the correct patient record before entering, actioning or releasing anything from that record.

 

As a rule, no patient information is to be released to a 3rd Party unless the request is made in writing and provides evidence of a signed authority to release the requested information, to either the patient directly or a third party. Where possible, de-identified data is released.

 

Written requests should be noted in the patient’s medical record and also documented in the practice’s Request Register. Requests should be forwarded to the designated person within the practice for follow-up.

 

Requested records are to be reviewed by the treating medical practitioner or principal doctor prior to their release to a third party. Where a report or medical record is documented for release to a third party, having satisfied criteria for release (including the patient’s written consent and, where appropriate, written authorisation from the treating doctor), then the practice may specify a charge to be incurred by the patient or third party, to meet the cost of time spent preparing the report or photocopying the record.

 

The practice retains a record of all requests for access to medical information including transfers to other medical practitioners.

 

Where hard copy medical records are sent to patients or 3rd Parties, copies are forwarded, not original documentation, wherever possible. If originals are required, copies are made in case of loss.

 

Subpoena, Court Order, Coroner Search Warrant

 

Note the date of the court case and the date the request was received in the medical record. Depending on whether a physical or electronic copy of the record is required, follow procedures as described above. Refer also to section “Management of potential Medical defence claims”.

 

Relatives/Friends

 

A patient may authorise another person to be given access if they have the legal right and a signed authority. See 6.3 Patient Requests for Personal Health Information. See also NPP2 Use & Disclosure.

 

In 2008 the Australian Law Reform Commission recognised that disclosure of information to ‘a person responsible for an individual’ can occur within current privacy law. If a situation arises where a carer is seeking access to a patient’s health information, practices are encouraged to contact their medical defence organisation for advice before such access is granted.

 

Individual records are advised for all family members but especially for children whose parents have separated where care must be taken that sensitive demographic information relating to either partner is not recorded on the demographic sheet. Significant court orders relating to custody and guardianship should be recorded as an alert on the children’s records.

 

External Doctors and Health Care Institutions

 

Direct the query to the patient’s doctor and/or the practice manager/principal doctor.

 

Police/ Solicitors

 

Police and solicitors must obtain a case specific signed patient consent (or subpoena, court order or search warrant) for release of information. The request is directed to the doctor.

 

Health Insurance Companies /Workers Compensation/ Social Welfare Agencies

 

Depending on the specific circumstances, information may need to be provided. It is recommended that these requests are referred to the Doctor.

 

It is important that organisations tell individuals what could be done with their personal health information and if it is within the reasonable expectation of the patient then personal health information may be disclosed. Doctors may need to discuss such requests with the patient and perhaps their medical defence organisation.

 

Exceptions to the Policies

 

It is important to know there are exceptions in which all Clinicians are required to break privacy/confidentiality. This can occur when:

 

1. The information you have given to your Clinician is subpoenaed (officially requested) by a court of law or tribunal.

 

2. Failure to disclose the information would place you or another person at serious risk of harm. When a client discloses intentions or a serious plan to harm another person we are required to warn the intended victim and report this information to the appropriate authorities. Additionally, when a client discloses or implies a serious plan for suicide we are required to notify the appropriate authorities and make reasonable attempts to safeguard life.

 

3. Your Clinician is made aware that a child or a vulnerable adult is being or has been abused. By law, they must report this information to the appropriate authorities.

 

4. Your prior approval has been obtained to (a) provide a written report to another professional or agency (e.g. a GP or lawyer); or (b) discuss the material with another person (e.g. a parent or employer).

 

5. You would reasonably expect your personal information to be disclosed to another professional or agency. For example, your Clinician must meet reporting obligations under Medicare or to third party agencies (e.g. insurance companies, workers’ compensation).

 

Employers

 

If the patient has signed consent to release information for a pre-employment questionnaire or similar report then direct the request to the treating doctor.

 

Government Agencies – Medicare/Dept. Veterans Affairs

 

Depending on the specific circumstances, information may need to be provided. It is recommended that doctors discuss such issues with the medical defence organisations.

 

State Registrar of Births, Deaths and Marriages

 

Death certificates are usually issued by the treating doctor.

 

Centrelink

 

There are a large number of Centrelink forms (treating doctor’s reports) which are usually completed in conjunction with the patient consultation.

 

Accounts/ Debt Collection

 

The practice must maintain privacy of patient’s financial accounts. Accounts are not stored or left visible in areas where members of the public have unrestricted access.

 

Accounts must not contain any clinical information. Invoices and statements should be reviewed prior to forwarding to third parties such as insurance companies or debt collection agencies.

 

Outstanding account queries or disputes should be directed to the practice manager/bookkeeper or principal.

 

Researchers/Quality Assurance Programs

 

Where the practice seeks to participate in human research activities and/or continuous quality improvement (CQI) activities, patient anonymity will be protected. The practice will also seek and retain a copy of patient consent to any specific data collection for research purposes.

 

Research requests are to be approved by the Practice Principal/ practice partners and must have approval from a Human Research Ethics Committee (HREC) constituted under the NH&MRC guidelines. A copy of this approval will be retained by the practice.

 

Media

 

Please direct all enquiries to the Practice Manager/Principal. Staff must not release any information unless it has been authorised by the Practice Manager/Principal and patient consent has been obtained.

 

International

 

Where patient consent is provided, information may be sent overseas; however, the practice is under no obligation to supply any patient information upon receipt of an international subpoena.

 

Telephone Calls

 

Requests for patient information are to be treated with care and no information is to be given out without adherence to the following procedure:

 

Take the telephone number, name (and address) of the person calling and forward this on to the treating doctor/principal or Practice Manager where appropriate.

Request for Access to Personal Health Information

Policy

 

Patients at this practice have the right to access their personal health information (medical record) under legislation: the Commonwealth Privacy Amendment (Private Sector) Act 2000 and the Health Records (Privacy and Access) Act 1997 (ACT). The HRA gives individuals a right of access to their personal health information held by any organisation in the private sector in Victoria in accordance with Health Privacy Principle 6 (HPP 6). This principle obliges health service providers and other organisations that hold health information about a person to give them access to their health information on request, subject to certain exceptions and the payment of fees (if any).

 

Public sector organisations continue to be subject to the Freedom of Information Act 1982.

 

This practice complies with both laws and the National and Health Privacy Principles (NPPs & HPPs) adopted therein. See summary headings of Principles in this section. Both Acts give individuals the right to know what information a private sector organisation holds about them, the right to access this information and to also make corrections if they consider data is incorrect.

 

National Privacy Principles

 

· NPP 1: Collection of personal information by an organisation.

· NPP 2: How an organisation may use and disclose personal information in its possession.

· NPP 3: Relates to the quality of the data held by an organisation.

· NPP 4: Organisation must take reasonable steps to make sure the personal information it holds is secure.

· NPP 5: Requires an organisation to be open about what personal information it holds and its policy on the management of personal information.

· NPP 6: Relates to access and correction of personal information held by an organisation about an individual, by that individual.

· NPP 7: The use of identifiers assigned by a Commonwealth Agency.

· NPP 8: Individuals have the option of not identifying themselves when entering transactions with organisations.

· NPP 9: Regulates the transfer of personal information held by an organisation in Australia.

· NPP 10: Limits on when an organisation is permitted to collect sensitive information.

 

As adopted within Commonwealth Privacy Amendment (Private Sector) Act (2000):

We have a privacy policy in place that sets out how to manage health information and the steps an individual must take to obtain access to their health information. This includes the different forms of access and the applicable time frames and fees.

 

Reports by Specialists

 

This information forms part of the patient’s medical record, hence access is permitted under privacy law.

 

Diagnostic Results

 

This information forms part of the patient’s medical record, hence access is permitted under privacy law.

 

Note: Amendments to the Privacy Act 1998 apply to information collected after 21st December 2001, however they also apply to data collected prior to this date provided it is still in use and readily accessible.

 

We respect an individual’s privacy and allow access to information via personal viewing in a secure private area. The patient may take notes of the content of their record or may be given a photocopy of the requested information. A Specialist may explain the contents of the record to the patient if required. An administrative charge may be applied, at the Specialist’s discretion and in consultation with the Privacy Officer, e.g. for photocopying the record or X-rays and for staff time involved in processing the request.

 

Procedure

 

Release of information is an issue between the patient and the doctor. Information will only be released according to privacy laws and at the doctor’s discretion. Requested records are reviewed by the medical practitioner prior to their release and written authorisation is obtained.

 

Request Received

 

When our patients request access to their medical record and related personal information held at this practice, we document each request and endeavour to assist patients in granting access where possible and according to the privacy legislation. Exemptions to access will be noted and each patient or legally nominated representative will have their identification checked prior to access being granted.

 

A patient may make a request verbally at the practice, via telephone or in writing e.g. fax, email or letter. No reason is required to be given. The request is referred to the patient’s doctor or delegated Privacy Officer.

 

A Request for Personal Health Information form is completed to ensure correct processing.

 

Once completed a record of the request is logged in the Access Register and the form filed/scanned in the patient record.

 

Request by another (not patient)

 

An individual may authorise another person to be given access, if they have the right e.g. legal guardian, and if they have a signed authority. Under NPP 2 Use & Disclosure, a ‘person responsible’ for the patient (including a partner, family member, carer, guardian or close friend), if that patient is incapable of giving or communicating consent, may apply for and be given access for appropriate care and treatment or for compassionate reasons.

Identity validation applies.

 

The Privacy Act 1998 defines a ‘person responsible’ as a parent of the individual, a child or sibling of the individual, who is at least 18 years old, a spouse or de facto spouse, a relative (at least 18 years old) and a member of the household, a guardian or a person exercising an enduring power of attorney granted by the individual that can be exercised for that person’s health, a person who has an intimate relationship with the individual or a person nominated by the individual in case of emergency.

 

Children

 

Where a young person is capable of making their own decisions regarding their privacy, they should be allowed to do so according to Federal Privacy Commissioner’s Privacy Guidelines. The doctor could discuss the child’s record with their parent. Each case is dealt with subject to the individual’s circumstances. A parent will not necessarily have the right to their child’s information.

 

Deceased Persons

 

A request for access may be allowed for a deceased patient’s legal representative if the patient has been deceased for 30 years or less and all other privacy law requirements have been met. Ref: Sec 28 Health Records Act. No mention is made of deceased patient’s access in Commonwealth privacy legislation.

 

Acknowledge Request

 

Each request is acknowledged with a letter sent to the patient, confirming that the request has been received. Send the letter within 14 days or sooner as recommended by the National Privacy Commissioner. Acknowledgment will include a statement concerning charges involved in processing the request.

 

Fees Charged

 

Discuss with the individual what information they want access to, and the likely fees, before undertaking their request for access.

 

The fees which an organisation can charge for providing access must not be excessive and must not apply to the mere lodgment of a request for access. National Privacy Principle (NPP) 6.4 aims to prevent organisations from using excessive charges to discourage individuals from making requests for access to their medical records.

 

If an organisation incurs substantial costs in meeting a request for access, then the organisation could charge a reasonable fee to meet the administrative costs involved. For example, an organisation could recover some of the costs of photocopying or of the staff time involved.

 

Collate & Assess Information

 

Retrieve patient’s hardcopy medical record or arrange for the treating doctor or practice principal to access the computer record. Refer to the patient request form to help identify what information is to be given to the patient.

 

Data may be withheld under privacy legislation NPP6 Access & Correction for the following reasons.

· where access would pose a serious threat to the life or health of any individual

· where the privacy of others may be affected

· if a request is frivolous or vexatious

· if information relates to existing or anticipated legal proceedings

· if access would prejudice negotiations with the individual

· if access would be unlawful

· where denying access is required or authorised by law

 

See National Privacy Principles in full for comprehensive list of exclusions.

 

Access Denied

 

Reasons for denied access must be given to the patient in writing. Note these on request form. In some cases refusal of access may be in part or full.

 

Use of Intermediary When Access Denied

 

If a request for access is denied, an intermediary may operate as facilitator to provide sufficient access to meet the needs of both the patient and the doctor.

 

Provide Access

 

Personal health information may be accessed in the following ways:

· view and inspect information

· view, inspect and talk through contents with the doctor

· take notes

· obtain a copy (can be photocopy or electronic printout from computer)

· listen to audio tape or view video

· information may be faxed to patient

Check Identity of Patient

· ensure a visible form of ID is presented by the person seeking access. E.g. driver’s licence, passport, other photo identification. Note details on request form.

· does the person have the authority to gain access? Check age, legal guardian documents; is person authorised representative?

 

If the patient is viewing the data, supervise each viewing so that the patient is not disturbed and no data goes missing.

 

If a copy is to be given to the patient, ensure all pages are checked and this is noted in the request form.

 

If the doctor is to explain the contents to a patient then ensure an appointment time is made.

 

Requests to Correct Information

 

A patient may ask to have their personal health information amended if he/she considers that it is not up to date, accurate and complete. (NPP 6.5/6/6)

 

Our practice must try to correct this information. Corrections are attached to the original health record.

 

Where there is a disagreement about whether the information is indeed correct, our practice attaches a statement to the original record outlining the patient’s claims.

 

Time Frames

 

Acknowledge request – within 14 days. Complete the request – within 30 days.

Medical Records Administration Systems

The practice team can describe how we correctly identify our patients using 3 patient identifiers (name, date of birth, address or gender) to ascertain that we have the correct patient record before entering or actioning anything from that record.

 

Select the appropriate option for the medical records at your practice, throughout this section.

 

Our practice uses Genie for the storage or management of patient health information.

Creating a New Medical Record

Once patient name, address, date of birth and related demographic details are received by reception, enter this information into the patient record.

Retrieving a Medical Record for a Current Patient

Computerised patient records are only accessed by authorised doctors and staff via secure login/password.

Filing Reports (Pathology, X-Ray, Consultant’s etc)

Paper-based diagnostic test results and other incoming patient correspondence must be dated and passed on to the patient’s treating doctor, or to the Practice Principal if the doctor is not in on the day, for follow-up.

 

Once the doctor has actioned and initialled the document it should be followed up accordingly.

 

This practice scans all patient paper-based correspondence, with copies of this data securely stored.

 

Original copies are not retained.

 

If results are received electronically, they are to be checked by the referring doctor or Practice Principal daily, and the appropriate action box marked. The doctor will ensure that the action is completed.

Errors in Medical Record

If an error occurs in the paper medical record, it is corrected by crossing through the entry with a single line, initialled and dated by the author, with an explanatory note beside or below the original item. Thus, the reason for the incorrect entry is clearly documented with the new entry underneath or in the next available position. The new entry is signed or initialled and dated. Liquid paper/whiteout is not used in the medical record.

 

Corrections in the electronic record should be recorded by referring to the date of the original entry and the associated amendment.

Allergies & Alerts

Alert notification may be required for allergic responses, drug reactions, and previous aggressive behaviour or guardianship/custody arrangements.

 

It is practice policy to ensure that all patients have their allergic status recorded especially any allergies to medications to facilitate safer prescribing. In computer based records “no known allergies” is recorded in the absence of any allergies to note.

 

Alert notifications are documented in the electronic medical record Health Summary.

Back Up of electronic medical records

In order to avoid lengthy down time, disruption, and medico-legal issues, frequent backups are essential and form a critical component of the practice disaster recovery plan. A formal policy for the back up of the practice computer systems must be in place. (Refer 6.1.1 Computer Information security)

Retention of Records and Archiving

Patient Health Records must be kept until the patient is 25 years of age, if a child, or a minimum of 7 years following the last year of the patient’s attendance, whichever is greater.

 

Inactive electronic patient records are retained indefinitely or as stipulated by the relevant national, state or territory legislation.

 

Patient accounts records are also retained for a minimum of 7 years.

 

Sterilisation Cycle records and evidence of vaccine fridge temperature monitoring are retained as per patient health records.

 

Where our patients have chronic conditions or genetic diseases, or at the doctor’s discretion, their records are kept for 7 years.

 

Records of patients that have been sought for legal purposes are retained for 7 years.

 

Records of deceased patients are kept indefinitely.

 

Paper based test results are scanned and kept indefinitely.

 

Procedure

 

Privacy will be maintained during the destruction process to ensure information contained in the records is not divulged or seen by unauthorised persons. Records will be destroyed by shredding or pulping, in a secure environment. Where an outside bureau undertakes this task, the Practice manager retains a copy of the contract with the bureau and any certificates of destruction.

 

We consult with our Specialists’ medical defence organisations when deciding on the practice’s policy with respect to the retention of records or when we are unsure about culling or archiving medical information.

Transfer of Medical Records

Policy

 

Transfer of medical records from this Practice can occur in the following instances:

· for medico-legal reasons e.g. record is subpoenaed to court.

· when a patient asks for their medical record to be transferred to another Practice, due to moving residence or for other reasons.

· where an individual medical record report is requested from another source.

· where the Doctor is retiring and the practice is closing.

 

Our practice team can describe the procedures for timely, authorised and secure transfer of patient health information to other providers and in relation to valid requests.

 

Procedure

 

Requests for Transfer of medical records for medico legal reasons

 

Receiving a request to transfer medical records to a patient’s new clinic

In accordance with state and federal privacy regulations, a request to transfer medical records must be signed by the patient giving us authority to transfer their records.

 

The request form should contain:

· the name of the receiving practitioner or practice.

· the name, address (both current and former if applicable) and date of birth of the patient whose record is required.

· the reason for the request.

 

When fulfilling a request, this practice may choose to either:

· prepare a summary letter (manually or via clinical software) and include copies of relevant correspondence and results pertinent to the ongoing management of the patient.

· make a copy of the medical record and dispatch the copy to the new Practice, retaining the original on site for a minimum of 7 years.

 

The requesting clinic is advised if we propose to transfer a summary or a copy of the full medical record. If they have a preference the format can be negotiated or they can choose not to proceed with the transfer and seek a copy through a separate access request.

 

If there are going to be any expenses related to the transfer, the requesting clinic is advised prior to sending the medical records, and once the fee has been paid we process the request as soon as possible.

 

Any charges must not exceed the prescribed maximum fee.

 

The patient’s signed request letter/form and a notation that the patient has transferred are recorded on the medical record. Include the name and address of the new Practice and the dispatch details (e.g. via priority mail or confidential courier or in an electronic form).

 

All reasonable steps are taken to protect the health information from loss and unauthorised disclosure during the transfer.

 

This practice does not allow individuals to collect the file and take it to their new provider.

Making a request for a patient medical record from another source

 

Access to a new patient’s previous record can assist with maintaining the continuity of care of the patient.

 

When requesting records from another clinic, a standard request for transfer of medical records template (see sample below) should be used.

 

This should contain:

· the patient’s details; the patient should be identified by name, address (both current and former if applicable) and date of birth.

· the reason for request including the name of the Doctor making the request.

· the request for transfer of patient files should be authorized by the patient.

 

If the files will be requested electronically, specific details of the format need to be included, such as HTML or XML.

 

If the clinic advises you that the patient is likely to incur out-of-pocket expenses related to the transfer, please advise the patient prior to accepting the transferred medical records.

When a Doctor is retiring and the practice is closing