SPORTS DOCTORS LIMITED
Privacy Policy
Purpose
This document outlines the practice policy related to the Privacy, in line with the Privacy Act 2020, which promotes and protects the privacy of individual personal information and the Health Information Privacy Code, which specifically relates to the management of health information.
Policy
The practice team members will understand, comply with and implement the requirements of the Privacy Act 2020 and the Health Information Privacy Code 2020, as outlined in this document which state the processes to be followed by the staff in handling personal and health information.
The practice will collect personal and health information in a manner that complies with the Privacy Act and the Health Information Privacy Code.
o only collect the information for the purpose of treating the patient or for some other legal purpose;
o collect the information directly from the patient unless they have consented to you collecting the information from someone else or one of the other exceptions to this rule applies; and
o collect information from children and young people in a fair manner
o let the patient know why you are collecting the information, who will have access to the information and that the patient is entitled to access and correct the information. You will not need to tell patients this if you have collected the same type of information from them before.
o Collect information in an unidentifiable way if appropriate
The practice complies with the Privacy Act and Health Information Privacy Code requirements when using personal and health information.
o When we have collected personal information from an individual for one purpose, it cannot used for any other purpose without the individual’s consent.
o There are some exceptions to this principle. These exceptions include where the information is publicly available, or where you use the information in a way that does not identify the individual. You will find a full list of the exceptions to this principle in the Privacy Act .
o Before using individuals’ personal information, you must do what you can to make sure that the information is accurate and up to date.
The practice complies with the Privacy Act and Health Information Privacy Code when storing and destroying personal and health information.
o You must ensure that the personal information that our practice holds is stored securely so that it cannot be accessed or used by unauthorised people.
o When you transfer patients’ health information to someone else, you must do what you can to prevent unauthorised people from accessing or using the information.
o Our practice can keep patients’ health information for as long as we need the information to treat patients and must keep patients’ health information for a minimum of 10 years from the date that treatment was last provided.
o Our practice must destroy patients’/clients information in a way that ensures the confidentiality of the information.
o Patients/clients are entitled to ask our practice to confirm whether we hold information about them and to access the information unless we have lawful reasons for withholding the information.
o Patients/clients are also entitled to ask our practice to correct the information that we hold about them.
o You must assist patients/clients who ask to access their information.
The practice complies with the Privacy Act and Health Information Privacy Code requirements when disclosing health information.
You must not disclose a patient’s information without their consent (or the consent of their representative) unless you reasonably believe that it is not possible for you to get the patient’s consent and:
o the disclosure is for the purposes of the patient’s treatment (e.g. a referral);
o the disclosure is to the patient’s caregiver and the patient hasn’t objected to the disclosure;
o it is necessary for you to disclose the information to prevent a serious and immediate threat to the patient or another person’s life or health;
o the disclosure is made for the purposes of a criminal proceeding;
o the patient is, or is likely to become dependent on a drug that you need to report under the Misuse of Drugs Act or the Medicines Act;
o the disclosure is to a social worker or the police and concerns suspected child abuse;
o the disclosure is made by a doctor to the Director of Land Transport Safety and concerns the patient’s ability to drive safely.
You must consult with our practice’s Privacy Officer before disclosing a patient’s health information without his/her consent.
The practice complies with the Privacy Act and Health Information Privacy Code when correcting health information.
The practice has a process to deal with data privacy breaches and notification in-line with the requirements under the Privacy Act.
The practice will follow the process outlined when dealing with requests for information.
1. All requests from third parties will be saved into patient file.
2. Consent checked to make sure patient has signed and authorised release of information.
3. Information requested by third party collated and sent to third party via their nominated EDI or Email within 10 working days.
The practice will ensure confidentiality of information.
The practice will follow the process outlined to deal with transferring patient’s information.
1. Patients are asked to complete the transfer of notes form or email their request to reception at info@sportsdoctors.co.nz from their verified email (one they have put on their treatment consent form).
2. Once received the request is saved into their file.
3. Transfer is actioned and sent to address provided for transfer within 10 working days.
· The practice displays a privacy poster in the waiting room.
· The practice has brochures relating to the Privacy Act and HIPC available for patients. These can be found at reception.
· The Privacy Act and HIPC will be covered in the practice induction process.
Privacy Breaches
Agencies are now legally required to notify breaches in privacy if the breach poses a risk of serious harm or causes serious harm to an individual or group. There are three reasons why this is important:
- People cannot protect themselves from the impact of privacy breaches if they do not know a breach has occurred
- The speed at which data can be transferred and copied means the potential for harm is much greater
- Sharing the lessons from privacy breaches that have already occurred can help to prevent similar beaches in the future
If a notifiable privacy breach occurs the business should notify the affected people. If the breach poses a risk of serious harm or causes serious harm to an individual or group, the Privacy Commissioner must be notified. The Privacy Commission has developed a Notify Us tool which will help you to identify if the breach meets the notification threshold. Failure to notify could result in a penalty of up to $10,000.
Examples of likelihood of serious harm being caused by a breach include:
Physical harm or intimidation
Financial fraud including unauthorised credit card transactions or credit fraud
Family violence
Psychological, or emotional harm
When assessing whether a privacy breach is likely to cause serious to decide whether the breach is a notifiable privacy breach, you must consider the following:
· any action taken by the agency to reduce the risk of harm following the breach:
· whether the personal information is sensitive in nature:
· the nature of the harm that may be caused to affected individuals:
· the person or body that has obtained or may obtain personal information as a result of the breach (if known):
· whether the personal information is protected by a security measure:
· any other relevant matters.
If you think a data breach has occurred
1. Inform the Privacy Officer/management as soon as you are aware of a data breach
2. Privacy Officer/Management will notify the Privacy Commissioner and potentially affected individuals of the privacy breach, where the breach caused or is likely to cause serious harm
3. The breach notice made by Privacy office/management must contain:
a. Information around the breach itself.
Confidentiality
All staff members have understood and signed a confidentiality agreement as part of their employment agreement or contract of service. The obligations under this clause extend after the agreement or contract has ended.
Destruction of Confidential material
All confidential material is either shredded on site or placed in secure destruction bin.
Policy review date:1 September 2022