Privacy HIPC 2014

Privacy and Confidentiality
Kathryn Dalziel
I’m going to talk about …
• A legal framework:
• Confidentiality
• Privacy
• Privacy Breach
• Policy & Procedures
• Trust and Confidence
You tell me!
Inroads:
• reporting requirements of funders
• the increasing size of medical practices
• patient’s rights of support
• sharing of health information between health care professionals
• ease of access to health records on electronic databases
• insurers’ insistence on full access to patient records
‘Whatever, in connection with my professional practice or
not in connection with it, I see or hear in the life of men,
which ought not to be spoken of abroad, I will not divulge,
as reckoning that all such should be kept secret.’
Privacy v Confidentiality
• Privacy
– Principles to guide the amount of control which an
individual can exercise over his or her personal data
– Collection, storage, use and disclosure of personal
information and the right of access and correction
• Confidentiality
– akin to secrecy
– fundamental to trust relationship/promotes full disclosure
– ability to disclose information received in confidence is
limited to authorisation or public interest.
Privacy Act v Health Information Privacy Code
• Privacy Act
– Data protection
– 12 privacy principles: collection, storage, use and
disclosure of personal information and the right of
access and correction
• Health Information Privacy Code
– Health Information & Health Agency
– 12 rules: collection, storage, use and disclosure of
personal information and the right of access and
Health Information Privacy Rules…
1. Only collect health information if you really need it.
2. Get it straight from the people concerned.
3. Tell them what you’re going to do with it.
4. Be considerate when you’re getting it.
5. Take care of it once you’ve got it.
6. People can see their health information if they want
7. They can correct it if it’s wrong.
8. Make sure health information is correct before you
use it.
9. Get rid of it when you’re done with it.
10. Use it for the purpose you got it.
11. Only disclose it if you have a good reason.
12. Only assign unique identifiers where permitted.
Rules 1 - 4
• Purposes: lawful and necessary
• From person concerned:
unless an exception applies
• Transparency:
fact of collection, purposes, who sees the information,
where it is held, compulsory/optional questions, right to
access and request correction
• Lawful and fair collection
Rule 5
Storage & Security
An agency that holds personal/health
information must take reasonable security
safeguards to protect against:
• loss
• unauthorised access, use, modification,
• other misuse
Rule 6
If information is readily retrievable
people have a right to:
• confirmation whether the agency holds*
information about them;
• have access to the information.
* holds includes info received from other agencies
Rule 7
Individuals have a right to request correction; or
have a statement of correction added.
Agency must either:
make the change
attach statement
inform the individual and any
recipients of the information
Rule 8
Before using personal or health
information, an agency must take
reasonable steps* to ensure it is:
up to date
not misleading
*what is reasonable will depend on the proposed use
Rule 9
Personal/Health information must not
be retained for longer than is required
for the purposes for which it may
lawfully be used.
Note: Health (Retention of Health Information)
Regulations 1996
• Health Information to be retained for at least 10 years
from last date of treatment or care
• Does not prevent agencies from transferring information
to individual or to personal representative where
individual is deceased
Rule 10
Limits on the use
Personal/Health information obtained for
one purpose must not be used for another
purpose unless the agency believes, on
reasonable grounds:
• Other use authorised by individual or their
• Other purpose is directly related to the purpose for
which information was collected initially
*many exceptions mirror principle/rule 11
Legal Framework
• Statute
• Common Law/Equity
• Contract/Agreements/policies & procedures
• Personal decision making
Health Information
s22F Health Act
On request, must disclose to
Health Provider
(May refuse in some circumstances)
Treat as
Rule 6
• Disclosure contrary to
individual’s interests
• Individual does not want
information disclosed
• Privacy Act withholding
grounds apply (see Rule 6)
does not
want the
May also refuse for a lawful excuse which does not include non payment,
prejudice to commercial position, disclosure not allowed by Privacy Act
Health Information
Who is a representative?
• where individual is dead: personal representative
• where individual is under the age of 16 years:
parent or guardian
• where individual is not in above categories & is unable
to give consent or authority or exercise his/her rights –
a person appearing to be lawfully acting on the
individual’s behalf or in his/her interests
• People can appoint agents eg. lawyer, friend,
written authority,
• Parents / guardians DO NOT have automatic right of access to children’s
consider requests under section 22F or OIA
Rule 11
Disclosure of health information
A health agency must not disclose health
information, unless it believes, on reasonable
grounds, that disclosure is:
to the individual/representative
authorised by individual/representative
of publicly available info
general information: presence, location, condition,
progress of patient (not contrary to express request)
fact of death by registered health professional or by auth
person to specified people
advice to principal caregiver of individual’s release under
Mental Health [Compulsory Assessment and Treatment]
Rule 11
Disclosure of health information
When it is not desirable or practicable to
obtain the individual’s authorisation, a health
agency may disclose where the disclosure is:
Directly related purpose
By registered health professional to specified people (not contrary to Express
Statistical (no id)
to prevent/lessen serious & imminent threat to public or individual Health
and/or safety
Necessary to facilitate sale of business
Of brief description of nature of injuries in accident & individuals id
by auth person in hosp to media (not contrary to express request)
To id individuals for health education related to accreditation, quality
assurance or risk management (no id)
To avoid prejudice to law/drug dependency
authorised by PC.
Rule 12
Unique Identifiers
What is it?
A code or number that is assigned to a person by
an agency which uniquely identifies the person in
relation to the agency.
An agency may only assign one if:
• Necessary to carry out its functions
• Person’s identity is clearly established
*Must not use identifier assigned by another agency.
*The NHI number is an exception – see HIPC
“But most people had probably sent
an email or text message in error”
Prime Minister John Key says the big privacy
breach at EQC was "distressing" but most people
had probably sent an email or text message in
error. "We do live in a world where these things
are possible." The Christchurch Press: March 2013
staff interest in health
• CDHB staff interest in the health records of the
New Zealand cricket player Jesse Ryder.
• ADHB staff interest in the health records of a
man with an eel ….
Setting the Standard:
Independent Review of ACC’s
Privacy and Security of
• Clear policies creating a positive mindset as part of
building customer trust & establishing a “firm but also
seen as fair” image in public minds
• Coherent strategy & process to mitigate privacy risks
• Monitor performance for compliance
• Ensure adequate resources & capacity to respond to
Setting the Standard:
Independent Review of ACC’s Privacy
and Security of Information
• Importance of privacy and protection of personal data
at Board governance level
• Privacy vision, strategy and programme
• Role of privacy officer and use of privacy champions
• Education and Training
• Culture
• Reporting
Retrospective or
• Audit, review and evaluation
Data Breach
See OPC voluntary guidelines:
• Breach containment and preliminary assessment;
• Evaluation of the risks associated with the breach;
• Notification; and
• Prevention
Be like me:
