1 / 55

Privacy matters – rules about use and disclosure

Privacy matters – rules about use and disclosure. May 2013. Holly Hedley . What we will cover today. Privacy in the news Your privacy obligations Rules about use and disclosure When you are required to disclose When you are permitted to disclose What to disclose and to whom

etana
Download Presentation

Privacy matters – rules about use and disclosure

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Privacy matters – rules about use and disclosure May 2013 Holly Hedley

  2. What we will cover today • Privacy in the news • Your privacy obligations • Rules about use and disclosure • When you are required to disclose • When you are permitted to disclose • What to disclose and to whom • Case studies • How to avoid a privacy breach and what to do if you think there has been one

  3. Privacy in the news.

  4. Privacy in the news • Privacy is a hot topic • Triggered first by the ACC breach and then by a series of other privacy "scandals"

  5. Privacy (still) in the news

  6. Privacy (still) in the news

  7. Privacy practice in the spotlight • The media focus on privacy puts all of our privacy practices into the spotlight • A timely reminder that both the DHB and all individual health providers must be aware of and adhering to their privacy obligations "There but for the grace of God go a lot of other agencies and companies."

  8. What are your obligations?

  9. What are your obligations? • Legal obligations – the Privacy Act and Health Information Privacy Code • Employee obligations – to adhere to DHB policies and procedures • Ethical obligations – for example under your professional code of conduct

  10. Trust and confidence • It is not just about avoiding trouble • The underlying principle = trust and confidence • Patients trust their health providers to look after their information and to treat it with respect • Distrust leads to poor communication and care "there are real people behind the information that government agencies hold"

  11. Your legal obligations.

  12. The Privacy Act and HIPC • Your legal obligations come from the Privacy Act and the Health Information Privacy Code • The HIPC sets out 12 key rules that apply to health information and health providers • Two key concepts in the HIPC • Purpose: you must know why you are collecting the information and only collect the information you need • Openness: you must let patients know how their information is going to be used so the patients can make decisions about whether to provide it

  13. The 12 Health Information Privacy Rules • Only collect health information if you need it • Get it from the person concerned, if possible • Tell them what you are going to do with it • Be considerate when you are getting it • Take care of it once you have got it • People can see their health information if they want to • People can correct it if it is wrong • Make sure the information is correct before you use it • Get rid of it once you are done with it • Use it for the purpose that you got it • Only disclose if you have a good reason • Only assign unique identifiers if permitted

  14. Privacy does not always mean secret • Privacy legislation does not require organisations to keep information "secret" – instead, it is about ensuring that information is used consistently with the purposes for which it was obtained and that individuals are aware of such purposes

  15. Use of information.

  16. Use of information • Rule 10 of the HIPC is about how you can use information • In summary • You can only use information for the purpose for which you collected it; or • For a directly related purpose; or • If one of the particular exceptions set out in rule 10 applies • This is why the purpose statement is so important • The exceptions generally mirror the exceptions that allow you to disclose information (set out in rule 11) – we will discuss these soon

  17. Disclosing information.

  18. Disclosing information • An individual has the right to control who may or may not see their health information • If patient authorises you can disclose to the whole world • If the patient does not authorise (or that is not practicable or desirable) you must have a lawful basis to justify disclosing

  19. Patient authorisation first • Before deciding whether to disclose the first question must always bewhether it is practicable to obtain patient authorisation

  20. Disclosing information • If you are trying to decide whether you can disclose without patient consent you should ask • Am I required to disclose this information? • Am I permitted to disclose this information? • Should I disclose the information? • What information and to whom?

  21. Am I required to disclose?

  22. Disclosure required by law • A number of statutes impose mandatory reporting on practitioners • For example • Land Transport Act– medical practitioners and optometrists have a duty to report conditions that affect a patient's capacity to drive • Civil Aviation Act – changes in medical condition of licence holder • Health Act – notifiable diseases • Venereal Diseases Regulations – STIs • Tuberculosis Act and Cancer Registry Act • Coroners Act

  23. Disclosure required by law • Supply of information pursuant to • search warrant • Court summons • request from CYFs (section 66) • request for a medical report by a Coroner (section 40) • request from officer appointed under the Food Act (section 12)

  24. Am I permitted to disclose?

  25. Disclosure permitted by law • Health Act • section 22C allows health information to be disclosed to specific people if required for their function • medical officers of penal institutions • probation officers • social workers or care and protection co-ordinators (CYF) • Police officers • CYPF Act • section 15 – anyone mayreport suspected child abuse or neglect to CYF or a police constable

  26. Disclosure permitted by law • Rule 11 of the HIPC • States that you cannot disclose unless an exception (set out in rule 11) applies • The exceptions only apply if it is not desirable or practicable to obtain authorisation • Exceptions permit disclosure in certain circumstances (and are quite detailed). Common examples include • if disclosure is necessary to prevent or lessen a serious and imminent risk of harm (Rule 11(2)(d)) • if disclosure is necessary to avoid prejudice to the maintenance of the law including the prevention, detection, investigation, prosecution, and punishment of offences (Rule 11(2)(i))

  27. Should I disclose?

  28. Discretion to disclose • You might decide not to disclose even though there might be an exception that allows you to • A number of factors may bear upon your decision • ethical codes and duties of confidentiality • professional standards/statements/guidance • DHB policies • Ministry of Health guidance "Ethical and professional obligations might impose stricter limits on disclosure than those of Rule 11"

  29. What information and to whom?

  30. Only to the extent necessary • You must also remember if you do disclose you may only do so to the extent necessary to achieve the purpose • This may limit • What information is disclosed • Who the information is disclosed to

  31. Case study 1

  32. Case study 1: Disclosing information • Lucy presents with a back injury and requests opiates for pain relief • Lucy refuses any other form of treatment that you suggest, and becomes agitated and abusive when you refuse to prescribe opiates • You are aware that Lucy is a caregiver at a local rest-home. Based on your interactions with her, you are concerned that she may obtain drugs by depriving patients of their medication

  33. To disclose or not to disclose? • What do you do? • What rule applies? • Is there an exception that allows you to disclose? • What things do you need to think about first? • What information do you disclose? To whom?

  34. Case study 1 cont • Rule 11(2)(d) - practitioner may disclose information if • Not practicable to obtain authorisation (includes Lucy refusing) and • Disclosure is necessary to prevent or lessen a serious threat to the life or health of an individual • Would you disclose?

  35. A note on the serious and imminent risk exception • There has been a very recent change to the Privacy Act and the HIPC whereby parliament has amended the serious and imminent exception so that the requirement for a threat to be "imminent" has been removed • A new definition of "serious threat" …a threat that an agency reasonably believes to be a serious threat having regard to all of the following: • The likelihood that the threat will occur • The severity of the consequences if the threat occurs • The time at which the threat may occur

  36. Case study 2

  37. Case study 2: Suspected child abuse • Anna is 7 years old and presents to ED with severe bruising • When her mother leaves the room briefly, Anna tells you that James hurt her, that it was a secret, and that you have to "pinky swear" not to tell anyone • Based on your interaction with the family you are concerned that discussing this with the mother would place Anna at risk

  38. To disclose or not to disclose? • What do you do? • Is there an exception that allows you to disclose? • What things do you need to think about first? • Do you have to tell Mum? • Is there a duty to take action? • What information do you disclose? To whom?

  39. Do you have to disclose information to mum? • Do you have to disclose information to mum? • Duties, powers, rights and responsibilities of a guardian include determining questions about important matters affecting the child (section 16 of the Care of Children Act) • Guardian would normally have a right to access child information (section 22F of the Health Act), but this is not automatic – request may be declined if disclosure is contrary to the interests of the child • Key principles in Care of Children Act, and CYPF Act is that the child's welfare and best interests are paramount

  40. Do you have to disclose? • Do you have to disclose this information to the police or CYFs? • No statutory obligation of mandatory reporting • BUT • DHB policies usually require suspected child abuse or neglect to be reported (after risk assessment) • Also consider your professional and ethical obligations • The new amendments to the Crimes Act mean there is a duty to take "reasonable steps"

  41. Are you permitted to disclose? • Are you permitted to disclose? "Any person who believes that any child or young person has been, or is likely to be, harmed (whether physically, emotionally, or sexually), ill-treated, abused, neglected, or deprived may report the matter to a Social Worker or a constable" Section 15 CYPF Act • Protection from civil, criminal or disciplinary action if in good faith (section 16)

  42. Case study 3

  43. Case study 3: Criminal offending • The Police contact you about Dennis. Dennis is your patient who regularly attends at your clinic • The Police have a warrant for Dennis' arrest, but have been unable to locate him • The Police inform you they have concerns about his mental health, and they have received reports of erratic behaviour. They request your help • You know that Dennis will be at the High Street Pharmacy at around 10am for his daily methadone prescription

  44. To disclose or not to disclose? • What do you do? • Is there an exception that allows you to disclose information? • What things do you need to think about first? • Is there a duty to take action? • What information do you disclose? To whom?

  45. Do you have to disclose? • No statutory duty to disclose (no search warrant or summons) • But must still consider • Your relevant policies • Public interests • Patient interest

  46. Are you permitted to disclose? • Are you permitted to disclose? • Rule 11(2)(i) HIPC may disclose if • Not practicable to obtain authorisation and • Disclosure is necessary to avoid prejudice to the maintenance of the law including the prevention, detection, investigation, prosecution, and punishment of offences

  47. Should you disclose? • If there is a discretion to disclose, should you exercise it? • A matter of balancing • Duties of confidentiality • Professional ethics • Public interest • Patient interest/ongoing relationship • What information are you disclosing? • Location? • Fact that he is on the methadone programme?

  48. How to avoid a privacy breach.

  49. How to avoid a privacy breach • Bear in mind the value of the patient's personal information and the reason behind the rules • Be familiar with the rules (and know where to go to get answers) • Seek help if you are unsure • Your DHB policies and guidelines • Ask your manager or privacy officer Marilyn Scott • The HIPC is a user friendly document – get yourself a copy off the Privacy Commissioner's website

  50. What if you have breached?

More Related