Frequently Asked Questions and Answers
Privacy Leaflet for PatientsSafeguarding personal health information
Sharing of personal health information
Patient access to their personal health information
Ambulance Service of NSW
Privacy Leaflet for Patients
The NSW Health Privacy Leaflet for Patients is available in 30 community languages on the privacy internet site. Health services are responsible for printing and distributing Privacy Leaflets. For further information, please contact the Privacy Contact Officer for your health service via the privacy internet site, at: http://www.health.nsw.gov.au/utilities/privacy/patient.asp
Q1: Is it the responsibility of the administrative staff or clinical staff to advise patients of the matters included in the Privacy Leaflet?
A: It is largely dependent on the health service facility as to how patients are made aware of information privacy matters, and it is for each facility to work out how patients are to be informed. Most important, is that the Privacy Leaflet is provided to all patients either before or as soon as practicable after personal health information has been collected about them by a health service.
It is advisable that both clinical and administrative staff work together to advise patients of information privacy matters. It may be the role of the administrative staff to ensure that all patients receive a Patient Leaflet. Wherever reasonable and practicable, the contents of the leaflet should be discussed during consultations between the patient and treating clinician as part of discussions relating to the health service the patient is receiving. In particular, clinical staff should advise patients if their information is likely to be shared with a treating team and to other parties involved in the patient’s ongoing care.
Privacy Manual Reference(s): Section 7.4.4, Appendix 5
Q2: Does the Privacy Leaflet need to be handed to all patients presenting to a hospital’s Emergency Department, including short stay patients?
A: Clearly, due to the nature of an Emergency Department, it may not be reasonable or practicable to provide patients with the Privacy Leaflet on admission. However, there are steps that should be taken to ensure that patients or their carer, have access to information about patient privacy.
The Privacy Leaflet must be clearly available to patients or carers preferably at the Emergency Department admissions counter and in public waiting areas. The Privacy Poster, which supports the Privacy Leaflet, should also be displayed and copies are available from the Better Health Centre, Tel. 9816 0452.
In addition and wherever practicable, Emergency Departments should provide a Privacy Leaflet to patients or carers when they are discharged from the Emergency Department.
Q3: In response to a verbal explanation of the patient leaflet, a mental health patient refuses for his information to be shared with his parents who are his primary carers. It is important for the parents to be provided with information to assist with the ongoing care and well-being of the patient, and avoid potential risk of harm to the patient. What information can be disclosed to the parents against the patient’s wishes?
A: A professional assessment of the patient’s capacity to make decisions regarding the disclosure of information to his carers must be made. If it is determined that the patient does not have this capacity, these decisions are delegated to the authorised representative or carer for the patient; in this case the patient’s parents.
Where practicable, it should be explained to the patient that disclosure of his information to his parents is part of the health service’s duty of care with regards to his safety and well-being.
Privacy law also allows for the disclosure of personal health information to lessen or prevent a serious and imminent threat to the life, health or safety of any person. This exemption may apply to this scenario depending on the scale of the risk of harm to the patient.
Privacy Manual Reference(s): Section 11.2.1, 11.2.3
Safeguarding personal health information
Q1: What are the protocols for faxing patient information? Does personal information have to be de-identified prior to sending the fax?
A: Personal health information can be contained in a fax as long as reasonable steps are taken to safeguard the information.
The following steps are recommended when sending a fax:
- Only include personal health information, which you know to be required for the purpose.
- Include a privacy notice on the cover sheet of all faxes (see Appendix 4)
- Store regularly used fax numbers in the fax machine’s memory.
- If the number is not stored in the fax machine’s memory, prior to sending a fax, call the recipient to check the fax number.
- Call the recipient to advise them that you are about to send a fax and that they should call you back if they do not received the fax.
Privacy Manual Reference(s): Section 9.2.3.2
Q2: What practical alternatives to using identifying information can be used when emailing or faxing patient information?
A: As a general rule, a minimum amount of personal information should be used as is required in the circumstances. If the sender of the fax/ email is confident that the recipient knows or can ascertain the identity of the patient, then the patient’s initials, or MRN, or Miss X, Mr Y can be used. In using such abbreviations, it is important that there is no risk of confused identity or risk to patient care or safety.
Privacy Manual Reference(s): Section 9.2.3
Q3: Are patient’s medical and observation charts kept at the end of the bed allowed?
A: Yes, where this is necessary for ongoing care and patient safety. Reasonable measures should be taken to ensure that patient records are only viewed by health workers involved in the patient’s care, such as storing the charts in an envelope or box at the end of patient beds, or including a cover sheet with a notice indicating that the records must only be viewed by staff caring for the patient.
Privacy Manual Reference(s): Section 9
Q4: Can whiteboards be used in wards to display patient details?
A: Yes, where this is necessary for ongoing care and patient safety. Whiteboards should contain a minimum amount of personal information about a patient, normally limited to a patient’s name, and should not contain personal health information about a patient. Wherever possible, whiteboards should be located out of public view.
Patient information should not be included on public view whiteboards, where it is known that there is a risk to a patient in having their information displayed in this way, such as if there is an AVO on a patient’s spouse or family member.
Privacy Manual Reference(s): Section 9
Sharing of personal health information
Q1: Do hospitals need to obtain consent to release patient information to another health worker outside the health service for ongoing care purposes?
A: Patient consent for access to the general medical record is not required as long as:
- the patient is generally aware that their information may be shared for such purposes (see Privacy Manual , Section 7.4)
- the purpose is for the ongoing care and treatment of the patient, or for other secondary purposes (see Privacy Manual , Section 11.2.)
- adequate security measures are in place to ensure the bonafides of the requesting health worker (see below).
It is recommended that the following steps are taken when requesting access to a patient’s record from another health service facility:
- Except in an emergency, the requesting health worker should request access to the patient record in writing (eg. on letterhead via fax) stating that the purpose is for the ongoing care or treatment of the patient. This request should be filed on the patient record.
- If in an emergency situation the request is not received in writing, a notation of the circumstances of the disclosure and that it was requested for ongoing care purposes must be made in the patient record.
Privacy Manual Reference(s): Section 7.4, and Section 11.2.1
Q2: A doctor other than the referring doctor or GP recorded in the medical record requests a copy of the results/ discharge summary by telephone. Can these be forwarded to them without the patient’s consent?
A: Yes, as long as the request relates directly to ongoing care and there are grounds to believe the patient would reasonably expect the information to be given. For example, if the GP or specialist is listed on the patient’s file as the current GP.
Facilities should take extra precautions if a GP/ other doctor requests patient information without patient consent a considerable time after the patient’s discharge from hospital. Such requests should be in writing as outlined in Q1 above.
Privacy Manual Reference(s): Section 11.2.1, Section 15.1.5
Q3: What privacy protocols should be in place at patient case management and discharge planning meetings? Is it appropriate for external organisations and health service staff to be present throughout the meeting when they may be involved in some but not all cases?
A: Reasonable steps should be taken for staff to leave the room if the discussion does not involve a patient in their care. It would be desirable to prepare a policy statement about patient privacy for patient planning meetings, especially where external organisations are involved. Such a statement could include:
- that all people attending the meeting are bound by the 15 Health Privacy Principles and the NSW Health Privacy Manual
- that patient information acquired in patient planning meetings must only be used for purposes relating to the patient’s care
- that staff should leave the room if the discussion does not involve a patient in their care
Privacy Manual Reference(s): Section 9
Q4: What information can be given to emergency workers who have been involved in a drowning or trauma when they enquire about the outcome of the patient’s care?
A: Disclosure of patient information in these circumstances may be possible if it is a management of health services activity, such as a Morbidity and Mortality debriefing session, or a group session to provide feedback to the team involved in the rescue.
Disclosure of patient information to an individual health worker for non-official purposes outside these types of circumstances, will require consent from the patient, or if they are deceased from their authorised representative.
Privacy Manual Reference(s): Section 11.2.1.1, Section 5.6
Q5: An antenatal unit from another hospital is requesting a copy of the notes from a previous pregnancy. Is this ongoing patient care?
A: As the information about a previous pregnancy is likely to be relevant to the current care being provided, then the information may be disclosed on the basis of ongoing care. See procedures set out in Q1 above. While privacy law would allow for this use/ disclosure, it would be expected that as a matter of good clinical practice, this would have been discussed with the patient or if impracticable, with their spouse/ or other authorised representative.
Privacy Manual Reference(s): Section 11.2.1
Q6: The Police are requesting access to detailed personal health information of a patient involved in a car accident, such as the nature and description of injuries. They state they need this level of information to establish an accident investigation team. Is the health service allowed to release this information?
A: The NSW Police Service is listed as a law enforcement agency under the HRIP Act, and as such a health service is permitted to disclose personal health information that is reasonably necessary to assist Police in carrying out their law enforcement functions.
Whilst a health service is not obliged to supply information to the Police, it must balance the public interest in assisting the Police with law enforcement and public protection, with the health service’s own duties of confidentiality to a patient.
Generally, information supplied should be limited to the patient’s identity and address. If the Police can prove that the car accident was caused as a result of an offence and that additional information is necessary to assist the Police with its investigation, further information about the patient may be disclosed.
The request should be in writing except where it is impracticable in the case of an emergency. The request should identify the requesting officer and why the information is required, that is, some evidence that an offence has been committed. The request should be retained on the patient’s file as evidence as to why the information was disclosed.
These cases are not always straightforward and more detailed guidance in provided in the Privacy Manual Reference(s): Section 11.2.7
Q7: Are photographs and Xrays considered personal health information?
A: If the image contains information that identifies or can potentially identify a person then it is personal health information. The image constitutes part of the patient’s medical record, and can be used and disclosed in the same manner as any part of the medical record for clinical care purposes, and other secondary purposes.
Privacy Manual Reference(s): Section 5.1, Section 11.2.
Patient access to their personal health information
Q1: We have a father asking for information on his 6 month old child. There is an AVO against the father not to go near the child. Do we have to provide the father with access to relevant parts of the child’s health record?
A: No. Privacy law and the Freedom of Information Act both allow for access to be refused where this may put a person at risk of harm, or where access may be prejudicial to the child’s physical or mental health.
Privacy Manual Reference(s): Section 12, Section 15.3.4, Section 5.6
Q2: When a patient requests access to his/ her medical record, and the record contains letters and documentation from another agency, can we also provide access to that information?
A: Depending on the circumstances of the request, you may take some or all of the following steps:
- Ascertain from the patient whether he/ she is aware that any third party agency may have had contact with the health facility.
- Make an evaluation of the content of the other agency’s documents. If the documents do not provide information, which may cause distress to the patient, and the patient has confirmed that he/ she is generally aware of the content of the documents, then a professional judgement should be made as to whether it is appropriate to disclose them.
- Make contact with the other agency, and discuss whether in their opinion it would be appropriate to disclose the documents.
- The health facility may refuse disclosure if it is believed that disclosure may cause risk of harm or distress to the patient.
Privacy Manual Reference(s): Section 12
Ambulance Service of NSW
the caller to ‘OOO” such as their name and telephone number. When a patient requests a copy of the CAD report, can the third party information be disclosed?
A: The third party must consent prior to their information being disclosed to the patient. If the third party is known to the patient, the patient may request that the third party provides this consent. If the third party is unknown to the patient, the Ambulance Service may contact the third party to request their consent. If the third party cannot be contacted, their information should not be disclosed, unless there is some other lawful justification.
Privacy Manual Reference(s): Section 5.4, Section 11.2.2
Q2: Can health facilities and Ambulance Service Operations Centres disclose which hospital or other health facility a patient has been transferred to?
A: This information may be disclosed to family members or close friends on compassionate grounds if the third party can provide sufficient evidence that they know the patient and are genuinely concerned for their welfare. The type of questions which should be asked include:
- what is the person’s full name, age/ date of birth?
- what relation are you to the person?
- what is your name?
A notation must be made in the patient’s file of the details of the request, including the requesting person’s name, relationship to the patient and the time/ date of the request. It must be explained to the person that the information is being provided on the legal basis of compassionate grounds, and that a notation of their details has been kept on file. If the person requests that their personal information is not disclosed, the facility should withhold information regarding the patient.
Disclosure of patient information to the media must be with consent from the patient (or their authorised representative), and should be limited to the patient’s sex, approximate age, and whether injuries are critical, serious or minor.
Privacy Manual Reference(s): Section 11.2.9, Section 15.7
Q3: What information can be disclosed to the Police when Ambulance Officers assess patients in police holding cells?
A: Ambulance Officers should disclose the necessary personal health information to enable the Police to monitor the condition of the patient and to ensure that the Police know which symptoms would require the patient to be taken to hospital.
Depending on the circumstances of the patient and wherever practicable, Ambulance Officers should explain to the patient that they will only discuss with the Police matters relating directly to their health to ensure that they receive the best possible care whilst in Police custody.
Ambulance Officers are not required to discuss with the Police matters other than the patient’s health care or treatment, such as whether in their opinion the patient is medically competent to be interviewed.
Privacy Manual Reference(s): Section 11.2.7
Q4: Our work within Child and Family Health involves school health and home visiting. A local school would like us to screen a child as they have concerns regarding the child’s learning. We need to gain parental consent prior to screening the child. We have a record of the parents’ details via clinic notes from their youngest child who already attends the clinic. Can we use these to contact the parents?
A: No. In these circumstances, you are unable to contact the parents direct because the reason you hold their personal information is not directly related to the reason you now wish to use it. The school however may contact the parents and either ask for their consent to have the child screened, or ask whether they mind if you contact them direct (a note of this action should be kept by the school).
Privacy Manual Reference(s): Section 11.2.1, 11.2.2
Q5: If a patient is unconscious and not with anyone, can an Ambulance Officer search a patient’s wallet to ascertain identity in order to complete the patient health care record?
A: Yes. The patient’s identity may be required for treatment purposes and mandatory billing by the Ambulance Service and the health facility receiving the patient.
Privacy Manual Reference(s): Section 11.2.1.1, Section 7.2