Protecting your patients’ privacy
- On 27/04/2017
Medical record management is an important part of managing your practice. Doctors and medical staff have an ethical and legal duty to keep patients’ medical records confidential. To ensure that you are meeting requirements regarding private health information, you will need a system that is both secure and confidential.
Medical records, which include all information collated about a patient, can be in electronic or paper form, or a combination of both. If your practice is disposing of paper records that have been transferred into an electronic format, then the disposal must be done in a way that preserves confidentiality and complies with legislative requirements. In NSW, a register of all records that have been destroyed needs to be kept.
Electronic medical records
Your practice must take reasonable action to protect the information from loss or unauthorised use or disclosure. Back up your computer regularly, either to a remote data storage facility or to external hard drives that are rotated and stored off-site.
Your computers must be password protected, and it is good practice to change your passwords on a regular basis. An IT consultant can help you protect the information on your computers against hacking, unauthorised alteration of records, and viruses.
Information from medical records should not be disclosed without a patient’s consent unless permitted as a matter of law. Patients do not have a right of access to their medical records; however, under privacy legislation they have the right to request access.
This access is subject to limitations and procedures under NSW legislation. Patients must make a written request for access to their records or to transfer their records, and this request must be kept in the patient’s medical record. Should the patient transfer to another doctor, the new medical practitioner is entitled to a copy of the records or a treatment summary.
Medical records for inactive patients need to be kept for as long as Australian, State or Territory government legislation requires.
Generally for inactive patients this is for a minimum of seven years from the time of last contact, or until the patient has reached the age of 25 years, whichever is longer.
Regular archiving of inactive patients will improve the performance of your clinical and management software.
For more information on medical health records, visit:
- RACGP Electronic health records
- RACGP Computer and information security standards
- Privacy obligations of medical practitioners in regard to patients’ records and health information: nationally, the Privacy Act 1988 and the National Privacy Principles 2014
- Australian Privacy Principles and National Privacy Principles – Comparison Guide
- In New South Wales – Health Records and Information Privacy Act NSW 2002