Is your medical practice’s privacy policy up to date?

Written by Sarah Chia and Mark Henderson

More than two years after privacy reforms were introduced, many medical practices do not have a privacy policy which complies with the Australian Privacy Principles (‘APPs’) and the Privacy Act 1988 (Cth) (‘Act’).

Do the APPs require medical practices to have a privacy policy?

In practice, all medical practices, pharmacies, allied health professionals, pathology labs and other businesses which provide services to the medical industry through collecting or disclosing patient information are regulated by the Act and must have a privacy policy that complies with the Act and the APPs.

The 13 APPs came into force on 12 March 2014. They regulate how personal information is dealt with by both Australian government agencies and the private sector, and cover the handling, holding, use, accessing and correction of personal information.

The APPs and the Act apply to any business that:

  • provides a ‘health service’ (regardless of turnover); and
  • holds any ‘health information’ (other than employee records).

Do most medical practices have a complying privacy policy?

In 2015, the Office of the Australian Information Commissioner (‘OAIC’) undertook a privacy assessment of 40 randomly selected GP clinics around Australia against the requirement to have a clear and up to date privacy policy.

The OAIC found that less than 10% of the selected clinics had a compliant privacy policy.

While 36 of the 40 clinics had a privacy policy, the OAIC found (amongst other examples of non-compliance) that:

  • only four policies included appropriate contact information to submit access or correction requests, or to make complaints;
  • only one policy appropriately advised patients how to request access to their personal information; and
  • the policies did not contain some of the content required by the APPs.

What is a complying privacy policy?

Your medical practice’s privacy policy must be clear and current. It should be provided to your patients free of charge and be readily available. It must explain how you manage personal information.

Your privacy policy must include:

  • the legal name and contact details of your practice;
  • the fact that your practice collects and holds health information;
  • why your practice collects and holds health information (including any law that requires health information to be collected or held);
  • the main consequences for your patient if your practice doesn’t collect important health information;
  • other organisations (such as other medical practitioners) to which your practice usually discloses health information;
  • how patients can access their health information and seek a correction of that information; and
  • how patients can make a privacy-related complaint about your practice and how your practice will deal with such a complaint.

Why should you take steps to comply?

Your patients are likely to consider their health information to be extremely personal and private. It will therefore give them comfort and confidence to know that their privacy and that information are properly protected.

It is important, not only for compliance but also to demonstrate patient care, for all medical practices to review their privacy policies to ensure that they comply with the Act and the APPs.

A Google search will lead you to examples or templates of privacy policies. Before adopting one of them, it is important to ensure that it is tailored to your practice and how you handle personal information, and that it complies with the Act and the APPs, having regard to your practice’s activities.

If you would like any assistance with putting in place a privacy policy for your practice, please contact Sarah Chia or Mark Henderson.