Privacy of Health Information
Type: Policy
HDSS Certification Standard 1.3
Issued by: Patient Safety Leadership Group
Version: 2.1
Applicable to: All HVDHB Employees
Contact person: Privacy Officer
Lead DHB: HVDHB
Level: 1. Organisation wide
Contents
Purpose:
Scope:
Principles:
Definitions:
Rule 1 – Purpose of collecting information
Rule 2 – Source of health information
Rule 3 – Collection from the individual
Rule 4 – Manner of collecting information
Rule 5 – Security of health information
  Availability of personal health information for clinical purposes
Rule 6 – Right of access to personal health information
  Reasons for refusing access
Rule 7 – Requests for correction
Rule 8 – Accuracy of information
Rule 9 – Retention of health information
Rule 10 – Use of health information
Rule 11 – Disclosure of health information
Rule 12 - Assignment of Unique Identifiers
Privacy - Best Practice Guidelines
  Office/Reception/Areas
  Clinical Records
  Identity of Patients
  Facsimiles (fax) and emails, texts
  Answer Phones
  General
References
Associated Documents
Associated Websites
Purpose:
This policy addresses the requirements of the Privacy Act 1993 and the Health Information Privacy
Code (1994). It provides guidance for Hutt Valley DHB (HVDHB) staff regarding the management of
health information including access and disclosure.
Document author: Privacy Officer
Authorised by Patient Safety Leadership Group
Issue date: March 2015
Review date: March 2018
Date first issued: March 2007
Document ID: PRIV.001
Page 1 of 9
CONTROLLED DOCUMENT – The electronic version is the most up to date version. The DHB accepts no
responsibility for the consequences that may arise from using out of date printed copies of this
document.
The policy applies to all health and disability services provided by HVDHB and recognises the
importance of family/whānau (persons of importance) and culture to the individual¹.
The Privacy Officer at HVDHB can be contacted for advice and training. To contact the Hutt Valley DHB
Privacy Officer, email [email address] or phone ext 9516.
Scope:
This policy applies to:
All volunteers and employed staff at HVDHB.
Visiting health professionals and students undertaking training or education within the
organisation.
Independent external contractors providing any service to HVDHB
Principles:
This policy covers personal information relating to any individual of HVDHB health or disability
services. This information is often sensitive and important to the individual concerned; however,
HVDHB recognises that ready access to accurate health information is essential for the provision of
appropriate clinical care and treatment.
Definitions:
Health Information
personal health information about an identifiable individual and includes:
Information about the health of an individual including his or her medical
history;
Information about any disabilities that individual has, or has had;
Information about any health or disability services that are being
provided or have been provided to that individual;
Information provided by that individual in connection with the donation
by that individual of any body part or any bodily substance or derived
from the testing or examination of any body part or bodily substance.
Privacy Officer
The role of the Privacy Officer includes:
Promoting privacy by encouraging compliance with the Code;
Providing advice in privacy matters;
Liaison as appropriate with the Office of the Privacy Commissioner,
Health and Disability Commission; or the Ombudsman;
Responding as appropriate to complaints from clients about possible
breaches of privacy;
Official Information Act (OIA) Requests
The Official Information Act (OIA) allows New Zealanders to have access to
information that enables their participation in government, and hold
governments and government agencies to account.
The OIA allows anyone who is in New Zealand to request any official information
held by government agencies including DHBs.
¹ “Individual” includes patient, consumer and tangata whaiora
Any request for information held by Hutt Valley DHB, regardless of whether it is
made verbally or in writing, is covered by the Official Information Act. The
requestor does not need to mention the Act in making the request.
OIA requests should be forwarded to the Executive Administrator, Chief
Executive’s office for processing.
Email: [email address]
Information Privacy Principles
At the core of the Privacy Act are 12 information privacy principles that set out how agencies may
collect, store, use and disclose personal information.
The Privacy Act uses the term "agency". An agency is any individual, organisation or business,
whether in the public sector or the private sector. There are a few exceptions such as MPs, courts,
and the news media. Generally, though, if a person or body holds personal information, they have to
comply with the privacy principles. See the Privacy Act, section 2, for the full definition of "agency".
"Personal information" is any information about an individual (a living natural person) as long as that
individual can be identified.
Rule 1 – Purpose of collecting information
Health information must only be collected for a lawful purpose connected with a function or activity
of the DHB.
Health information that is not needed to provide health or disability services to an individual
(for example, details of income or sexual orientation) should not be collected, unless this
information is necessary in order to provide care and treatment to that individual.
Rule 2 – Source of health information
Health information should be collected directly from the individual concerned, unless it can be clearly
shown that:
The individual has authorised collection from someone else;
Collecting information directly from the individual would prejudice the individual’s interests,
would prejudice the purpose of collection or would prejudice the safety of another person;
Collection of information directly from the individual would not be practicable in the
circumstances e.g. an unconscious patient.
Health professionals should always try to obtain information (in the first instance) from the individual
concerned and should verify with the patient, when possible, information collected from another
source or person.
Rule 3 – Collection from the individual
When information is being collected, staff must take all reasonable steps to ensure that:
The individual knows that the health information is being collected;
Why the information is being collected;
The intended recipients of that information;
Whether it is voluntary or mandatory by law to collect the health information;
The consequences of not providing the information requested; and
The individual’s right of access to, and correction of, health information.
Rule 4 – Manner of collecting information
The manner in which health information is collected must be fair, lawful and not unreasonably intrude
into the individual’s privacy, particularly when collecting information about the individual’s gender,
culture or ethnicity, or in the presence of others.
Rule 5 – Security of health information
Rule 5 requires HVDHB to take reasonable security safeguards with health information against the
following:
Loss of health information;
Access, use, modification, or disclosure of health information, except with authorisation from
HVDHB; and
Other misuse.
Safeguarding and securing health information belonging to an individual is the responsibility of all
HVDHB personnel who handle the individual’s health information.
Physical, operational and technical arrangements for the security of the information will be
appropriate to the particular service in which the information is being held or used and the purpose
for which the information has been collected.
Availability of personal health information for clinical purposes
Any person who has custody of a medical record or other item of health information is responsible for
ensuring that:
They know the policies relating to the tracking, storage and security of information and abide
by them; and
The information is readily accessible and can be transferred to any service of HVDHB within a
reasonable period of time when the information is required for the provision of health and
disability services to the individual to whom the information belongs.
Rule 6 – Right of access to personal health information
Everyone has a right of access to their own health information. A request for personal health
information by that person is treated as a request under Rule 6 of the Code. There is no need for
the individual to explain or disclose why they are requiring the information. Requests made by persons
wishing to access health information about someone other than themselves are known as third party
requests and are actioned under the Official Information Act 1982.
See the Release of Clinical Record Information Policy.
Reasons for refusing access
Information may only be withheld if it falls within one of the exceptions in the Code. Some of the
common exceptions include:
Release of the information would be likely to prejudice the maintenance of the law;
Release of the information would be likely to endanger the safety of an individual;
Release would involve the unwarranted disclosure of the affairs of another individual or a
deceased individual;
Release would be likely to prejudice the physical or mental health of the requestor.
For an overview of the steps to be taken in providing access to patient information refer to Hutt Valley
DHB’s Release of Patient Information Policy.
Rule 7 – Requests for correction
People have the right to ask for their information to be corrected.
If the Hutt Valley DHB is not willing to make a correction, it must, if requested, take reasonable steps
to attach a statement of the correction sought, but not made. The statement must be attached so
that it will always be read with the disputed information.
When a patient disagrees with a diagnosis and wants it removed from the file, careful consideration
must be given before any decision is made to alter the original record. Removing the disputed
diagnosis could render the notes incomplete. If it is acknowledged that a diagnosis is wrong this
should be recorded alongside the original entry. Clinical information, clinicians’ opinions and other
information that was considered factual at the time it was obtained will not be corrected or removed
from any records held by HVDHB.
The Hutt Valley DHB is required to provide reasonable assistance to any individual wishing to record
a statement of correction. Where a correction has been made, or a statement of correction added to
an individual’s record, the DHB must, if reasonably practicable, inform each person or body or agency
to whom the health information has been disclosed e.g. the patient’s GP, or treating clinician if care
has been provided by another healthcare provider.
Rule 8 – Accuracy of information
Before using health information, personnel must take reasonable steps to ensure that the health
information is:
Correct
Up to date
Complete
Relevant
Not misleading.
This is especially important if the information has been collected from a third party and not directly
from the individual.
Rule 9 – Retention of health information
Health information must not be kept longer than is required for the purpose for which it may be
lawfully used. The Regulations allow information to be transferred from one provider to another
during this time. Destruction of personal health information should comply with the Health (Retention
of Health Information) Regulations 1996 and any other relevant policies.
For more information refer to the 3DHB Retention and Disposal Policy.
Rule 10 – Use of health information
Health information obtained or collected must only be used for the purpose for which it was collected.
The individual should be told of this purpose(s). Uses which are “directly related” to the purpose for
which the information was collected will include administrative purposes.
Some exceptions to Rule 10 include using information for another purpose if it is necessary to prevent
or lessen a serious threat to public health or public safety or health of an individual.
Rule 11 – Disclosure of health information
In general terms, health information must not be disclosed unless authorised by the individual or is
allowed or permitted by law. A request for access to personal information about someone other than
the requestor is known as a third party request.
There are a number of situations when details may have to be disclosed such as when legislation states
there must be limited disclosure for specific or law enforcement purposes. If another law enables
health information to be disclosed this will not breach the Privacy Act or the Code provided that
HVDHB exercises any discretion given reasonably.
The information sharing requirements of some other Acts override the Privacy Act – for example the
Mental Health (Compulsory Assessment and Treatment) Act 1992; the Health Act 1956; Official
Information Act 1982 and the Children, Young Persons, and Their Families (Oranga Tamariki)
Legislation Act 2017 set out specific circumstances where information may, or must, be disclosed even
without authorisation of the individual.
Where release of personal information is permitted under Rule 11 of the HIPC (or sections 27-29 of
the Privacy Act) the disclosure must be made only to the extent necessary to meet the purpose of the
request.
This Rule is also dealt with in its entirety in the Hutt Valley DHB Release of Patient Information Policy.
Please refer to that policy when dealing with disclosure of information.
Rule 12 - Assignment of Unique Identifiers
Some agencies give people a “unique identifier” instead of using their name. Examples are a driver’s
licence number, a student ID number, or an IRD number.
A health agency cannot use the unique identifier given to a person by another agency. People are not
required to disclose their unique identifier unless this is one of the purposes for which the unique
identifier was set up (or directly related to those purposes).
The unique identifier used by the Hutt Valley DHB is the National Health Index (NHI) number.
Privacy - Best Practice Guidelines
Office/Reception/Areas
Any patient information e.g. operation, clinic lists, clinical records should not be kept/left in
places easily accessible or viewable by the public or staff not directly involved in a patient’s
care.
Patients should not be asked to verify personal details in reception/waiting areas where they
can be overheard by others.
Outgoing mail awaiting collection should not be left where it is easily accessible to the
public.
All computers should be placed so that PC screens cannot be read except by staff entitled to
the information. Screens should be locked when not in use and password protected.
Any correspondence, old labels or other documentation containing patient information
authorised to be discarded must be disposed of in the secure shredding bins.
Offices and filing cabinets should be locked when unattended.
Names and details of patients should not be discussed in lifts or any other public areas.
Clinical Records
All clinical records being transported by hospital staff internally or off-site, including the mail
system must be covered and secured at all times.
Trolleys containing clinical records should not be left in areas accessible to the public or
other patients.
Only those staff members involved in the care and treatment of a patient may have access
to that person's clinical records.
Identity of Patients
Wherever possible, patients should be asked on admission to the ward areas if their name can
be displayed on room doors, above beds and on name boards.
Ideally name boards in wards/units should not be able to be viewed by any members of the
public.
Name boards should only show patient name, room allocation and who is responsible for their
care.
Patients can request that no details be released in relation to their condition.
Unless specific consent is given, only the general condition of a patient, (e.g. satisfactory) can
be released.
If at all possible, patients should not be asked to verify personal details in waiting rooms/ward
areas where they can be overheard.
When requesting information from a patient, all care should be taken to ensure that this is
achieved in a manner that respects the individual’s privacy.
A patient’s consent must be obtained if a photograph is to be taken of them and such consent
must be in writing if the photograph is to be used for educational or research purposes.
(Please refer to the Hutt Valley DHB Informed Consent Policy and Clinical Photography policy.)
Facsimiles (fax) and emails, texts
Staff have a duty to protect personal information and are trusted to do so. Whilst communicating or
distributing personal information in health care is “business as usual”, staff need to be sure that the
information is sent to the intended recipient and that any risks are identified.
When a fax, email or text (see email usage policy for further information) is necessary, staff should:
Check the number/email address of the recipient.
Check the number/email address before sending e.g. ensure that “autofill” has not added
the incorrect email recipient and limit the use of “reply all”.
Encrypt or password protect the information attached in an email. Limit the information to
only that which is necessary e.g. take care with excel spreadsheets as they may contain more
information than is required.
Where practicable, telephone prior to sending so the recipient is aware it is being sent and
of the relevant password.
Fax machines should be placed in rooms that can be secured after hours and placed in areas
where the public are unable to access information coming through.
All faxes/emails sent should have a disclaimer attached, which contains one of the following:
“Caution: The information contained in this facsimile is confidential. If the reader is not the intended
recipient, you are hereby notified that any use, dissemination, distribution or reproduction of this
message is prohibited. If you have received this message in error, please notify us immediately.”
“This email and attachments have been scanned for content and viruses and is believed to be clean.
This email or attachments may contain confidential or legally privileged information intended for the
sole use of the addressee(s). Any use, redistribution, disclosure, or reproduction of this message,
except as intended, is prohibited. If you receive this email in error, please notify the sender and
remove all copies of the message, including any attachments. Any views or opinions expressed in this
email (unless otherwise stated) may not represent those of Hutt Valley DHB.”
Answer Phones
Leaving messages about or for patients on their answer phones should be avoided.
When urgent contact is to be made the only message that is acceptable is to leave a
telephone number and name for the person to phone back.
Under no circumstances should the name of the organisation or the clinical area be left, or
reference to any health care treatment be made.
General
Patient details should be checked with the individual concerned to confirm accuracy and
that the details are up to date each time the person presents.
Information obtained from third parties should be verified with the patient as soon as
possible, where practicable.
Patients should not be stopped in lifts, corridors or public places and their care discussed.
Wherever practicable an explanation should be given before information is collected as to its
intended use and to whom it may be disclosed.
Information for patients and members of the public should outline the reasons for collecting
the information and the purposes for which it will be used.
References
Canterbury DHB Privacy policy
Capital & Coast DHB Privacy Policy
Associated Documents
Hutt Valley DHB Release of Health Information Policy
Hutt Valley DHB Informed Consent Policy
3DHB Retention and Disposal Policy & Procedure
Numerous pieces of legislation have an impact on the way in which HVDHB manages personal
information it receives and generates including:
Privacy Act 1993
Health Information Privacy Code 1994
Health and Disability Commissioner Act 1994
Code of Health and Disability Services Consumers’ Rights (1996)
Mental Health (Compulsory Assessment and Treatment) Act 1992
Intellectual Disability (Compulsory Care and Rehabilitation) Act 2003
Health Act 1956, regulations and amendments
Children, Young Persons, and Their Families (Oranga Tamariki) Legislation Act 2017
Official Information Act 1982
Land Transport Act 1998
Misuse of Drugs Act 1975
Medicines Act 1981
Criminal Disclosures Act 2008
Associated Websites
Privacy Commissioner www.privacy.org.nz
Nursing Council www.nursingcouncil.org.nz
Medical Council www.mcnz.org.nz
Health and Disability Commissioner www.hdc.org.nz
Health Quality & Safety Commission www.hqsc.govt.nz
Standards NZ www.standards.co.nz
Ministry of Health www.moh.govt.nz
Mental Health Commission www.mhc.govt.nz