Policies under HISO 10029
AS Van Wey (Account suspended) made this Official Information request to Health New Zealand
The request was partially successful.
From: AS Van Wey (Account suspended)
Dear Health New Zealand,
Request 1:
I request the current Health Information Standards Organisation (HISO) 10029 Health Information Security Framework, if it is not HISO:10029(2015) which is readily available online.
HISO 10029 (2015) requires policies on communication, including policies on "how personal health information exchanged over a network is protected from interception, incorrect routing and/or loss" (section 8.2). Former versions used to include protection from inter- and intra-agency interception in accordance with the Crimes Act 1961.
This standard also requires policies on investigation of security incidents (section 12).
In 20121, the Ministry of Health recommended "Moving from analogue faxes to secure digital communications" because "[a]nalogue faxes use communication protocols which are easier to intercept than digital communication protocols."
https://www.health.govt.nz/our-work/digi...
Request 2:
Digital Communication protocols.
Request 3:
I request the Health NZ Policies on communications which comply with HISO 10029(2015), or the equivalent if updated, sections 8 and 12 and the Crimes Act 1961.
For clarity, under section 216A-B of the Crimes Act 1961, it is unlawful for an individual to intercept personal communications without the consent of the sender or the intended recipient. In the health sector, the sender would be a patient and the intended recipient would be a specific department or individual (e.g., named physician). Alternatively, the sender would be a physician, or employee who has restricted access to medical information (e.g., clinical records team, nurse, or scheduler in accordance with HISO 10064) and the intended recipient would be the patient or their legal guardian.
Request 4:
I request the policy, which allows the agency (e.g. DHB or now referred to as Te Whatu Ora Health NZ) to intercept private, protected, confidential communications without the consent of the sender (e.g., patient) or the intended recipient (e.g., physician or other specified individual or department).
Request 5:
Policies regarding provision of audit logs and what must be included in such audit logs (such as name of the individual and the purpose of the access), in accordance with HISO 10064 and the Health Information Privacy Code, when requested by the patient.
Request 6:
Access to medical information without the consent of the patient (or their legal representative) by individuals not directly engaged in their care. What access is permitted for employees who are not physicians or nurses directly involved in the care and treatment of a patient? For instance, are people in Clinical Records, or other secondary purpose departments, permitted to read through the patient's health information? Especially to the extent that they memorize the names of the patient's spouse or children who have different surnames (emergency contacts), or become authorities on the patient's health information or behavior?
Request 7:
The policy which permits health agency employees to access personal health information to verify the individual is a NZ resident or citizen in order to respond to an OIA request.
Thanks
AS Van Wey
From: Info MOH
Health New Zealand
This is an auto-reply to acknowledge the receipt of your email.
Our standard hours are 7am-5pm Monday to Friday.
Need medical help? Call Healthline 0800 611 116 (or in an emergency dial
111)
Need to talk? Call or text 1737
To find more about the Ministry, please visit our website:
www.health.govt.nz
If you have any health related concerns about COVID-19 or have symptoms of
COVID-19, please ring Healthline on 0800 358 5453
For information and the latest updates about COVID-19 please visit:
https://covid19.govt.nz/
From: hnzOIA
Health New Zealand
Tēnā koe,
Thank you for contacting Te Whatu Ora, Health NZ. This is an automatic
reply to confirm that we have received your email. Depending on the
nature of your request you may not receive a response for up to 20 working
days. We will try to respond to your query as quickly as possible.
In cases where Health NZ's response provides information that is
identified to be of general public interest, the response may also be
published on Health NZ's website. If Health NZ publishes the response to
your OIA request, all personal information, including your name and
contact details will be removed.
Ngā mihi
Te Whatu Ora, Health NZ.
From: hnzOIA
Health New Zealand
Kia ora AS Van Wey
Please find attached a partial response to your request for official
information. We will provide the remaining information in due course.
Nga mihi
Te Whatu Ora
From: hnzOIA
Health New Zealand
Tēnā koe AS Van Wey
On 11 November 2022 we provided you with an initial response to your
request for information, the following aspects are still to be responded
to:
The Health NZ Policies on communications which comply with HISO
10029(2015), or the equivalent if updated, sections 8 and 12 and the
Crimes Act 1961.
For clarity, under section 216A-B of the Crimes Act 1961, it is unlawful
for an individual to intercept personal communications without the consent
of the sender or the intended recipient. In the health sector, the sender
would be a patient and the intended recipient would be a specific
department or individual (e.g., named physician). Alternatively, the
sender would be a physician, or employee who has restricted access to
medical information (e.g., clinical records team, nurse, or scheduler in
accordance with HISO 10064) and the intended recipient would be the
patient or their legal guardian.
the policy, which allows the agency (e.g. DHB or now referred to as Te
Whatu Ora Health NZ) to intercept private, protected, confidential
communications without the consent of the sender (e.g., patient) or the
intended recipient (e.g., physician or other specified individual or
department).
Policies regarding provision of audit logs and what must be included in
such audit logs (such as name of the individual and the purpose of the
access), in accordance with HISO 10064 and the Health Information Privacy
Code, when requested by the patient.
Access to medical information without the consent of the patient (or their
legal representative) by individuals not directly engaged in their care.
What access is permitted for employees who are not physicians or nurses
directly involved in the care and treatment of a patient? For instance,
are people in Clinical Records, or other secondary purpose departments,
permitted to read through the patient's health information? Especially to
the extent that they memorize the names of the patient's spouse or
children who have different surnames (emergency contacts), or become
authorities on the patient's health information or behavior?
The policy which permits health agency employees to access personal health
information to verify the individual is a NZ resident or citizen in order
to respond to an OIA request."
This email is to advise you that Te Whatu Ora requires more time to
respond to the last aspect of your request. In accordance with section
15(1) and 15A of the Official Information Act, Te Whatu Ora’s decision
will be with you no later than 24 November 2022.
The reason for the extension is that consultations necessary to make a
decision on the request are such that a proper response to the request
cannot reasonably be made within the original time limit.
You have the right to seek an investigation and review by the Ombudsman of
this decision. Information about how to make a complaint is available at
www.ombudsman.parliament.nz or 0800 802 602.
If you wish to discuss any aspect of your request with us, including this
decision, please feel free to contact [email address]
We will respond to you sooner if able to.
Ministerial Services
Te Whatu Ora – Health New Zealand
From: hnzOIA
Health New Zealand
Kia ora AS Van Wey
Please find attached the response to your request for information.
Nga mihi
Te Whatu Ora
From: AS Van Wey (Account suspended)
Dear HNZ OIA,
Thank you for your response and the policies; however the policies attached are not those required under section 8 of HISO 10029(2015). Would you please include these policies, which are about the protection against unauthorized access of information, including email correspondence. For instance, this section would pertain to the data breach that occurred at Waikato DHB. Waikato DHB and all DHBs were to have policies to ensure that all information was held securely.
Thanks.
Yours sincerely,
AS Van Wey
From: hnzOIA
Health New Zealand
Thank you for contacting Te Whatu Ora, Health NZ. This is an automatic
reply to confirm that we have received your email. This inbox will be
unattended until 4 January.
As a note, the OIA does not recognize the period from Christmas Day
through to 15 January 2023 (inclusive) as working days in calculating the
timeframes for responding to a request. As your request has been received
in this period, 20 working days from this date with the holiday period
will be in mid-February. Regardless, we will try to respond to your
request as soon as reasonably practicable.
From: hnzOIA
Health New Zealand
Tēnā koe,
Thank you for contacting Te Whatu Ora, Health NZ. This is an automatic
reply to confirm that we have received your email. Depending on the
nature of your request you may not receive a response for up to 20 working
days. We will try to respond to your query as quickly as possible.
s information that is identified to be of general public interest, the
response may also be published on our website. If we e response to your
OIA request, all personal information, including your name and contact
details will be removed.
Ngā mihi
Te Whatu Ora, Health NZ.
From: hnzOIA
Health New Zealand
Kia ora AS Van Wey,
Please see attached the response to your OIA request.
Ngā mihi
Ministerial Services
Government Partnership and Risk
Te Whatu Ora – Health New Zealand
TeWhatuOra.govt.nz