Safeguarding Patient Information
Policy
We respect the highly sensitive nature of our patients' health information. We expect all staff to meet their obligations to collect, hold, use, and dispose of health information under:
We are guided by the Code's key concepts of purpose and openness, in being clear about why we are collecting information, and how it will be used. All new staff receive training about confidentiality, the Privacy Act 2020 and their corresponding obligations at the practice during their induction.
Refer to Privacy Commissioner | Te Mana Mātāpono Matatapu: Privacy Act 2020 and the Privacy Principles for information on all 13 principles.
Collecting patient information
Practice staff follow the rules in the Code when collecting patient information. Rules 1 – 4 in particular apply:
1. We only collect information for a specific purpose, when needed:
   - to care for and treat the patient
   - to carry out our function as a health provider
   - to fulfil a legal requirement.
2. We collect information directly from the patient unless they have consented to it being collected from somewhere else.
3. We tell the patient:
   - why we are collecting the information
   - who will have access to it
   - who will hold the information.
4. We collect information:
Refer to Privacy Commissioner | Te Mana Mātāpono Matatapu: HIPC Factsheet 2 - Collection of Health Information
Using patient information
Our practice staff use patient information appropriately:
- We access patient records only when we need them to provide healthcare services.
- We handle all patient information with care. Patient information of any kind should be handled securely. For example:
  - Make sure information isn't visible on whiteboards and computer screens.
  - Take care to keep hard-copy information, such as printouts or paper records, out of sight of the public, e.g. place them in a folder or drawer.
  - Ensure that information isn't visible or insecure during handling, while in transit, or while awaiting destruction.
- Patient information is used only for the purpose it was collected for, unless the patient has consented to another use.
- We treat patient information with respect and confidentiality.
- We check our processes to avoid privacy breaches when sending or handling patient information. To help prevent mistakes:
  - Double check new patient contact details before sending anything.
  - When sending emails:
    - make sure that the "To" field only contains the intended recipient
    - use "BCC" to email a group so that your list isn't visible to everyone
    - consider encrypting sensitive information – ask IT support for help if needed
  - Store and record patient information carefully:
    - Ensure information isn't visible on whiteboards, computer screens, printouts, or paper records.
    - Information shouldn't be visible while in transit or during handling.
    - External storage devices/USBs should be stored safely, and ideally encrypted.
    - Information awaiting destruction should be secure.
Refer to Privacy Commissioner | Te Mana Mātāpono Matatapu: Using and Disclosing Personal Information
Storage, security, and disposing of patient information
We use Medtech to electronically store and manage all patient health information. Practice staff access the system with their unique login and password.
Patient records are stored and disposed of in accordance with legislation:
- Records are updated regularly, and patient-related documentation is uploaded or scanned into the patient's clinical record promptly.
- Information is kept secure, and backed up.
- Records are retained for a minimum of 10 years after the last contact with the patient, in accordance with the Health (Retention of Health Information) Regulations 1996. The 10-year retention period applies unless records are transferred to another doctor or to the patient.
- Outdated information and records are disposed of confidentially. Any hard-copy records are locked away securely when not in use. Patient records must be destroyed in a way that preserves the patient's privacy. Burning or shredding records is acceptable. You can also contract a document destruction company to securely destroy the records.
Source – Medical Council of New Zealand: Managing Patient Records
See also: Waste Management
Refer to Privacy Commissioner | Te Mana Mātāpono Matatapu: HIPC Factsheet 5 - Storage, Security, Retention and Disposal of Health Information