Last Updated: September 11, 2020

Policy brief & purpose 


We aim to ensure absolute confidentiality and safety of all personal health information collected regarding our patients.




This policy primarily addresses the management of “personal health information” in the practice.


Policy elements 


This practice policy covers the following areas:


  • Privacy
  • Third party access
  • Access by a new therapist or other practitioner
  • Patient access
  • Security
  • Staff training
  • Informing new patients


Personal health information is defined as information which concerns a patient’s health, medical history or past or present health care; and which is in a form that enables or could enable the patient to be identified. 


This policy is based on the 2001 RACGP/CPMC Best Practice for the Management of Health Information in Medical Practice. The handbook is consistent with the national Principles for the Fair Handling of Personal Information in the Federal Privacy Act 1988.


While the policy focuses on the management of the patient’s medical record, it also relates to information recorded, for example, in billing and accounting records, pathology and radiology results, medical certificates and letters to and from hospitals and other doctors.


Retention and culling of clinical and administration records


All hard copies of information are stored safely and securely on the premises and kept for a minimum of 7 years after final attendance at the practice. In the case of a child, files are stored for 7 years after the final attendance after the child has turned 18 (25 years of age).


Our practice software stores some administrative and clinical records. All electronic records are kept indefinitely and are made inactive at the discretion of the practice manager and treating practitioner or practice partner in the event the treating practitioner is unable to advise.


If necessary, inactive electronic records are made active again using our computer software.


No record will be destroyed at any time without the permission of the treating practitioner or of a practice partner if the treating practitioner is no longer involved in the practice.


In the event of a practitioner being deceased or transferring out of the practice, the practice will post a notice in the practice waiting room or on the practice website informing patients OR a departing practitioner may choose to individually inform each patient, asking the patient to nominate a practitioner to whom the record should be transferred.


If the practice closes, patients will be contacted individually or, if this is not practical, a public notice will be placed in the local newspaper indicating the way in which patients should arrange for the transfer of their record to another therapist.


When hard files are due to be destroyed they are shredded as directed by the Practice Manager.


1.  Privacy


All practitioners and staff will take steps to ensure that patients can discuss issues relating to their treatment and that the practitioners and other staff can record relevant personal health information, in a private setting where unauthorised people cannot access the information.


For example:


·       Practitioners will ensure that consultations are conducted in a manner that prevents conversations from being overheard. 


·       Staff will not enter a consultation area without communicating with the practitioner.   


·       Staff, other practitioners and students should not be present during the consultation without the prior permission of the patient.


·       There is auditory privacy in the waiting areas. The receptionists speak softly without mentioning a patient’s full name, health conditions or problems.


·       Consultation areas have a modesty curtain to ensure patient privacy.



2.  Access to personal health information by practice staff and for research and Quality Assurance.


Patients are informed of who in the practice has access to their records. This information is given on the Privacy and consent to services form.


Patients will be informed and consent gained if the practitioner undertakes research and quality improvement activities in which patient information is to be used.


When research projects are conducted in the practice under the approval of an institutional ethics committee, staff must be aware of the requirements to obtain consent specified in the research protocol and ensure that consent is properly obtained.


Where possible, all identifying information will be removed from personal health information being used for research and QA activities. Where this is not possible, internal staff accessing personal health information are aware that they are under an obligation of confidentiality not to disclose the information. Breaches of that obligation may result in dismissal. The responsible practitioner will ensure that any external researchers are also under an explicit written obligation of confidentiality with appropriate penalties for disclosure.


Other disclosure


Practitioners and staff will ensure that personal health information is disclosed to third parties only where consent of the patient has been obtained. Exceptions to this rule occur when the disclosure is necessary to manage a serious and imminent threat to the patient’s health or welfare, or is required by law.


Practitioners will explain the nature of any information to be provided to others about the patient, for example, in letters to referrers, other practitioners and hospitals. If appropriate, the letter may be shown to the patient. In terms of a letter, patient consent is implicit in their agreement to be referred by their referrer or their agreement to take the letter to a hospital or other practitioner.


Practitioners and staff will only disclose to third parties that information which is required to fulfil the needs of the recipient.


Information disclosed to Medicare or other health insurers will be limited to the minimum required to obtain insurance rebates. Information supplied in response to a court order will be limited to the matter under consideration by the court.


Information classified by a practitioner or patient as restricted will not be disclosed without the explicit consent of the patient and/or practitioner.


3.  Access to the record by a new treating practitioner


Access to accurate and up-to-date information about the patient by a new treating practitioner is integral to the practitioner providing high quality health care. If a patient transfers away from the practice to another practitioner, and the patient requests that the health record is transferred, the existing practitioner will provide a copy of the record. This may incur a reasonable administration charge.


4.  Patient access to records


It is practice policy that all patients have access to the health information contained on their file. The treating practitioner will provide an up-to-date and accurate summary of their health information on request or whenever appropriate.


The treating practitioner will consider in a timely manner any written request made by a patient for access to the health record itself. In doing so he/she will need to consider the risk of any physical or mental harm resulting from the disclosure of health information.


If the practitioner is satisfied that the patient may safely see the record then he/she will either show the patient the record, or arrange for provision of a copy and explain the contents to the patient. A charge may be incurred by the patient for any copying.


5.  Security


Practitioners and staff will protect personal health information against unauthorised access while it is being stored and transmitted.


Staff will ensure that patients and other visitors to the practice will not have access to the health record and that records or any other papers containing personal health information are not left where they may be accessed by unauthorised persons.


Non-clinical staff will limit their access to personal health information to the minimum necessary for the performance of their duties.


Fax, e-mail and telephone messages will be treated with security equal to that applying to health records.


Computer screens will be positioned in a way which prevents unauthorised viewing of a patient’s personal information. Staff will ensure that computers left unattended cannot be accessed by unauthorised persons.


Practitioners and staff will ensure that personal health information held in the practice is secured against loss or alteration of data.


Patient records will not be taken away from the practice except when required by clinical staff for the care of a patient and kept securely during this time. The responsible clinician will ensure that the record is returned to the practice and filed securely.


Health records and other papers containing personal health information are either securely disposed of or filed promptly after each patient contact.


Staff will ensure that the computers are secured with a password and that the building is locked when leaving.

The data on the computer system will be backed up regularly. Computer systems are constantly updated with the latest virus and firewall protection.


6.  Staff training


On induction, all practice members are trained in the importance of confidentiality. All staff sign a confidentiality statement stating that breaching confidentiality is a dismissible offense.


The staff induction program will contain a specific segment on the management of personal health information.


7. Scope of this Policy 

This privacy policy applies only to health information collected through private consultations with me, and does not apply to personal information collected online. Please ask to see my Privacy Policy (Data) if you wish to know how your personal information is protected. 

Contacting Me

If there are any questions regarding this privacy policy you may contact me using the information below.