Bits & Bytes
Open for comment: DoH survey on PCEHR

The Department of Health is running an online survey until September 1 to help gauge opinion on the implementation of the recommendations of the PCEHR review, as part of a month-long consultation process. The consultations, being managed on the department’s behalf by Deloitte, also included a special session at the Health Informatics Conference (HIC) in Melbourne in August.

The PCEHR review survey is broken into three groups: healthcare practitioners, consumers and software vendors. For practitioners, it asks whether they actively access any of their patients’ records, and if not, why not. On the latter, practitioners are given the option of stating that the PCEHR is not useful to care delivery, that it takes too much time to access, or of stating any liability concerns. It asks if the information contained is useful, and what changes practitioners would like to see in the system in order to start using it in a meaningful way. It also asks what clinical measurements need to be included and what support practitioners need in terms of training to use the system in day-to-day work.

One of the most important recommendations of the Royle review was that the system become opt-out. The survey asks providers their view on the key issues and risks of moving to an opt-out approach, including whether they will remain reluctant to access it because it takes too much time or is not clinically relevant. They are also asked what they would do if a patient demanded that a shared health summary be uploaded, including an option to refuse the patient’s request.
Get out the shredder: medical records found in a garden shed

A Melbourne medical centre has been found to have committed a breach of the Privacy Act when it failed to properly secure or dispose of old medical records that were discovered in a garden shed after a break-in.

Pound Road Medical Centre (PRMC) had operated a medical centre at a site in Narre Warren South for a number of years before moving to a new location, but unintentionally left behind medical records for 960 patients along with other sensitive documents such as batched Medicare vouchers and invoices for payments made. The majority of the records related to individuals who ceased to be active patients of the practice principal prior to 2004. In that year, the practice installed Medical Director and began to scan in paper records and other paper correspondence. Scanned files were kept in a locked room.

When PRMC moved to new premises in 2012, it transferred some of the old records from the locked room to the garden shed at the back of the site so renovations could occur. PRMC said it did not recognise at the time that the moved documents included some health records. The old files were discovered in the garden shed after a break-in in November last year.

Privacy Commissioner Timothy Pilgrim said physical security of hard copy documents was just as important as digital security. “There is no point in converting paper records to a secure digital system, and then leaving the paper files unsecured,” Mr Pilgrim said. “If paper records are no longer needed, they should be disposed of securely.”

It is a requirement under the Privacy Act that organisations securely destroy or de-identify personal information that is no longer required. “Get out the shredder or hire a secure document destruction service,” Mr Pilgrim said. “If you don’t, you’re putting your clients at risk of identity theft or fraud, and your company at risk of enforcement action.”

Mr Pilgrim noted the seriousness of the breach in that the records contained full names, addresses, dates of birth and Medicare numbers as well as diagnoses and hospital discharge summaries. While the practice did not believe any patient records were being stored, it did know that other sensitive information such as invoices and payments to other healthcare providers was kept in the shed. Even if there were no health records, the practice’s obligation to securely destroy or de-identify personal information that was no longer required would still have applied.

“The Privacy Act requires organisations to take reasonable steps to protect the personal information of their customers,” Mr Pilgrim said. “I can’t think of any circumstances in which it would be reasonable to store health records, or any sensitive information, in an insecure temporary structure such as a garden shed.”

With mandatory data breach legislation likely to be debated this year – it was delayed last year – fines could have been applied as the practice did not notify any of the patients that their data may have been breached.
Pulse+IT Magazine - Australasia's first and only eHealth and Health IT magazine.