Privacy and Confidentiality: Kathryn Dalziel

I’m going to talk about …
A legal framework:
- Confidentiality
- Privacy
- Privacy Breach
- Policy & Procedures
- Trust and Confidence

Issues… You tell me!

Confidentiality
‘Whatever, in connection with my professional practice or not in connection with it, I see or hear in the life of men, which ought not to be spoken of abroad, I will not divulge, as reckoning that all such should be kept secret.’ (Hippocratic Oath)
Inroads:
- reporting requirements of funders
- the increasing size of medical practices
- patients’ rights of support
- sharing of health information between health care professionals
- ease of access to health records on electronic databases
- insurers’ insistence on full access to patient records

Privacy v Confidentiality
Privacy:
- principles to guide the amount of control which an individual can exercise over his or her personal data
- collection, storage, use and disclosure of personal information, and the right of access and correction
Confidentiality:
- akin to secrecy
- fundamental to the trust relationship; promotes full disclosure
- the ability to disclose information received in confidence is limited to cases of authorisation or public interest

Privacy Act v Health Information Privacy Code
Privacy Act:
- data protection
- 12 privacy principles: collection, storage, use and disclosure of personal information, and the right of access and correction
Health Information Privacy Code:
- health information & health agencies
- 12 rules: collection, storage, use and disclosure of personal information, and the right of access and correction

Health Information Privacy Rules…
1. Only collect health information if you really need it.
2. Get it straight from the people concerned.
3. Tell them what you’re going to do with it.
4. Be considerate when you’re getting it.
5. Take care of it once you’ve got it.
6. People can see their health information if they want to.

Health Information Privacy Rules… (continued)
7. They can correct it if it’s wrong.
8. Make sure health information is correct before you use it.
9. Get rid of it when you’re done with it.
10. Use it for the purpose you got it.
11. Only disclose it if you have a good reason.
12. Only assign unique identifiers where permitted.

Collection (Rules 1–4)
- Purposes: lawful and necessary
- From the person concerned: unless an exception applies
- Transparency: fact of collection, purposes, who sees the information, where it is held, compulsory/optional questions, right to access and request correction
- Lawful and fair collection

Storage & Security (Rule 5)
An agency that holds personal/health information must take reasonable security safeguards to protect against:
- loss
- unauthorised access, use, modification, disclosure
- other misuse

Access (Rule 6)
If information is readily retrievable, people have a right to:
- confirmation of whether the agency holds* information about them; AND
- access to the information.
* “holds” includes information received from other agencies

Correction (Rule 7)
Individuals have a right to request correction, or to have a statement of correction added.
The agency must either:
- make the change, or
- attach the statement
and inform the individual and any recipients of the information.

Accuracy (Rule 8)
Before using personal or health information, an agency must take reasonable steps* to ensure it is:
- accurate
- up to date
- complete
- relevant
- not misleading
* what is reasonable will depend on the proposed use

Retention (Rule 9)
Personal/health information must not be retained for longer than is required for the purposes for which it may lawfully be used.
Note: Health (Retention of Health Information) Regulations 1996
- health information is to be retained for at least 10 years from the last date of treatment or care
- does not prevent agencies from transferring information to the individual, or to a personal representative where the individual is deceased

Limits on Use (Rule 10)
Personal/health information obtained for one purpose must not be used for another purpose unless the agency believes, on reasonable grounds, that:
- the other use is authorised by the individual or their representative; or
- the other purpose is directly related to the purpose for which the information was collected initially
* many exceptions mirror principle/rule 11

Legal Framework
- Statute
- Common law/equity
- Contract/agreements/policies & procedures
- Personal decision making

Health Information: s22F Health Act
On request, must disclose to:
- Individual: treat as a Rule 6 request; Privacy Act withholding grounds apply (see Rule 6)
- Representative: may refuse in some circumstances, i.e. the individual does not want the information disclosed, or disclosure is contrary to the individual’s interests
- Health Provider: may refuse where the individual does not want the information disclosed
May also refuse for a lawful excuse, which does not include non-payment, prejudice to commercial position, or disclosure not allowed by the Privacy Act.

Health Information: Who is a representative?
- where the individual is dead: the personal representative
- where the individual is under the age of 16 years: a parent or guardian
- where the individual is not in the above categories and is unable to give consent or authority or exercise his/her rights: a person appearing to be lawfully acting on the individual’s behalf or in his/her interests
Parents/guardians DO NOT have an automatic right of access to children’s information; consider requests under section 22F or the OIA.
People can appoint agents, e.g. a lawyer, friend or parent: written authority, properly authorised.

Disclosure of Health Information (Rule 11)
A health agency must not disclose health information unless it believes, on reasonable grounds, that the disclosure is:
- to the individual/representative
- authorised by the individual/representative
- of publicly available information
- general information (presence, location, condition, progress of a patient), not contrary to an express request
- of the fact of death, by a registered health professional or an authorised person, to specified people
- advice to the principal caregiver of an individual’s release under the Mental Health (Compulsory Assessment and Treatment) Act

Disclosure of Health Information (Rule 11, continued)
When it is not desirable or practicable to obtain the individual’s authorisation, a health agency may disclose where the disclosure is:
- for a directly related purpose
- by a registered health professional to specified people (not contrary to an express request)
- statistical (no id)
- to prevent or lessen a serious and imminent threat to public or individual health and/or safety
- necessary to facilitate the sale of a business
- of a brief description of the nature of injuries in an accident, and the individual’s id, by an authorised person in hospital to the media (not contrary to an express request)
- to id individuals for health education related to accreditation, quality assurance or risk management (no id)
- to avoid prejudice to the law / drug dependency
- authorised by the Privacy Commissioner (PC)

Unique Identifiers (Rule 12)
What is it? A code or number that is assigned to a person by an agency which uniquely identifies the person in relation to the agency.
An agency may only assign one if:
- it is necessary to carry out its functions
- the person’s identity is clearly established
* Must not use an identifier assigned by another agency.
* The NHI number is an exception – see HIPC.

“But most people had probably sent an email or text message in error”
Prime Minister John Key says the big privacy breach at EQC was "distressing" but most people had probably sent an email or text message in error. "We do live in a world where these things are possible."
The Christchurch Press, March 2013

Staff interest in health information
- CDHB staff interest in the health records of the New Zealand cricket player Jesse Ryder.
- ADHB staff interest in the health records of a man with an eel …

Setting the Standard: Independent Review of ACC’s Privacy and Security of Information
- Clear policies creating a positive mindset as part of building customer trust & establishing a “firm but also seen as fair” image in public minds
- Coherent strategy & process to mitigate privacy risks
- Monitor performance for compliance
- Ensure adequate resources & capacity to respond to incidents

Setting the Standard: Independent Review of ACC’s Privacy and Security of Information (continued)
- Importance of privacy and protection of personal data at Board governance level
- Privacy vision, strategy and programme
- Role of privacy officer and use of privacy champions
- Education and training
- Culture
- Reporting
- Audit, review and evaluation
Retrospective or prospective?

Data Breach
See OPC voluntary guidelines: notes/privacy-breach-guidelines-2/
- Breach containment and preliminary assessment;
- Evaluation of the risks associated with the breach;
- Notification; and
- Prevention

Be like me: