Using email in general practice – guiding principles
General practices should take reasonable steps to safeguard patient information when sending information to patients, health organisations or third parties by email, as with any other type of communication. General practices should inform patients who request that information be sent by email that there may be a risk (as with any other document) that it could be read by someone other than the intended recipient.
Recherche Medical Centre is increasingly receiving requests from patients, other clinicians and third parties for health information to be sent to them electronically because it is an easily accessible method of communicating. The Australian Privacy Principles published by the Office of the Australian Information Commissioner state that: “Health information is regarded as one of the most sensitive types of personal information. For this reason, the Privacy Act 1988 (Privacy Act) provides extra protections around its handling”.
The Privacy Act defines health information as:
a) information or an opinion about:
   i. the health or a disability (at any time) of an individual; or
   ii. an individual’s expressed wishes about the future provision of health services to him or her; or
   iii. a health service provided, or to be provided, to an individual;
   that is also personal information; or
b) other personal information collected to provide, or in providing, a health service; or
c) other personal information about an individual collected in connection with the donation, or intended donation, by the individual of his or her body parts, organs or body substances; or
d) genetic information about an individual in a form that is, or could be, predictive of the health of the individual or a genetic relative of the individual.
As all health information is sensitive by nature, all communication of health information, including via electronic means, must adequately protect the patient’s privacy. General practices should take reasonable steps to make their communication of health information adequately safe and secure. GPs, health providers and patients should be aware of the risks associated with using email in the healthcare environment.
Obligations under the Privacy Act
Recherche Medical Centre must consider its obligations under the Privacy Act before it uses or discloses any health information. The Privacy Act does not prescribe how a healthcare organisation should communicate health information. Any method of communication may be used as long as the organisation takes reasonable steps to protect the information transmitted and the privacy of the patient.
RECHERCHE MEDICAL CENTRE DOES NOT USE EMAIL TO COMMUNICATE PATIENTS’ HEALTH INFORMATION.
In the rare event that a patient requests that their health information be sent via email to themselves or a third party, the patient is advised of the privacy risks of using unencrypted email for communication, and this is noted in their health record.
Recherche Medical Centre uses only highly secure messaging software with digital credentials to send or receive patients’ health information.
A failure to take reasonable steps to protect health information may constitute a breach of the Australian Privacy Principles and may result in action being taken against the organisation by the Australian Privacy Commissioner. What amounts to reasonable steps will depend on the nature of the information and the potential harm that could be caused by unauthorised access to it.