This policy covers all aspects related to the collection and storage of health data: clinical service privacy is covered in a separate document available from Outcome Health.
The Privacy Act (1988) was introduced to promote and protect the privacy of individuals.
Outcome Health takes your privacy seriously. This Policy outlines the privacy handling practices of Melbourne East General Practice Network, trading as Outcome Health (ABN 86 129 637 412) in dealing with personal information.
This policy sets out the principles that Melbourne East General Practice Network, trading as Outcome Health (“the organisation”) has adopted in order to protect personal information and comply with privacy obligations. These principles deal with the entire lifecycle of such information including: collection, use and disclosure, access to, correction of, security and disposal. The Organisation aims to ensure a high standard and compliance of documentation within its current practice and to strengthen information handling procedures in a way that is ethical and consistent with Commonwealth and State legislation.
The Organisation is committed to the protection of privacy (including health information) and has adopted a set of privacy principles based on relevant state and federal privacy laws and adherence to a range of existing legal and ethical obligations regarding privacy, security and confidentiality of personal information.
This policy has been prepared in March 2015 and reviewed yearly in accordance to Australian Privacy Principles (APPs). The APPs are found in the The Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Privacy Amendment Act). We collect personal information that is necessary to undertake our programs, activities or functions; these include facilitating the exchange of information between Outcome Health and other agencies.
Any enquiry or if they have a complaint about privacy or confidentiality should, in the first instance, be directed to the Organisation:
Phone: 8822 8444 Email: email@example.com
The organisation will respond to all privacy enquiries within 30 days, if a response is not received (after 30 days), then a complaint may be lodged with the Office of the Australian Information Commissioner (OAIC) on the enquiries line 1300 363 992 or, if calling from outside Australia call: + 61 2 9284 9749.
What is personal information?
Personal information is information or an opinion about an identified individual, or an individual who is reasonably identifiable: whether the information or opinion is true or not; and whether the information or opinion is recorded in a material form or not.
When do we interact with data?
Outcome Health offers a system called POLAR to General Practices. POLAR allows the practice to interrogate data in their clinical systems for a range of clinical improvement and population health based activity.
We de-identify this information and supply it to Primary Health Networks (PHNs) so they can use the data to commission services and provide quality improvement activity across their catchments. PHNs do not access identified data about you. You can read more about the PHNs roles here.
What types of personal information do we collect and store?
We collect clinical and demographic information generated and stored in your General Practices clinical information system.
Identifiable information about you is stored at the practice to ensure your care is coordinated in the best way. De-identified information is removed from the practice for PHNs to use.
We collect health information that relates to the care you receive in the practice. Data is collected in 12 broad categories:
- Activity (number of visits and interactions);
- Medicare billing information;
- Observations (height, weight etc)
- Pathology tests;
- Radiology tests;
- Cervical screening;
- Referral categories
A more comprehensive detailed list of common data items can be found here.
Before the data is de-identified we use some of the information to create a unique encrypted key which allows us to link with other de-identified datasets to form a more complete picture of a patient’s health journey. This is an example of a linkage key:
It is not possible to re-identify a person from this information.
If you do not wish to have your personal data collected for improvement activities, you can, at the time of consultation, inform your practice staff who will ensure your data is not shared.
How do we collect data?
Data collected during the consultation is transferred to a secure location on the practice server. From there it interacts with our system to make it possible for your practice to view identified data about you and ensure the care you receive is the best possible care. The practice can view your details in their system, much like in the clinical information system in the consultation room.
Before data leaves the practice, all identifiable information is removed so that only a de-identified subset of patient data is saved in our warehouse. The data in this warehouse is a tool which allows your Primary Health Network to design population health initiatives to improve the health of your community.
How do we store data?
All data is stored in a secure environment. Your identified data remains at the practice site. Practices can view your data only in their facility when they log in to the secure POLAR system.
De-identified practice data is stored in an off-site secure environment with multiple levels of data security enforced. Some parts of your de-identified data is viewable to the PHN in your region. PHNs use this data to know what services are most needed in your area and then work to address those needs.
Access to the de-identified data is strictly monitored, audited and restricted. We take all steps necessary to ensure your data is never accessed by an unauthorised person.
We have multiple levels of security to ensure we maintain highest standards of practice in how we handle your data.
Why do we collect, hold and disclose data?
First and foremost, we collect data to allow your practice to provide you with the highest possible level of care. This information helps the practice team to design a care package that ensures your needs are met to help you on your health journey. Any identifiable information about you remains at the practice site and it is never shared or disclosed with anyone.
The PHN in your region assist the practice with their data management needs by providing advice and education. Practices are supported to use the practice data in a way which translates to tangible improvements in the health of their patients.
PHNs access a copy of a combined de-identified practice dataset which allows them to perform population health analysis. Your GP helps you manage your individual health needs and PHNs help manage the community health needs.
If your practice has consented to allow research to be conducted on de-identified datasets, then a limited number of data items may be made available to researchers for PHN-approved projects. There are strict guidelines around which data items are available and for what studies. PHNs will only approve research that is of direct benefit to the general practice community. In some instances, your practice may choose to be involved in selected research. This ensures that medical knowledge is constantly improved which means that you continue to have access to best medical practice.
Researchers cannot request access to all data items in the warehouse. In line with all other layers of security, research access is strictly enforced and monitored. Researchers access the data in a secure virtual environment controlled by Outcome Health.
More detail on research activity can be accessed by contacting Outcome Health on (03) 8822 8444.
How can you access your information?
You have a right to request access to personal information about you and to request that this information be corrected.
You can access the information we collect at the practice site by simply requesting to view it. It is not possible to search for your record in the POLAR system by ‘Name’ but it is possible to locate your record via a patient list, such as: a list of patients under 50 and over with no cholesterol recorded.
Correction of incorrect personal information cannot be conducted through POLAR, as it is a reporting system that simply displays the data as entered in your electronic medical record. If you suspect that incorrect personal information has been captured, you may contact your GP and request for your personal information to be corrected.
Once the data is transferred to our secure warehouse, it is impossible to locate your record in the de-identified aggregated set. Privacy is further protected by suppressing any cohort containing less than 20 patients. For example, patients with extremely rare conditions cannot be re-identified simply by searching for that condition if there are 20 or less patients in that group.
What is the complaints process?
If you believe a breach of the Australian Privacy Principles has occurred, you may raise your concerns or lodge a complaint with:
- Your general practice
- Your PHN
- Outcome Health – contact us on 03-88228444 and ask to speak to the CIO. Alternatively you can email us firstname.lastname@example.org
Complains are treated with highest priority and all reasonable steps are taken to address them. If you are unsatisfied with the proposed solution, you may lodge a complaint to an external body such as the Office of the Australian Information Commission.
This policy is assessed for risk of content variation and as such has the below rating:
|Low Risk||Reviewed every 2 years|
|Medium Risk||Reviewed every year|
|High Risk||Reviewed every 6 months|
|Extreme Risk||Reviewed every 3 months or less|
Commonwealth Privacy Act (1988) http://www.oaic.gov.au/privacy/privacy-act/the-privacy-act
Australian Privacy Principles and National Privacy Principles – Comparison Guide – Summary and analysis of key differences for organisations (2013) http://www.oaic.gov.au/privacy/privacy-resources/privacy-guides/australian-privacy-principles-and-national-privacy-principles-comparison-guide
Victorian health Records Act (2001) https://www2.health.vic.gov.au/about/legislation/health-records-act
Commonwealth Healthcare Identifiers Act 2010: http://www.comlaw.gov.au/Details/C2012C00590
Commonwealth (2015). Australian Privacy Principles guidelines https://www.oaic.gov.au/resources/agencies-and-organisations/app-guidelines/APP_guidelines_complete_version_1_April_2015.pdf
Privacy Fact Sheet 17 Australian Privacy Principles http://www.oaic.gov.au/privacy/privacy-resources/privacy-fact-sheets/other/privacy-fact-sheet-17-australian-privacy-principles
Privacy business resource 5: Healthcare Identifiers — General information for healthcare providers http://www.oaic.gov.au/privacy/privacy-resources/privacy-fact-sheets/health-and-ehealth/privacy-fact-sheet-13-healthcare-identifiersgeneral-information-for-healthcare-providers