15 August 2011

Information Afterlives

The Health Records Act 2001 (Vic) recognises that information in health records may continue to be sensitive even when recording ceases or the entity that recorded the information ceases to operate (eg a medical practitioner dies or retires or a clinic ges into banruptcy).

The Office of the Health Services Commissioner in Victoria accordingly indicates that -
Handling, retention and storage of medical records

Health service providers who elect to retain health information must continue to hold it or transfer it to a competent organisation for safe storage in Victoria, until the time when the health information is destroyed in accordance with Health Privacy Principle 4. A competent organisation for storage of records refers to a facility in which legitimate, 'reasonable steps' have been taken to ensure safe and secure storage of personal health information.

Health information must not be deleted until at least 7 years after the last occasion on which the individual received a health service from the provider. In the case of a child, information may only be deleted after the individual attains the age of 25.

Providers may have obligations under other laws or to their medical indemnity funds to retain records longer than the specified periods.

Care should always be taken before destroying any records.

Where information is transferred to another health service provider or organisation, and a copy is not kept, a written note must be made of the name and address of where the information was transferred. Although there is no NPP applying specifically to the transfer of health information, the Federal Privacy Commissioner's Guidelines on Privacy in the Private Health Sector advise health service providers to consider the range of obligations they may have in managing medical records when a practice closes. The guidelines also suggest that patients be informed of the closure.

Upon closure, patients’ health information may be transferred to another health service provider, particularly if the services of the new health service provider are the same as those of the previous health service provider. Where this is not the case, an individual patient’s consent may be needed prior to transfer. Where patients cannot be contacted, suitable storage arrangements will be needed
That guidance is of interest given this afternoon's ABC report that Victoria's Health Services Commissioner is investigating a claim that thousands of medical records were left unsecured in an abandoned Melbourne clinic.
The Commissioner has received a report that children's medical files were left in the Hawthorn Clinic when it went into administration in 2008.

The clinic treated children with autism and other disabilities.

Commissioner Beth Wilson says she believes people have been able to access the files in the building.

"I will be speaking to the administrator with the view to getting those records safely under lock and key," she said.

"We can then sort out how we can get them back to the parents involved and what breaches of the Privacy Act may have occurred.

"Health information is extremely sensitive. It is extremely disappointing if these records have been left unsecure."

Health Minister David Davis says it is unacceptable for medical records to be left abandoned in an unsecured place.

"Clearly it is unacceptable that records should be accessible in this way - records should be protected," he said.

"I will wait to find the facts of the matter, but certainly I think Victorians would not want to see records available in this way."
Indifference to outcomes through abandonment of records - and of responsibilities - might be addressed through meaningful penalties.

Health Privacy Principle 4 concerns 'Data Security and Data Retention'. It provides that -
4.1. An organisation must take reasonable steps to protect the health information it holds from misuse and loss and from unauthorised access,
modification or disclosure.

4.2. A health service provider must not delete health information relating to an individual, even if it is later found or claimed to be inaccurate, unless -
(a) the deletion is permitted, authorised or required by the regulations or any other law; or

(b) the deletion is not contrary to the regulations or any other law and occurs -

i) in the case of health information collected while the individual was a child, after the individual attains the age of 25 years; or

ii) in any case, more than 7 years after the last occasion on which a health service was provided to the individual by the provider-

whichever is the later.
4.3. A health service provider who deletes health information in accordance with HPP 4.2 must make a written note of the name of the individual to whom the health information related, the period covered by it and the date on which it was deleted.

4.4. A health service provider who transfers health information to another individual or organisation and does not continue to hold a record of that information must make a written note of the name and address of the individual or organisation to whom it was transferred.

4.5. An organisation other than a health service provider must take reasonable steps to destroy or permanently de-identify health information if it is no longer needed for the purpose for which it was collected or any other purpose authorised by this Act, the regulations made under this Act or any other law.