Efficient and effective administrative procedures are implemented to meet care recipient/consumer (as appropriate) and regulatory requirements. Information is used responsibly to inform the decision making process to improve care and services provided to care recipients / consumers and effective management.
As a provider of residential aged care/home care package services, RusCare is bound to collect personal information according to the Aged Care Act 1997. The organisation is also bound by the Victorian Health Records Act 2001 and the Australian Privacy Principles within the Privacy Amendment (Enhancing Privacy Protection) Act 2012 that set out the requirements for ensuring systems and processes are in place to appropriately manage personal information.
An open and transparent approach to management of personal information is taken and communicated to care recipients/authorised representatives on admission in the Australian Privacy Principles Policy.
RusCare is committed to providing a culture for privacy of personal information and systems for responsible handling of personal information collected. Staff must ensure information is as accurate as possible and must take steps to maintain the security and confidentiality of personal information at all times including, but not limited to: electronic information, paper based information and oral information such as handover and the use of telephone.
A multidisciplinary team approach to providing care in partnership with care recipients/consumers (as appropriate) and their representatives is provided. Information is only shared with team members on a need to know basis.
Systems are in place to ensure care recipient/consumer (as appropriate) personal information and confidential information related to staff and the management of the organisation is safeguarded against loss, unauthorised access, use, modification or disclosure.
A Privacy Officer has been appointed to assist with any issue care recipient / consumers (as appropriate) and their authorised representative/s may have related to privacy of personal information. All matters related to privacy should be directed to the Privacy Officer.
Information and social media technology and social networking must be used according to the IT and Social Media procedure (4.4) to reduce the associated risks to the organisation, care recipients and staff.
Personal information is information or an opinion about an identified person or who can be reasonably identifiable no matter whether the information or opinion is true or false, or whether it is recorded or not.
Staff have the responsibilities to maintain confidentiality and to only share privileged personal information about care recipients/consumers and staff members to other members of the team on a need to know basis.
Care recipients/consumers have a right to have their personal information protected through the control of the collection, use and dissemination of personal information as required by the Australian Privacy Principles (APP) and Victorian Health Privacy Principles (HPP).
Privacy does not apply to de-identified information for example, statistics where an individual cannot be reasonably identified.
A copy of the Australian Privacy Principles Policy and consent form is provided to all care recipients/consumers/representative on admission. They are also available on our website and in the Resident Handbook.
Home Care Packages consumers sign the SCTT consent form, receive a privacy information flyer and the Consumer Information Kit.
Whilst the Privacy Act does not cover the handling of personal information by organisations where it is contained in employee records, systems are in place to ensure staff’s personal information is safeguarded.
Staff phone numbers must not to be given to any person outside the organisation.
The Managing Director and the Quality Manager have been appointed as the Privacy Officer for the organisation and acts in accordance with her/his position description and the organisation’s policies and procedures.
Additionally, RusCare has appointed an external Privacy Officer who may also be accessed in the first instance to resolve privacy issues.
All requests to access or correct information or complaints related to alleged breaches of privacy are to be referred to the Privacy Officer.
Action taken by the Privacy Officer will depend on the individual circumstances of an issue raised and legislative requirements.
An Action Plan is completed for complex issues to ensure follow up action is planned and completed within defined timeframes.
The Privacy Officer maintains accurate documentation of each issue raised related to privacy. A Privacy Issues Register is maintained to identify and monitor the progress of privacy related issues within the defined timeframes.
The Health Records Act (Vic) allows for an authorised representative to act for the care recipients/consumers if she/he is incapable of acting for her/himself.
The Australian Privacy Act 1988 as amended 2012 allows for a responsible person for an individual to act on her/his behalf if they are unable to do so.
Sensitive information must not be collected without resident/representative consent and should only include information required by an aged care facility or reasonably necessary for the provision of care and services to the care recipient/consumer
The APP Policy has a section for the Consent for collection, use and disclosure of personal information. The care recipient/consumer or authorised representative is asked to sign the consent section of the APP policy form.
A copy of the APP Policy and signed consent form is offered to the care recipient/consumer/representative. This form is then filed in the care recipient/consumer’s admission notes.
Wherever possible information is collected from the individual care recipient/consumer or representative if this is not possible.
Staff must maintain privacy when collecting information for example, in the care recipients room rather than dining room. This applies throughout the care recipients stay.
Every effort is to be made to ensure information collected, used and or disclosed is accurate, up to date and complete.
Care recipients / consumers / representatives (as appropriate) / family members are encouraged to inform staff if information changes.
Entries in care recipients / consumers’ (as appropriate) files must be actual and factual about what staff have observed and have done, not their personal opinion of the care recipient / consumer.
A Staff Signature Register is maintained to identify initials and signatures.
Whiteout must not be used in any care recipient/consumer record. Any errors have a line drawn through them and are initialled.
Personal Information must only be used or disclosed for the primary purpose for which it was collected; or directly related secondary purpose which would be reasonably expected by the care recipient / consumer (as appropriate) / authorised representative. For example:
Refer also to the Australian Privacy Principles Policy.
Staff may disclose (communicate) health information related to a care recipient/consumer to an immediate family member as necessary to provide appropriate care unless there is an expressed wish that the care recipient / consumer or authorised representative does not want information discussed with a particular person. This includes general comments to next of kin and close relatives over the telephone.
Staff must document such discussions in the progress notes.
There must be informed consent for use / disclosures for other purposes where reasonable expectation does not apply for example;
The care recipient / consumer / representative must have options explained and have the right to refuse consent for the use of personal information for a secondary purpose.
A care recipient / consumer / authorised representative may request information to be available to another health service or provide authority for another health service provider to request information. This may involve a copy or summary of the information. Such requests must be referred to the Privacy Officer and processed as soon as practicable.
Personal information may be disclosed/used for a secondary purpose if it is related to a law enforcement or regulatory purpose for example; subpoena, notifiable disease, compulsory reporting of elder abuse and missing care recipient. Details of such disclosures require documentation including the date, the information was used/disclosed, the enforcement body to whom it was disclosed/use and how it was used/disclosed. Refer also to Incident Reporting (21.1).
In the case of a subpoena the whole record is copied prior to sending by Registered Mail to the address requested.
Solicitors requesting copies of records are referred to the Managing Director.
Legal advice is sought by the organisation if it unsure about how to proceed with a court order.
Care recipients / consumers or their authorised representative have the right to access personal / health information kept. The authorised representative must consider whether if able the care recipient/consumer would wish to access the information.
All reasonable steps must be taken to provide access.
An Acknowledgement and Response is provided for all requests using Part B of the Request to Access /Correct Information Form including whether access can be provided or correction can be made and whether a fee applies. Refer below for Refusal of Access.
Generally a fee is not charged for access unless there is a large amount of photocopying/printing or time required. In these cases:
However, the care recipient/consumer is still able to access the facts and opinions and an explanation about how the decision was made related to them.
Where a request for access has been refused the Privacy Officer must provide a reason as required by APP 12 or HPP 6. The Notification of Refusal template letter is used by the Privacy Officer.
An exception to providing a reason would be if the disclosure would prejudice a legal investigation.
Where refusal has occurred and all other avenues have been explored consider the offer of an intermediary person who is mutually acceptable to the person and the organisation to assist with limited access when direct or limited access is not appropriate.
The Privacy Officer will need to establish whether an acceptable outcome would be achieved for the person with the use of an intermediary without revealing the information covered by the exception.
The Privacy Officer will need to establish the availability of a suitable intermediary.
The Intermediary’s role is to facilitate sufficient access, which meets the person’s and the organisation’s needs.
This person should be another qualified health service provider who will act in the best interest of both parties.
Disclosure of the information to which access has been requested is required with the individual’s written consent using the Consent to Use/Disclose Information form. This disclosure is to enable the Intermediary to explain the contents of the information to the individual, without revealing specific details without the organisation’s authority.
The steps in this process must be explained to the individual when an Intermediary is offered.
The applicant may nominate a consenting health service provider to assess the grounds for refusal if the offer of an intermediary has not been made by the organisation or if she/he does not accept such an offer or is not satisfied with the outcome of the discussion. A written notice of the nomination must be provided within 21 days after receiving the notice of refusal or an offer or following discussion.
The organisation may object to the nomination in writing within 14 days.
The Privacy Officer will refer to the requirements of the legislation and may require legal advice for this situation.
A care recipient/consumer or authorised representative is entitled to request information to be corrected should they believe personal information is incorrect.
Requests for correction are required in writing using the Request to Access/Correct Information form.
The organisation can refuse to correct the personal / health information if it is believed there is lack of supporting evidence. However, a statement provided by the person should be attached to state that correction was requested.
Where a request for correction has been refused the Privacy Officer must provide a reason as required by APP 13 or HPP 6. The Notification of Refusal template letter is used by the Privacy Officer.
Care recipients /Consumers/ authorised representatives have the right to make a complaint where they believe there is a breach of the resident’s/consumer’s privacy. Such complaints must be recorded on an Feedback Form (2.0.1) and followed up promptly by the Privacy Officer according to the Complaint Handling procedure (2.6) and the Security Breach section below.
Care recipients /consumers/ authorised representatives also have the right to make a complaint to the Office of the Australian Information Commissioner / Victorian Health Services Commissioner.
The commissioners are able to investigate complaints where it is alleged that there has been a breach of the Australian Privacy Principles / Health Privacy Principles or access has been denied. Compliance notices can be served for serious breaches by the commissioners or binding orders by the Victorian Civil & Administrative Tribunal.
Any request to access medical records for the purpose of research must demonstrate in writing how information will be used and how ethical issues and privacy will be protected.
Written consent using the Consent to Use/Disclose Information form (4.0.3) is required if information is not de-identified or a consent form specifically designed for the research project is used.
Generally where de-identified information is used/disclosed for study purposes no privacy issue arises unless there is no direct relationship between the use and the purpose of the initial collection. In this case;
The Managing Director handles media issues for the organisation. All media inquiries are to be directed to this person.
Personal or health information must not be disclosed unless there is informed consent or expressed consent.
Information may be provided only if individuals cannot be identified by the statement made.
The organisation does not use personal information to contact residents / families for the purpose of fundraising such as donations, bequests or direct marketing without written consent.
Measures are in place to safeguard personal and health information in any form from loss, unauthorised access, use, modification or disclosure.
The following steps should be taken if there is a situation where “…[p]ersonal information is lost or subjected to unauthorised access, modification, use or disclosure or other misuse.
A comprehensive investigation is conducted following the incident to identify and if possible implement preventative action such as; increased security measures, staff training, review and update of policies and procedures
If you have any questions, feedback or concerns about this policy or how your information is handled by RusCare Ltd, you can contact our office on 03 9793 5955 (9am-5pm, Monday-Friday, AEST).
Fax – (03) 9791 3933
Mail – RusCare Ltd – 13 Conway Street Dandenong South Victoria 3175
Email – [email protected]
RusCare Ltd will manage any concerns internally, directly with you.
If you are not happy with our response, or if you do not feel your complaint has been resolved, you are able to seek advice from the Office of Australian Information Commissioner by calling 1300 363 992.