Safeguarding Patient Information

At Papanui Medical Centre, we take care to protect patient’s health information at every stage, from collection through to storage and disposal. We safeguard information in line with the Health Information Privacy Code, the Privacy Act 2020 (including IPP3A), and other relevant legislation. We expect all staff to collect, hold, use, and dispose of health information appropriately.

We are guided by the Health Information Privacy Code’s key concepts of purpose and openness, in being clear about why we are collecting information, and how it will be used. New staff receive training about how to handle health information appropriately during their induction.

Collecting patient information

Practice staff follow the rules in the Code when collecting patient information. Rules 1 – 4 in particular apply:

1.

We only collect information for a specific purpose, when needed:

  • to care for and treat the patient
  • to carry out our function as a health provider
  • to fulfil a legal requirement.

2.

We collect information directly from the patient unless they have consented to it being collected from somewhere else.

We may also collect information indirectly (from someone other than the person it is about). If we do collect information indirectly, we must notify the individual unless:

  • an exception applies
  • it is routine information collection from other health services involved in the patient’s care (for example hospitals, other health providers, laboratories, radiology, ACC and Health New Zealand | Te Whatu Ora) that has been explained in the practice’s privacy statement.

3.

We tell the patient:

  • why we are collecting the information
  • who will have access to it
  • who will hold the information.

4.

We collect information:

  • lawfully and fairly
  • as unobtrusively as possible
  • with consideration of our privacy obligations when collecting information in a setting that could allow other people to see or overhear.

Using patient information

Our practice staff use patient information appropriately:

  • privacy statement is made available to new patients at enrolment, explaining how we collect, use, and share their health information (including the information we receive from other services).
  • We access patient records only when we need them to provide healthcare services.
  • We handle all patient information with care.
  • Patient information is used only for the purpose it was collected for, unless the patient has consented to another use.
  • We treat patient information with respect and confidentiality.
  • We follow processes to avoid privacy breaches when sending or handling patient information.

Storage, security, and disposing of patient information

We use Indici to electronically store and manage all patient health information. Practice staff access the system with their unique login and password.

Patient records are stored and disposed of in accordance with legislation:

  • Records are updated regularly, and patient-related documentation is uploaded or scanned into the patient’s clinical record promptly.
  • Information is kept secure, and backed up.
  • Records are retained for a minimum of 10 years after the last contact with the patient, in accordance with the Health (Retention of Health Information) Regulations 1996.
  • Outdated information and records are disposed of confidentially. Any hard-copy records are locked away securely when not in use.