EMAIL POLICY

TERREY HILLS MEDICAL CENTRE

Current as of 16th March 2022

Introduction

This email policy provides information on how we manage privacy and security in email communications. It is adapted from and written in accordance with RACGP 5th Edition standards and AHPRA guidelines.

This policy sets out guidelines for acceptable use of email by the practice team, contractors and other staff of Terrey Hills Medical Centre. General practices are increasingly receiving requests from patients, other clinicians and third parties for health information to be sent to them electronically. The Australian Privacy Principles published by the Office of the Australian Information Commissioner state that: “Health information is regarded as one of the most sensitive types of personal information.”

For this reason, the Privacy Act 1988 (CTH) (Privacy Act) provides extra protections around the handling of an individual’s health information.

The Privacy Act defines health information as:

Information or an opinion about:

  • the health or a disability (at any time) of an individual; or 

  • an individual’s expressed wishes about the future provision of health services to him or her; or 

  • a health service provided, or to be provided, to an individual; that is also personal information; or

  • other personal information collected to provide, or in providing, a health service; or

  • other personal information about an individual collected in connection with the donation, or intended donation, by the individual of his or her body parts, organs or body substances; or

  • genetic information about an individual in a form that is, or could be, predictive of the health of the individual or a genetic relative of the individual.

Rationale

As all health information is sensitive by nature, all communication of health information, including via electronic means, must adequately protect the patient’s privacy. Terrey Hills Medical Centre takes reasonable steps to ensure that any electronic communication of health information by our GPs, nurses, health providers and support staff is adequately safe and secure.

Scope

GPs, health providers, support staff and patients should be aware of the risks associated with using email in the healthcare environment. This email policy applies to the practice team, contractors and other staff of Terrey Hills Medical Centre who use email for the conduct of practice business. This could include the use of practice-owned devices, personal mobile phones, tablets or personal laptops through the remote server to perform their work.

Policy

Our practice considers our obligations under the Privacy Act before we use or disclose any health information. The Privacy Act does not prescribe how a healthcare organisation should communicate health information. Any method of communication may be used as long as the organisation takes reasonable steps to protect the information transmitted and the privacy of the patient. A failure to take reasonable steps to protect health information may constitute a breach of the Australian Privacy Principles and may result in action taken against the organisation by the Australian Privacy Commissioner. What amounts to reasonable steps will depend on the nature of the information and the potential harm that could be caused by unauthorised access to it. The Royal Australian Practice of General Practitioners has developed a matrix to assist practices in determining the level of security required in order to use email in general practice for communication.

Our practice reserves the right to check an individual’s work email account as a precaution against fraud, viruses, workplace harassment or breaches of confidence by members of the practice team. Inappropriate use of the email facility will be fully investigated and may be grounds for dismissal.

Email configuration

Communication of clinical information to and from healthcare providers is completed from within the practice’s clinical software, wherever possible, using a secure clinical messaging system such as Health Link. The use of a practice’s clinical software means that a record of communication is automatically retained in the patient’s medical record. However, this is not possible when communicating with patients.

We currently have the following protective measures in place:

  1. Computer security measures

  2. Using 3 identifiers to identify patients 

  3. Notifying patients that there is a security risk in sending emails to them containing their personal medical information. They can choose to collect a hard copy from our office if they prefer.

  4. A notice on our emails if the email is sent to the wrong address

  5. Notification to OAIC of any significant data breach

  6. Protecting against spam / malware by use of spam filtering software

  7. Encryption of patient information by using a program such as S/MIME

  8. Ongoing training and education on safe email use

General protection

All email communications must be treated as confidential. The following procedures have been implemented at Terrey Hills Medical Centre to ensure safe email use, data protection and data privacy: 

  • Any information received by email that constitutes a patient’s health information must be downloaded and imported onto the relevant patient file to ensure patient files are kept up to date and are backed up in accordance with practice policy. 

  • We do not provide confidential information to an email address that has not been verified.

  • We use a spam filtering program.

  • Patient information or other confidential information sent by email must be encrypted. Note: encrypted files are not automatically screened for viruses. They have to be saved, decrypted and then scanned for viruses before being opened.

Protection against the theft of information

All employees are required to follow the guidance below to protect against information theft:

  • There are significant risks in providing confidential information on a website. Only do so via the internet when the site displays a security lock on the task bar and has https in the web address.

  • Do not inform people of your email password.

  • Be aware of phishing scams requesting logon or personal information (these may be via email or telephone). Do not click on links from suspicious email addresses.

Email disclaimer

Terrey Hills Medical Centre requires that all outgoing emails contain the following disclaimer:

PRIVACY & CONFIDENTIALITY NOTICE

This e-mail and any files transmitted with it are confidential and are only for the use of the person to whom they are addressed. If you are not the intended recipient, you have received this e-mail in error, and any use, dissemination, forwarding, printing, copying or dealing with this e-mail, in any way whatsoever, is strictly prohibited. If you have received this e-mail in error, please reply immediately by way of advice to us. It is the duty of the addressee/recipient to virus-scan and otherwise test the information provided, before loading it onto any computer system. Reading this email does not warrant that the information is free from viruses or from any other defect or error. Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of the company.

Email correspondence

Email correspondence sent to our email address is retained as required by the Public Records Act 2002 and other relevant legislation. Email messages may also be monitored by our information technology staff for system and maintenance purposes. Patient email address details will not be added to a mailing list or disclosed to a third party unless required by law.

Policy review statement

This privacy policy will be reviewed regularly to ensure it is in accordance with any changes to law or regulation that may occur.