At The Heart Group we are committed to promoting and protecting individual privacy in accordance with the Privacy Act 2020 (“Act”) and the Health Information Privacy Code 2020 (“Code”).
- The Heart Group Limited is an agency and means:
- Each individual cardiologist; and
- The Company, Intra Limited
- The above companies’ employees, including technical staff, nursing staff and administrative staff.
Application and Scope
This policy sets out the principles we use when collecting, storing, using, and disclosing personal information and health information from our patients (collectively referred to as “personal information” throughout this policy).
Our Privacy Officer is Suzanne Endicott-Davies (email: firstname.lastname@example.org, phone: 09 623 6373). The Privacy Officer’s role and responsibilities include:
- Encouraging us, our employees, our contractors and all other related parties to comply with the information privacy principles as set out in the Act;
- Dealing with requests made to us pursuant to the Act;
- Working with the Privacy Commissioner in relation to investigations; and
- Ensuring we are compliant with the Act.
Our address is 1 Gilgit Road, Epsom, Auckland.
Purpose and collection
We will only collect personal information for a lawful purpose connected with the functions and/or activities of our business and where the collection of personal information is necessary for that purpose.
We will only collect personal information directly from the patient concerned, except where otherwise permitted by the Act or Code.
Patients are asked to notify us of any changes to their personal information.
When we collect personal information about a patient, we will ensure it is only collected by lawful means and in a way that is fair and does not intrude to an unreasonable extent upon the patient’s personal affairs.
We will take reasonable steps to ensure each patient is aware of:
- The fact that information is being collected;
- The purpose for which the information is being collected;
- The intended recipients of the information;
- The name and address of who is collecting the information, and who will hold the personal information;
- If collection is authorised or required by law, the particular law, and whether the supply of information is voluntary or mandatory;
- Any consequences for that patient if all or part of the requested information is not provided; and
- The rights of access to, and correction of, personal information.
This will usually be done by way of our Privacy and Email Consent Form.
There are limited circumstances in which the Act permits us to not inform the patient of the above information. For example, where doing so would prejudice the purpose of collection.
Storage and security
We will ensure that reasonable security safeguards are in place to protect our patients’ personal information we hold, from misuse, loss, and unauthorised access, use, modification or disclosure.
We will only keep personal information for as long as is required for the purposes for which the personal information may lawfully be used, or as required by law. Once we no longer require the personal information for that purpose, we will take reasonable steps to safely dispose of the personal information.
Access and correction
If we hold personal information about a patient, then the patient is entitled to request access to, or correction of that personal information. Any request should:
- Be in writing to our Privacy Officer; and
- Set out the scope of personal information to which access or correction is sought.
We will respond to the request in accordance with the timeframes and procedures specified in the Act. There are limited circumstances in which we can deny a patient access to, or to correct personal information. If that is the case, we will provide the patient with the reason for denial of access to, or correction of, the personal information.
We will not use or disclose our patients’ personal information without taking reasonable steps to ensure the personal information is accurate, up to date, complete, relevant and not misleading.
Use and disclosure
We will not use or disclose our patients’ personal information unless we believe on reasonable grounds that:
- the use or disclosure is for one of the purposes for which the information was obtained, or a directly related purpose;
- the disclosure is to the patient concerned;
- the information is in a form that does not identify the patient;
- the patient has authorised the use or disclosure (or the patients’ representative, where the patient is unable to give their authority as per the Code);
- the source of the information is a publicly available publication and it would not be unfair or unreasonable to use the information;
- the use or disclosure is necessary to avoid prejudice to the maintenance of the law by any public sector agency, or for the enforcement of a law imposing a pecuniary penalty, or for the protection of the public revenue, or for the conduct of proceedings before any court or tribunal;
- the use or disclosure of the information is necessary to prevent or lessen a serious threat to public health or public safety, or the life or health of the patient concerned or another individual;
- the use or disclosure of information is necessary to enable an intelligence and security agency to perform any of its functions;
- the disclosure of the information is necessary to facilitate the sale or other disposition of a business as a going concern;
- the information is information in general terms concerning the presence, location, and condition and progress of the patient in a hospital, on the day on which the information is disclosed, and the disclosure is not contrary to the express request of the individual or their representative;
- the use or disclosure is required or authorised by or under law.
It is important our patients understand that medical records and other personal information (including referrals) can only be given to third parties, including other medical professionals or those involved in the provision of medical care to the patient, where:
- The disclosure is authorised by the patient concerned (or the individual’s representative where the individual is unable to give their authority under the Code) by way of the Privacy Consent form;
- If the patient has not provided consent by way of the Privacy Consent form, then where they have provided consent in relation to the specific disclosure that is proposed;
- The disclosure is one of the purposes in connection with which the information was obtained; or
- If it is not desirable or not practicable to obtain authorisation from the patient concerned, the disclosure is specifically permitted by the Act and/or Code (for example, where the disclosure of the information is necessary to prevent or lessen a serious threat to the life or health of the individual concerned).
Disclosing information outside New Zealand
We may disclose our patients’ personal information to a foreign person or entity where the requirements of the Act are met. These requirements are intended to ensure that personal information disclosed overseas is subject to comparable safeguards to the Act, or where that may not be possible, that the patient is fully informed and has expressly authorised the disclosure.
If we disclose our patients’ personal information to a foreign person or entity, to store that personal information on our behalf, provided the foreign person or entity will not use or disclose that information for its own purpose, then that will not be considered a disclosure of information outside New Zealand in accordance with the Act.
We are authorised to assign the same National Health Index numbers to our patients as other agencies, if doing so is necessary to enable us to carry out one or more of our functions efficiently.
Mandatory reporting breaches
We will take all steps necessary to ensure a privacy breach does not occur.
- A privacy breach is the unauthorised, or accidental access to, or disclosure, alteration, loss or destruction of personal information, or an action that prevents us from accessing the information (on a temporary or permanent basis).
- A notifiable privacy breach is a privacy breach from which it is reasonable to believe serious harm has been caused to an affected individual(s) (or is likely to do so).
In the event that a notifiable privacy breach occurs, we are required to notify the Privacy Commissioner and the individual affected by the notifiable privacy breach of that occurrence.
Any individual who becomes aware of a privacy breach or a notifiable privacy breach should immediately notify our Privacy Officer, so that the matter can be dealt with in accordance of the Act.
Complaint process under the Health Information Privacy Code 2020
We are committed to the fair, simple, speedy and efficient resolution of complaints relating to the Code. If a patient wishes to make a complaint for a breach of the Code, they should direct their complaint to Suzanne Endicott-Davies.
If we receive a complaint for a breach of this Code, we will:
- Within 5 days of receipt of the complaint, acknowledge the complaint in writing (unless the complaint has been resolved to the satisfaction of the complainant within that period); and
- Inform the complainant of any of our relevant internal and external complaints procedures; and
- Document the complaint and our actions regarding that complaint.
Within 10 days of acknowledging the complaint we will:
- Decide whether we accept that the complaint is justified or not; or
- If we decide that more time is needed to investigate the complaint, we will:
- Determine how much additional time is needed; and
- If that additional time is more than 20 working days, we will inform the complainant of that determination and the reasons for it.
As soon as practicable after we have decided whether or not we accept the complaint is justified, we will inform the complainant of:
- The reasons for our decision;
- Any actions that we propose to take;
- Any appeal procedure we have in place; and
- The right to complain to the Privacy Commissioner.
This complaint procedure is subject to our rights under the Act to refuse to provide patients with access to their personal information.