Policies 2018

Communication Policy, The Parks Medical Centre, Updated May 2018.

Communication and confidentiality are cornerstones of medical practice. We at the Parks are fully aware of our collective responsibility to maintain these key elements of our interactions with all our clients. Over the past couple of months, we have reviewed all our policies and there are some changes.

Verbal Communication.

We make every effort to ensure that all communications between the staff at the Parks and our clients are confidential. The consultation room provides a secure environment for this to happen. In this environment we will disclose no information about a third party without consent. In the past this may have been verbal but moving forward we will have to request written consent.

Unfortunately, the front desk poses a significant problem. The administrative staff at the front desk are aware of this and do their level best to maintain confidentiality. Please be assured of our good will at all times. If the information you are discussing with the receptionist is of a confidential nature and the environment is not so, please advise the receptionist and they will endeavour to find a quieter spot to listen to what you have to say.

It would be hugely helpful if you could check that we have your correct address and mobile phone number.

Telephone.

In future, unless whoever you are communicating with via the phone is absolutely sure you are the person you state you are, you will be asked your date of birth. As you may be aware, our computer files go back to 1994 and we regularly find we have several people with the same name. Please do not be offended; it is to protect your confidentiality.

Text messaging.

No text will be sent to any patient without their consent documented in their computer file. Heretofore this was verbal consent and documented in the administrative section of the file. From 25/5/18, all new patients will have to sign a consent form re receiving text messages from the practice and this consent will be scanned into their patient file. Text messaging is used in the practice to convey test results, to remind patients re appointments or to request patients to attend the practice, generally in relation to test results or prescription check-ups that are required.

Policy on Transfer of Medical Records

This Practice has always endeavoured to ensure the highest standard of medical care for our patients. Should you wish to view your medical records, transfer your medical records to another health professional or if we receive third party requests for your medical information, we have put together this policy to protect you, the Patient.

Transferring to Another Practice

If you decide at any time and for whatever reason to transfer to another practice we will facilitate that decision by making available to your new doctor a copy of your records on receipt of your signed consent from your new doctor. From the end of May 18, we will only release medical records through Healthmail or directly to you, the Patient. We will have a no post policy unless it is not geographically possible for you, the patient, to pick these files up (e.g. moved outside Dublin). They will then be sent by registered post. We will not email them or save them to a USB stick/CD or other device.

For medico-legal reasons we will also retain a copy of your records in this practice for an appropriate period of time which may exceed eight years.

As per new legislation, we will need written consent from every individual in your family. As per GDPR legislation, an individual can only make an Access Request for their own personal data. Legal Guardians can also make a request on behalf of a child; however, once a child is capable of understanding their rights to privacy and data protection, the child should make this request in their own name. THIS IS NOT AGE DEPENDENT; therefore we reserve the right to process these requests on an individual basis, as revealing medical information of a child who is capable of making decisions themselves will in most cases constitute a breach of the Data Protection Acts.

Medico/Legal Requests
In the event of a solicitor requesting these records, we will ask you, the patient, to look at these notes prior to releasing them and/or will release them directly to you, the patient.

PMA Requests
Again, we will ask you, the patient, to look at this report prior to sending this to the insurance company and we will not include/disclose third party reports from Consultants with this report. We will, however, give you, the patient, these third party reports upon receipt of your signed request.

Health Insurance Companies
As above, we will ask you to look at this report prior to releasing and will not release third party reports from Consultants with this report. As is your right, we will release these third party reports to you upon receipt of your signed request.

Data Breach Policy – The Parks Medical Centre

Policy Objective
The aim of this policy is to ensure that in the event of a data breach, the appropriate measures are taken in compliance with GDPR.

Scope
This policy applies to medical data, i.e. computer files and paper files. It applies to personnel data for all staff members, from contracts to payroll.

Typical Data Breaches are:
1) Loss or theft of data or equipment on which data is stored
2) Loss or theft of documents/folders
3) Unforeseen circumstances such as a flood or fire which destroy information
4) Inappropriate access controls allowing unauthorised use
5) A hacking/cyber-attack (such as ransomware)
6) Obtaining information from the practice by deception
7) Misaddressing of e-mails/post/scripts/certs
8) Sending a copy of a lab result or radiology result to a wrong patient
9) Being in the wrong patient’s file, i.e. patients with the same name
10) Discussing patient information without prior consent, i.e. parent/guardian of child or spouse/partner

Procedure

In the event of a suspected data breach:

1) The Practice owner must be notified in writing straight away.
2) This should be done by internal message giving all details of the breach.
3) In the absence of the Practice owner please notify the Practice Manager who will manage this until the Practice owner’s return.
4) The Practice owner/Manager will carry out a risk assessment to determine if this was an incident or a breach.
5) In the event of it being an incident, the data commissioner does not need to be informed; however, all events of the incident must be recorded.
6) In the event of it being a known breach, the practice owner/manager will follow protocol and notify the Data Protection Commissioner as below.

Notification to The Data Protection Commission

Where feasible and without undue delay, the practice owner will notify the personal data breach to the Data Protection Commissioner no later than 72 hours after being made aware of it. If this notification is made after more than 72 hours, it will be accompanied by the reason for this delay. The only exception to this is if the breach is unlikely to result in a risk to the rights and freedoms of natural persons (i.e. the patient).

Notification to the Data Subject
When the personal data breach is likely to result in a high risk to the rights and freedoms of the natural persons (the patient), the practice owner will communicate this breach to the patient without delay. It will be explained in clear and plain language and will contain the following:
1) The name and contact details of the data protection officer or other point of contact where more information can be obtained
2) A description of the breach and its likely consequences
3) A description of the measures the practice took or intends to take to manage this breach and the steps to prevent a breach of this nature re-occurring.

The Article 29 Data Protection Working Group has produced “Guidelines on Personal Data breach notification under Regulation 2016/679”. The full document is available at
https://iapp.org/media/pdf/resource_centre/WP29-Breach-notification02-2018.pdf

For the purposes of this policy see pages 30-33 as printed here.