A breach of privacy

The other day I saw a staff member getting into their car, and putting what looked like a handful of patient notes in the boot. He was probably off to see his patients at a clinic or do a home visit.

This sort of thing is not unusual, especially as we are very much a paper-based system and need to take patient notes with us to do our jobs. However, I couldn’t help thinking how accountable we are for keeping the personal and sensitive details of our patients safe when their notes are in our care.

I bring this up as we have dealt with a case where patient information (contained in a notebook) was left in a vehicle, in full view while unattended. To compound matters, the car was broken into, and the notebook discarded along the way. While the notebook was retrieved, the Privacy Commissioner at the outset told CM Health that it had likely breached ‘Rule 5’ of the Health Information Privacy Code. In a nutshell, the Commissioner indicated that in this situation we did not take reasonable safeguards to protect the information contained in the notebook.

So what are reasonable safeguards, when it comes to transporting patients’ health information, for example, between sites?

Today I’m joined by John Hanson, our Senior Legal Advisor, who talks us through the intricacies of privacy law and how we can safeguard ourselves and our patients against breaches of privacy. If you are a health professional who sometimes has to take notes off site to do your job, this is an interesting read.

John Hanson, Senior Legal Advisor

CM Health takes patient privacy very seriously, and on the whole we do a great job of protecting our patients’ confidential and private details. However, when we transport patient information off site, we open ourselves up to a higher risk of this information being damaged, left behind, or in the worst case scenario being stolen. When a breach of privacy occurs, we go through a robust process to manage the situation and minimise the impact and risk for the people involved, in particular our patients.

In the case mentioned by Geraint, every patient whose information was involved was notified. Understandably there were a mixture of responses. One patient was particularly upset and complained to the Privacy Commissioner’s Office. The Commissioner’s initial but clear indication to CM Health was that it had interfered with the person’s privacy.

In effect, this means that CM Health had breached Rule 5 of the Health Information Privacy Code, and the patient had suffered harm as a direct result.  The Commissioner also found that some of the information in the notebook (including that relating to the patient who complained) did not need to be taken off site.  In fact some of the information was quite historic. The Commissioner believed it was not reasonable to expose this type of historic information to the additional security risks involved without a clear clinical purpose.

In this case, the person felt particularly distressed by the whole affair and, as a result, had suffered harm. As a DHB, we had failed on both counts.

What this ruling did, up and down the country, is raise the following question. In healthcare organisations, where we largely deal with paper-based systems, how far do you need to go to ensure the safety of confidential information when transporting notes off-site? While it can seem like a minefield, the Privacy Commissioner is aware of the limitations that health agencies and DHBs work under and is working with the health sector to put in place some safety guidelines.

There are things you can do now to ensure patient records remain safe and secure when travelling between sites. These reflect the Commissioner’s approach to security:

  • If possible, transport patient notes or information in a secure container and remain in touch with them. If they need to be transported by car, for example, they should be secured in a container in your boot. They should never be left in open view or on a seat.
  • Only take the notes you need for your task.
  • If it’s a rainy or windy day, secure the notes in a bag, so they don’t blow away or get wet.
  • Don’t take notes out for an extended period, when you don’t need them.

Just as you don’t leave your valuables, such as your wallet, in your car, treat patient notes and information the same way. If they were your health records, it’s very unlikely you would want them falling into the wrong hands.

John and Geraint





Author: Geraint Martin

Geraint Martin was appointed Chief Executive Officer of Counties Manukau DHB in December 2006. It is one of the largest District Health Boards in New Zealand and services a population of half a million. He has significant experience over 30 years in national policy & in managing both primary and secondary care. Previously, he was Director of Health and Social Care Strategy at the Welsh Government. He authored a radical 10 year strategy of reform, including the successful “Saving 1000 lives” Campaign. Until 2004, he was CEO at Kettering General Hospital & had held senior positions in London & Birmingham. He has worked closely with clinicians in improving clinical standards, patient safety, chronic disease management & managing acute care to reduce hospital demand. In NZ, he has promoted clinical quality and leadership as central to improving patient care. This has led to significant increases in productivity and access, whilst maintaining financial balance. CMH has completed in 2014 a $500 m capital redevelopment programme, the largest in New Zealand. A central part of this is the establishment of Ko Awatea, the Centre for Innovation and Research which will underpin CMH as one of the leading health systems in Australasia. In 2008, he chaired the Ministerial Review of Emergency Care in New Zealand, and in 2013 was a member of the Expert Advisory Panel on Health Sector Performance. Geraint has an MSc in Health Policy from Birmingham University. His post-graduate work has focused on health economics and Corporate Strategy. He is adjunct Professor of Healthcare Management at AUT and Victoria University, Wellington. Elected in 2006 as a Companion of the Institute of Healthcare Management, previously he was an Associate Fellow at Birmingham University. He is Chair of the Auckland Philharmonia Orchestra, a member of the Institute of Directors, on the Board of the NZ Institute of Health Management & previously the Board of The NZ Health Quality and Safety Commission.
