Email Policy

This email policy is to provide information on how Southern Doctors Clinic (SDC) manages our privacy and security via email communications. This email policy is adapted from and in accordance with RACGP 5th Edition standards and AHPRA guidelines.

General practices are increasingly receiving requests from patients, other clinicians and third parties for health information to be sent to them electronically because it is an easily accessible method of communicating. The Australian Privacy Principles published by the Office of the Australian Information Commissioner (OAIC) state that: “Health information is regarded as one of the most sensitive types of personal information”.

For this reason, the Privacy Act 1988 (Privacy Act) provides extra protections around its handling.

The Privacy Act defines health information as information or an opinion about:

  • the health or a disability (at any time) of an individual; or

  • an individual’s expressed wishes about the future provision of health services to him or her; or

  • a health service provided, or to be provided, to an individual; that is also personal information; or

  • other personal information collected to provide, or in providing, a health service; or

  • other personal information about an individual collected in connection with the donation, or intended donation, by the individual of his or her body parts, organs, or body substances; or

  • genetic information about an individual in a form that is, or could be, predictive of the health of the individual or a genetic relative of the individual.

Rationale

As all health information is sensitive by nature, all communication of health information, including via electronic means, must adequately protect the patient’s privacy. SDC takes reasonable steps to make our communication of health information adequately safe and secure. GPs, health providers, support staff and patients should be aware of the risks associated with using email in the healthcare environment.

Policy

SDC considers our obligations under the Privacy Act before we use or disclose any health information. The Privacy Act does not prescribe how a healthcare organisation should communicate health information. Any method of communication may be used as long as the organisation takes reasonable steps to protect the information transmitted and the privacy of the patient. A failure to take reasonable steps to protect health information may constitute a breach of the Australian Privacy Principles and may result in action taken against the organisation by the Australian Privacy Commissioner. What amounts to reasonable steps will depend on the nature of the information and the potential harm that could be caused by unauthorised access to it. The RACGP has developed a matrix to assist practices in determining the level of security required in order to use email in general practice for communication.

Our practice reserves the right to check an individual’s email account as a precaution against fraud, viruses, workplace harassment or breaches of confidence by members of the practice team. Inappropriate use of the email facility will be fully investigated and may be grounds for dismissal. SDC does not email documents to patients except in rare circumstances.

Email configuration

Communication of clinical information to and from healthcare providers is completed from within the practice’s clinical software, wherever possible, using a secure clinical messaging system such as Healthlink. The use of a practice’s clinical software means that a record of communication is automatically retained in the patient’s medical record. This is not possible when communicating with patients. Particularly during the current pandemic, there has been an increase in email communication with patients and pharmacies. Increasingly, referrals and prescriptions have been sent by email.

We currently have the following protective measures in place:

  1. Computer security measures

  2. Using 3 identifiers to identify patients.

  3. Notifying patients that the information is not encrypted and that there is a security risk in sending emails to them containing their personal medical information. They can choose to collect a hard copy from our office if they prefer.

  4. A notice on our emails if the email is sent to the wrong address.

  5. Wherever possible send patient information via secure programs.

  6. Notification to OAIC of any significant data breach

  7. Protection against spam: Use a spam filtering program.

  8. Encryption of patient information: Use server to server encryption such as SSL or TLS.

  9. Email use education

General protection

  • If any information held in our email accounts is relied on, you will download it, following the download procedure as per practice policy. You will import it into the relevant patient file to ensure the contents are backed up with the rest of our data.

  • Do not download or open any email attachments where the sender is not known to you.

  • Email use that breaches ethical behaviours and/or violates copyright is prohibited.

  • Do not send or forward unsolicited email messages, including the sending of ‘junk mail’ or other advertising material (email spam).

  • Do not use email for broadcast messages on personal, political, or non-business matters.

Encryption of patient information

  • All email communications should be treated as confidential.

  • When sending patient information or other confidential data by email, it is best practice to use encryption.

  • Be aware that encrypted files are not automatically checked for viruses. They have to be saved, decrypted, and then scanned for viruses before being opened.

Protection against the theft of information

  • There are significant risks in providing confidential information by email: only do so via the internet when the site displays a security lock on the task bar and has https in the web address.

  • Do not inform people of your email password.

  • Be aware of phishing scams requesting logon or personal information (these may be via email or telephone).

Email disclaimer

The practice uses an email disclaimer notice on outgoing emails that are affiliated with the practice stating:

“This email message and any attached files are confidential and intended solely for the use of the individual or entity to whom it is addressed and may contain information that is privileged, confidential and/or exempt from disclosure under applicable law. If you have received this email in error, delete all copies and notify the sender. This email is subject to copyright. No part of it should be reproduced, published, communicated or adapted without the copyright owner's written consent. The views or opinions presented in this email are solely those of the author and do not necessarily represent those of the SDC. SDC accepts no liability for any loss or damage arising from the use of this email and the recipient should check this email and any attached files for the presence of viruses. While we make every effort to keep your information secure we want to remind our patients that electronic communications can potentially be compromised and accessed by persons outside of our practice. Patients communicating with Southern Doctors Clinic through email do so at their own risk.”

Email correspondence

Email correspondence sent to our email address is retained as required by the Public Records Act 2002 and other relevant legislation. Email messages may also be monitored by our information technology staff for system troubleshooting and maintenance purposes. Patient email address details will not be added to a mailing list or disclosed to a third party unless required by law.

Policy review statement

This email policy will be reviewed regularly to ensure it is in accordance with any changes that may occur.