This privacy statement explains how Bay Radiology Ltd manages the health information we collect about people, including our patients and referring health care providers (‘referrer’), in order to meet our mission of providing quality imaging services of a consistently high standard in a caring and professional environment.
We take a patient-focused approach to delivering services and to managing personal and health information. We are committed to ensuring that we use and share it in accordance with the law and the expectations of our patients and referrers.
We may update this privacy notice from time to time, to reflect changes to privacy law or our practice operations. This privacy notice was last updated in May 2021.
1. The information we need to treat patients and manage our services
We need to collect and create personal and health information about patients, referrers and other individuals so we can deliver health services and manage our practice, but we always ensure that we keep this information to a minimum.
You will generally have a choice whether you provide us with the information we request, but we may not be able to properly understand your needs, provide you with imaging services or facilitate payment if you do not provide us with the information we need. If you have any concerns about providing us with certain information, talk to us about it. We can help you understand why we are requesting it.
1.1 How we collect personal and health information
We may collect information from you either directly, or from others.
As a patient, we collect your health information from you directly, for example when you interact with us during consultations or contact us through our website. We receive health information from your healthcare provider when they refer you to us for imaging services. We may also collect health information about you from other third parties where required and usually with your authorisation, such as your family, your authorised representative, other healthcare providers or insurers.
We also create health information about you when we are delivering services, such as carrying out ultrasounds and other imaging services.
As a referrer, we collect and create personal information from you as part of establishing our professional relationship with you, and then on an ongoing basis when you provide referrals and receive images and reports. We mostly collect this information from you directly but may also collect information from third parties such as your practice manager or professional body.
1.2 What information we collect (or create)
As a patient, we may collect or create the following information about you:
· General information – your name, contact details (address, email and phone number), NHI number, date of birth, gender, ethnicity and residency status, information about your carer/guardian/support person (where relevant), appointment preferences, insurance or ACC claim identifiers.
· Other provider information – your primary healthcare provider, the healthcare provider who referred you to us, other health professionals involved in your care, your health insurer (where appropriate), or ACC (where appropriate).
· Relevant medical history – including medical conditions, weight, height, allergies, medications, surgical notes, consultation notes, previous images or other diagnostics tests (such as blood test results).
· Health information we create about you – ultrasounds and other imaging scans, and accompanying notes.
· Interaction information – communications with you (including any feedback you give us), your healthcare provider/referrer or your family.
· Payment information – bills, payment records and credit card details.
As a referrer, we may collect or create the following information about you:
· General information – your name, contact details (address, email and phone number), information about your qualifications, MCNZ or other professional registration number, HealthLink details, details of the practice you work at (where relevant).
· Clinical information – information about your treatment of the patients you refer to us, for reporting purposes.
· Interaction information – communications with you (including any feedback you give us).
· Payment information – bank account and related billing information.
2. How we use and share information
We will only use or share personal and health information when the law allows us to. Wherever possible, we will tell you how we plan to use and share your information (including via this privacy statement).
As a patient, we use and sometimes share the health information we hold about you to meet our goal of delivering quality imaging services of a consistently high standard in a caring and professional environment. We make sure that your information is used and shared only in ways that support this outcome. Where we need to use your information for wider purposes, such as medical research or statistical analysis, we anonymise it first.
We will use your health information to:
· understand your needs, so we can deliver the right services in a safe way;
· assess the urgency of appointments;
· diagnose and treat medical conditions, including administering medications;
· report back to your referring healthcare provider;
· contact you about your care and treatment;
· respond to any concerns you raise about our services;
· work with ACC or your health insurer to manage claim approval and payment;
· otherwise administer and manage the delivery of services to you, including debt recovery action where necessary;
· meet our legislative reporting obligations, including to the Ministry of Health;
· conduct medical research and statistical analysis (with anonymised information).
As a referrer, we use your information to manage our relationship with you, to support the services we provide to patients, and facilitate payment. We may also use your information to manage complaints or concerns from patients about you or us, for example, if we need to respond to a complaint from the Health and Disability Commissioner.
2.2 When we share your information
The health system depends on responsible and legitimate sharing of health information to ensure that health providers have the information they need to provide the right care and treatment to their patients.
As a patient, as part of providing you with healthcare services, we may disclose health information about you to:
· the healthcare provider who referred you to us, such as your GP, specialist, midwife, or physiotherapist. If you have self-referred, we will send your imaging results to your usual GP or specialist;
· other healthcare providers with a legitimate role in your ongoing care, such as other specialists, laboratories or the District Health Board;
· your carer, guardian, authorised representative or family/whānau, where you have authorised this or in accordance with the law or accepted medical practice;
· your health insurer, where you have authorised this as part of your insurance claim process (including applying for prior approval if you are a Southern Cross member);
· your Primary Health Organisation to facilitate payment and for reporting purposes;
· ACC (or your employer if it is an ACC accredited employer) where your treatment is provided as part of an ACC claim;
· your employer, where they are an ACC accredited employer;
· the Ministry of Health or other health agencies as part of statistical reporting or health research activities, in aggregated and anonymised format;
· Breast Screen Aotearoa and/or its local provider where you have participated in its free breast screening programme;
· our trusted service providers, including data storage providers;
· government, regulatory or law enforcement agencies (where required or permitted by law (such as Police, Oranga Tamariki and the Health and Disability Commissioner);
· other third parties where you have given us your permission to do so.
As a referrer, as part of providing our services to patients and managing our relationship with you, we may disclose information about you to your patients or colleagues (for example, to your accounts department for the purpose of facilitating payment). If required or permitted by law we may also share information about you with third parties such as your professional body, the Medical Council of NZ, the Police or the Health and Disability Commissioner.
3. How we store and protect your information
We are required by law to retain patient health information for at least 10 years after the last contact we have had with you. We retain other personal information, such as about referrers, for as long as we have a valid reason to do so.
We store all the health information we hold, including images, on secure cloud-based data storage platforms, which are hosted both in New Zealand and other countries. Some features of Aura Care Connect use Amazon Web Services (AWS). All data sent to and from AWS is encrypted during transmission. Data stored in AWS is encrypted at-rest. Documents uploaded via Online Appointments are stored temporarily in AWS for the purpose of being virus scanned and uploaded to the RIS. All related paper records we collect or create are scanned and uploaded to this secure platform. In addition, we keep these paper records for a period of time in secure offsite and/or onsite storage.
We take all reasonable steps to protect the personal and health information we hold from loss, misuse or unauthorised access, modification or disclosure. For example, we restrict access to health information to our staff on a ‘need to know’ basis.
One of the ways we share health information with the healthcare provider who referred you to us and/or is providing you with treatment is by providing them with access to the secure online system where we store images. We require each health care provider to sign a confidentiality agreement before providing access, and we audit this access on a regular basis.
If you have any concerns about your referring or treating health care provider having access to your images via this online system, then please contact us and we will remove your images from this system. Please be aware that doing so means that in the event of an emergency, or a referral on to a different healthcare provider, your images will not be available to them via this online system. For example:
· We restrict who has access to health information to our staff; and
· Our data storage platforms are protected by firewalls and are password-protected;
· Where we can, we use the secure systems such as HealthLink and Medical Objects system to share health information with referring clinicians.
4. Accessing or correcting your information
You have important rights in relation to your information, and we respect these. To make a privacy request, update your information, or tell us about any concerns, please:
· use the ‘Contact us’ form on our website
· call us on: 0800 467 4260
· email us at: firstname.lastname@example.org (Attention: Privacy Officer)
· write to us at: Attention: Privacy Officer, Bay Radiology, PO Box 2636, Tauranga 3144
4.1 Accessing or correcting your information
You have the right to ask us for a copy of the information we hold about you, or to ask us to correct it if you think it is wrong.
We will need to verify your identity before releasing or correcting your information. If you ask someone (like your carer or a family member) to make a request on your behalf, we will need to see written authorisation from you and we may give you a call to check if we’re unsure. Please understand that all these steps are intended to protect your privacy.
We will always seek to be open with you about the personal and health information we hold about you, particularly if we have created it. Sometimes we may hold health information about you that we received from, or created on behalf of, another healthcare provider or agency. If we think that this other healthcare provider or agency would be better placed to handle your request, we may transfer your request to them. If we need to do this, we will tell you as soon as possible.
4.2 Concerns about your information
If you have any concerns about the way we have collected, used, or shared your health information, or you think we have refused a request for information without a good reason, then please let us know using the contact details above and we’ll try our best to resolve them.
If we cannot resolve your concerns, you can also make a complaint to the Office of the Privacy Commissioner by:
· completing an online complaint form at www.privacy.org.nz
· writing to the Office of the Privacy Commissioner, PO Box 10-094, The Terrace, Wellington 6143