Part 5: Safe and secure access

Ministry of Health: Supporting the implementation of patient portals.

In this Part, we discuss:

Summary of our findings

The Ministry takes privacy and security seriously. Recognising that it is ultimately the role of PHOs and general practices to protect personal health information, the Ministry has supported PHOs and general practices to manage people's personal health information effectively by contributing to an established framework of privacy rules and rights, standards, and guidelines.

Requiring compliance with the Privacy Act and the Privacy Code

We looked at how the Ministry was supporting PHOs and general practices to manage the security and privacy of people's personal health information, but we did not directly audit the safety and security of patient portals.

The Privacy Act 1993 (the Act) covers the privacy and security of personal information. The Act sets expectations for how agencies collect, use, disclose, store, and give access to personal information.

The Act allows the Privacy Commissioner to issue codes of practice for specific sectors. For the health sector, the code of practice is the Health Information Privacy Code 1994 (the Privacy Code), which sets specific rules for all New Zealand health and disability service organisations. The Privacy Code has 12 rules for how health organisations should gather, use, store, release, and dispose of people's personal health information.

The Ministry expects and supports PHOs to ensure that general practices are following the Privacy Code.

Privacy impact assessments

A privacy impact assessment is a tool that organisations can use to:

  • check whether a project (including a patient portal) is likely to comply with privacy laws;
  • make decisions about whether, and how, to adjust a project to manage any privacy risks; and
  • create a reference point for future action as the project or organisation changes (for example, when a general practice decides to increase the functionality of its patient portal).

For general practices implementing a patient portal, part of the assessment would include looking at the rules in the Privacy Code to determine whether anything needs to be done to meet each rule.

The College of GPs provided guidance to PHOs and general practices to help them complete privacy impact assessments for patient portals. Other guidance is available, including from the Office of the Privacy Commissioner. The Commissioner's staff can also review draft assessments and provide assurance to PHOs and general practices that the assessments cover everything they need to. The Commissioner's staff said that they do this fairly often.

The Ministry required PHOs that were receiving some funding to support implementing patient portals (see paragraph 3.13) to complete a privacy impact assessment. A Ministry representative said that some funding applications were sent back because of an inadequate privacy impact assessment. The Ministry expected PHOs, rather than the general practices, to do the assessments because PHOs tended to be better resourced. Having PHOs do the assessments would also avoid duplication.

The PHOs we spoke to confirmed that they did a privacy impact assessment for their general practices. One PHO prepared a template that other PHOs and general practices could use to complete a privacy impact assessment. The Office of the Privacy Commissioner supported the use of the template and a link to it is provided on the Ministry's website.

The Privacy Commissioner's staff told us that the health sector was generally very engaged with privacy issues, and that the health sector was keen to ensure that good practice was followed. Assessments can provide a layer of protection for general practices and PHOs in the event of a privacy breach because it would help show that they had taken reasonable steps to protect people's privacy.7

The College of GPs' Foundation standard

The College of GPs' Foundation standard (the Foundation standard) is a quality standard for general practices, designed and run by the College of GPs. It represents the minimum "legal, professional and regulatory requirements that a general practice must meet as part of providing safe, effective and equitable care".8

The Foundation standard requires general practices to meet the requirements of the Privacy Code. As part of achieving the standard, a general practice must:

  • have a privacy policy that complies with the Act and the Privacy Code;
  • train its team on the Act and the Privacy Code;
  • collect, use, store, disclose, and dispose of people's health information in accordance with the Privacy Code; and
  • set up safeguards in the reception area to ensure confidentiality of people's information.

From 1 July 2017, DHBs and PHOs were required by the Ministry to enter into service agreements. These agreements set out the roles, responsibilities, and accountabilities of DHBs, PHOs, and contracted providers to ensure that primary healthcare services are funded and delivered in each district or region in a collaborative and consistent way throughout the country. They also require PHOs to ensure that all of their general practices meet the Foundation standard.

Health Information Governance Guidelines

The Ministry has also designed guidelines on sharing health information called the Health Information Governance Guidelines. At the time of our audit, these guidelines were still in draft form. They are intended to ensure that organisations that hold personal health information meet their obligations under the Act and the Privacy Code. The draft guidelines provide policies and help for health organisations to manage and share personal health information while upholding people's privacy rights.

The Health Information Governance Guidelines apply to all electronic health information systems and include a section on patient portals. This section specifies that a patient portal should:

  • meet the Health Information Security Framework standard (see paragraph 5.21);
  • be available to all eligible and registered people; and
  • have the capability for allowing people to:
    • view their medical records;
    • send and receive secure messages;
    • view the audit trail of people who have accessed their patient portal; and
    • give other people, such as family members, access to their patient portal.

Under the draft guidelines, health organisations should also:

  • train their staff on how to use patient portals;
  • have a policy on staff access to patient portals that complies with the Act and the Privacy Code;
  • ensure that people are aware of any sensitive reports or results before they are put on the patient portal; and
  • include plain language explanations in patient portals.

The draft guidelines are intended to be finalised as part of the implementation of the single electronic health record and other regional and national systems.

Advising on security issues

We expected the Ministry to provide advice on how to ensure the security of health information when using patient portals.

Health Information Security Framework

The Health Information Security Framework standard (the standard) provides the main advice from the Ministry on the confidentiality and security of health information. The standard sets out security management requirements for health provider organisations and governs the security of all health information.

The standard is designed to support health and disability sector organisations and practitioners holding personally identifiable health information to improve and manage the security of that information. According to the Privacy Commissioner, health organisations can use the standard to make sure that they and their information systems are complying with rule five of the Privacy Code. Rule five requires health agencies to ensure that they have reasonable safeguards in place to prevent loss, unauthorised access, misuse, or disclosure of health information.

Health organisations must comply with the standard's risk management section (section 1.4). This requires health organisations to undertake at least three risk management activities so they can meet their responsibilities in managing and protecting health information. They are:

  • regularly undertaking or reviewing an existing health-information-related risk assessment, specifically covering:
    • the probability of the risk occurring;
    • the impact if the risk occurs; and
    • available risk mitigation actions and countermeasures;
  • preparing and applying policies and procedures to address each of the identified risks; and
  • regularly monitoring and reporting on the performance of the above policies and procedures.

The standard, an 82-page document, provides guidance, ideas, and comment to support these tasks. Patients First condensed the standard to 14 key points to help general practices assess whether they are meeting the IT security requirements. Patients First also created a checklist for a self-assessment and a guide with additional explanation and clarification.

Although the standard covers all health information, it was published in December 2015 and does not specifically mention patient portals. The draft Health Information Governance Guidelines makes it clear that patient portals are required to meet the standard.

The standard also includes a section on "cloud computing", which patient portals often use to store information. Before 2016, the Ministry's policy on cloud computing was that personal health information could not be stored or processed outside of New Zealand by a public cloud service without a Ministry-granted exemption. In early 2016, the Ministry allowed health organisations to use public cloud services without obtaining an exemption, provided the services had been approved by the Ministry as fit for purpose.

In July 2016, Cabinet actively promoted the use of public cloud services for government agencies. The Ministry worked with the Government Chief Information Officer to update its approach to the use of cloud-based services. In April 2017, they released a joint document advising of the changes. The Health Information Governance Guidelines reflect this change in policy. The guidelines state that health organisations can store personal health information in the cloud as long as they carry out a risk assessment before doing so and are satisfied with the resulting risk profile. The recommended tool for the assessment is the Government Chief Information Officer's cloud assessment tool, which is mandatory for DHBs and government agencies.

Aiming for excellence

"Aiming for excellence" is the College of GPs' quality standard for general practices, which is used in the Cornerstone accreditation programme. The Cornerstone accreditation programme sets out best practice criteria for general practices to achieve over and above the minimum requirements of the Foundation standard (see paragraph 5.13).

To qualify for Cornerstone accreditation, all general practices that offer a patient portal must meet the requirements of the Health Information Security Framework standard and the Foundation standard.

Balancing privacy, security, and access

Discussions of privacy and security often focus on keeping information safe and secure from people who should not have it. However, it is equally important that information can be accessed by the right people. For example, it is important that everyone treating a patient has access to all their relevant health information. One doctor pointed out to us that the risks of not sharing information can be greater than the risks of sharing it.

The need to get this balance right was a common theme in our interviews. Staff from the Office of the Privacy Commissioner did not express any major concerns about patient portals. As staff told us:

Privacy isn't all about security and secrecy. It's also about people's control of their information … On the one hand, it's access to patient information for clinical people, on the other hand it's access to your own information. So you've got a right of access to your own information anyway, but if you can just sign in and see it, that's a privacy enhancing process. And it also improves the accuracy of the information. So that's the way [we've] approached [patient portals], it's an enhancement of privacy.

In our view, the Ministry takes privacy and security seriously. PHOs and general practices are ultimately responsible for protecting the privacy and security of their patients' personal health information. PHOs and general practices are required to comply with privacy laws, health information standards, and various guidelines designed to help them manage people's personal health information effectively. The Ministry, along with others, has contributed to an established framework to support PHOs and general practices to do this job well.

7: Anyone who feels that their privacy has been breached can complain to the organisation concerned or the Privacy Commissioner.

8: See