Why have a code of practice?
A code of practice is a statement of principles and best practice. It provides for transparency in the operation of the Health Provider Index (HPI). It provides a set of rules and expectations that practitioners, organisations and the public will be able to see and use to hold the organisations using the HPI to account. It ensures that the HPI is used only for purposes that are consistent with the aims of improving outcomes for patients, while respecting legitimate privacy expectations of practitioners and others whose information is stored on the system.
What is the legal status of the code of practice?
The code of practice is a voluntary code and does not have any formal legal status. It is based on the information privacy principles and the public register privacy principles of the Privacy Act. If anyone has a complaint about the way the HPI operates, they can ask the Privacy Commissioner to investigate, and ultimately bring a case before the Human Rights Review Tribunal. The Privacy Act provides for remedies, but the Privacy Commissioner and Human Rights Review Tribunal might take into account aspects of the code that illustrate and point to the policies for maintaining the code and consider whether or not they are adequate, and if so, whether they have been properly observed.
This Code of Practice is based on the information privacy principles from the Privacy Act. It sets a higher standard for the protection of the privacy of health practitioners than the Privacy Act alone imposes and seeks to balance the gains to the health sector and to health services consumers of the HPI, with the legitimate privacy interests of health practitioners.
Who does this code of practice apply to?
This code of practice applies to any organisation making updates to or retrieving data from the HPI or collecting and recording the HPI identifiers in their systems e.g.:
- Registration agencies (termed Responsible Authorities to the Health Practitioner Competence Assurance Act).
- Health provider organisations employing practitioners and healthcare workers
- Organisations supporting health provider organisations
How the information privacy principles will apply to the HPI
- Responsible Authorities and other parties updating the HPI will collect the minimum of personal information about practitioners and health workers that they need for the purposes of administering their regulatory and other legal obligations, and for the purposes of the HPI.
- The Ministry will collect the minimum amount of personal information necessary to maintain the Health Provider Index.
- Users of the HPI will only be able to obtain access to the minimum amount of information they need for their legitimate purposes.
The HPI is not intended to be a central means of collecting all manner of information about health practitioners and workers. It is intended primarily as a numbering system, so that each worker has one number with which they can interact with their employer, their registration body, with payment and claims organisations, with IT systems requiring a unique identifier and others with a legitimate need in the health and disability sector. The HPI is used by organisations to validate a practitioner’s registration status and scope of practice and as a trusted source of a person’s place of work and contact details.
The information that is collected about each practitioner or health worker is the minimum necessary to verify their identity and provide core details for systems users. Much of the information for practitioners will be publicly available materials (such as from public registers established under the Health Practitioners Competency Assurance Act 2003.
The personal information about practitioners and health workers that is maintained on the HPI consists of:
- unique identifier
- scope of practice
- conditions on practice
- place of work (in some cases)
- contact details (in some cases).
Date of Birth, Gender and Ethnicity is maintained on the HPI by those parties creating identity records. These items are only used to ensure duplicate identities are not created and in an un-identifiable way for workforce planning.
The purposes for which information is collected on the HPI are described in the data access agreement as:
- Obtaining information about Individuals, health sector organisations and health sector facilities for the purposes of:
- providing health services;
- administering healthcare payments;
- ensuring public health and safety with respect to providing health and disability services;
- health workforce planning.
- Supporting secure access to electronic health information.
- Other purposes that are necessary for the discharge of any functions or duties under the New Zealand Public Health and Disability Services Act 2000, the Health Act 1956, the Health Practitioners Competence Assurance Act 2003, and other legislation administered by the Ministry of Health.
- To the greatest extent possible, the HPI will consist of personal information provided by the individual to the party who updates the HPI.
The Privacy Act provides that information should generally be obtained from the individual concerned. However, in recognition of the practicalities, it also provides for considerable flexibility where it is necessary to obtain information from another source. The Ministry proposes to obtain information from sources which have themselves obtained information directly from the practitioner, namely the Responsible Authority (the Data Source), or in some instances, the individual’s employer.
The Ministry is considering ways for individuals to directly view and where appropriate maintain the personal information held about them in the HPI.
- The individual concerned is entitled to know why their personal information is being collected, by whom, and to whom it will be disclosed.
The agencies collecting the personal information from practitioners and other health sector workers are obliged to inform the practitioners of a number of matters, pursuant to information privacy principle 3 of the Privacy Act.
The Ministry of Health will facilitate this process by providing explanatory material to the agencies to in turn disclose to the individuals, on their annual registration documentation, websites, or other means or combinations of means.
link to privacy statements> ???
Access controls are applied that restricts access to particular data items like date of birth, gender, ethnicity. Having access to the practitioner and their registration details does not automatically give access to the place of work and contact details.
- No personal information should be collected for or from the HPI by means that are unlawful, unfair or unreasonably intrusive.
- Personal information held on the HPI must be protected by adequate security safeguards against unauthorised access, use, modification or disclosure except to the extent authorised by the source agency.
The Ministry aims to ensure, by implementing security safeguards, that only authorised people are able to modify personal information on the HPI. The Act provides for considerable flexibility as to how an appropriate level of security will be achieved in any given system.
Access to the HPI will be granted according to data access agreements entered into between the Ministry and the source (eg, responsible authorities) and accessing agencies (eg, ACC, DHBs).
Where elements of the HPI are to be made available for public search, the Ministry will aim to ensure among other things, that effective mechanisms are in place to prevent members of the public having access to restricted information (eg, practitioner address).
The HPI will operate to improve the security of health information and other records in the health sector by enabling people with access to health databases to be properly identified, according to a common standard, and their access and usage of health databases properly audited.
While some of the information in the HPI is ‘publicly available information’ by virtue of its inclusion in public registers under the Health Practitioners Competence Assurance Act 2003, the Ministry does not currently allow the public access to the HPI. All responsible authorities have websites that allow the public to search their registers so public access to the HPI is not a priority. The main focus of the HPI is to support organisations delivering healthcare by enabling them to accurately and uniquely identify people and entities, and to access up to date place of work and contact details for individuals involved in healthcare. The Ministry recognises the large numbers of people in organisations delivering healthcare that will access the HPI as part of their work and the privacy risks that entails. Therefore, all organisations requesting access to the HPI are required to complete a data access agreement that clearly states their obligations with respect to using the HPI.
Principles 6 and 7
- Any person whose personal information is stored on the HPI is entitled to get access to that information and to seek correction of the information.
The Ministry will ensure that individuals are able to see the information relating to them that is stored, along with the HPI number, on the HPI. If there is any issue about the accuracy or currency of the information, the Ministry may consult with the source of the information as to the cause of the discrepancy and the best means of correcting it and making that correction known to other agencies.
- The Ministry, source agencies, and data users should not use information from the HPI without taking such steps (if any) as are, in the circumstances, reasonable to ensure that, having regard to the purpose for which the information is proposed to be used, the information is accurate, up to date, complete, relevant, and not misleading.
The Ministry proposes to receive regular updates of information from the data sources (including responsible authorities, DHBs and ACC) so that any changes in personal information notified by the practitioners to those agencies are updated on the HPI as soon as possible.
- Personal information on the HPI will not be retained for longer than necessary.
Practitioner information, and the associated identifier, will be retained indefinitely on the register, but changes in a practitioner’s status (active, retired) will be recorded to ensure that the information remains current.
- Agencies using the HPI should only use the personal information associated with the number for legitimate business reasons.
The personal information on the HPI should only be used for purposes consistent with those for which it was collected on the HPI; for example, those referred to under principle 1 above. The permitted uses of the HPI will be overseen and regulated by a stewardship group, which will make transparent decisions about any extension of permitted access. Any variations will require consultation with the source agencies and consequent variation of data access agreements.
The Privacy Act provides some flexibility in the application of this principle, with exceptions for use for “directly related purposes”, to those for which the information was collected, and others to be applied on a case-by-case basis (for example, for the maintenance of the law, or to avoid a serious threat to the safety of an individual).
The HPI number can be used by employers and payments agencies, and other associated health service providers such as laboratories and clinics, to uniquely identify the practitioner.
- Personal information from the HPI should only be disclosed for the purposes for which it has been collected on the HPI.
Some information about practitioners must be kept publicly available. For example, the Health Practitioners Competency Assurance Act 2003 and its predecessor Acts provide for the maintenance of public registers of practitioners. That information must be accessible and available to search by members of the public.
The HPI will also contain information that might not be part of any public register, but that some agencies will have a legitimate reason to access. For example, a practitioner’s address does not form part of the public register maintained by a responsible authority, but agencies such as claims agencies will have a legitimate reason to have access to the practitioner’s address for payment of claims, health agencies need to know where a practitioner works in order to send them information related to their work.
Information about non-practitioners will not be available for public search. The purposes for the collection, and the limitations on access, will be set out in data access agreements entered into between the Ministry and the relevant agencies providing and accessing the data.
- The Ministry may assign a unique health practitioner identifier to each person whose details are recorded on the HPI.
- Other health sector agencies may also assign the same number as their means of identifying that same person.
- Agencies such as DHBs wishing to assign the same number to a practitioner that has been assigned by that practitioner’s responsible authority and the Ministry of Health (that is, the HPI number) must notify the Privacy Commissioner of their intention to do so.
The use of one number to identify a practitioner across the health sector is one of the primary objectives of the HPI. This will allow the practitioner to interact with and identify themselves to a range of agencies with just the one number.
In respect of non-practitioners, no agency may assign to a person as a unique identifier the HPI number that has been assigned to that person by the Ministry of Health.
How the public register privacy principles will apply to the HPI
Many of the sources of information for the HPI are ‘public registers’. Public registers are lists of personal information required by law to be kept publicly available. All the registers of practitioners maintained by responsible authorities are public registers.
The Privacy Act sets out four public register privacy principles:
Public register privacy principle 1
- Personal information shall be made available from a public register only by search references that are consistent with the manner in which the register is indexed or organised.
Searches will be allowed by any of the variables under which the register information is stored or organised.
Public register privacy principle 2
Use of information from public registers
- Personal information obtained from a public register shall not be re-sorted, or combined with personal information obtained from any other public register, for the purpose of making available for valuable consideration personal information assembled in a form in which that personal information could not be obtained directly from the register.
The HPI combines many public registers. If a searcher enters the name of a person known to be both a doctor and a dentist, their professional details from both register entries are returned.
This ensures users looking for the correct HPI identifier for a person will find it with the minimum of effort and risk of error.
Public register privacy principle 3
Electronic transmission of personal information from register
- Personal information in a public register shall not be made available by means of electronic transmission, unless the purpose of the transmission is to make the information available to a member of the public who wishes to search the register.
Some responsible authorities may discharge their responsibility to make their registers publicly available by providing public search facilities on the HPI. In that way, and in terms of the assignment of the HPI number, the Ministry will be acting as agent for the responsible authorities.
Public register privacy principle 4
Charging for access to public register
- Personal information shall be made available from a public register for no charge or for no more than a reasonable charge.