Why have a code of practice?
A code of practice is a statement of principles and best practice. It provides for transparency in the operation of the Health Practitioner Index (HPI). It provides a set of rules and expectations that practitioners, organisations and the public will be able to see and use to hold the organisations using the HPI to account. It ensures that the HPI is used only for purposes that are consistent with the aims of improving outcomes for patients, while respecting legitimate privacy expectations of practitioners and others whose information is stored on the system.
What is the legal status of the code of practice?
The code of practice is a voluntary code, and does not have any formal legal status. It is based on the information privacy principles and the public register privacy principles of the Privacy Act. If anyone has a complaint about the way the HPI operates, they can ask the Privacy Commissioner to investigate, and ultimately bring a case before the Human Rights Review Tribunal. The Privacy Act provides for remedies, but the Privacy Commissioner and Human Rights Review Tribunal might take into account aspects of the code that illustrate and point to the policies for maintaining the code and consider whether or not they are adequate, and if so, whether they have been properly observed.
This Code of Practice is based on the information privacy principles from the Privacy Act. It sets a higher standard for the protection of the privacy of health practitioners than the Privacy Act alone imposes and seeks to balance the gains to the health sector and to health services consumers of the HPI, with the legitimate privacy interests of health practitioners.
Who does this code of practice apply to?
The HPI is maintained by the Ministry of Health. Other agencies that have participated in the development of the HPI on the basis of the principles in this code include:
- Registration agencies (termed Responsible Authorities to the Health Practitioner Competence Assurance Act).
How the information privacy principles will apply to the HPI
- Responsible Authorities will collect the minimum of personal information about practitioners that they need for the purposes of administering their regulatory and other legal obligations, and for the purposes of the HPI.
- The Ministry will collect the minimum amount of personal information necessary to maintain the Health Practitioner Index.
- Users of the HPI will only be able to obtain access to the minimum amount of information they need for their legitimate purposes.
The HPI is not intended to be a central means of collecting all manner of information about health practitioners. It is intended primarily as a numbering system, so that each worker has one number with which they can interact with their employer, their registration body, with payment and claims organisations and others with a legitimate need in the health and disability sector.
The information that is collected about each practitioner is the minimum necessary to verify their identity and provide core details for systems users. Much of this information will be publicly available materials (such as from public registers established under the Health Practitioners Competency Assurance Act 2003, or until that Act comes fully into effect, the individual registration statutes such as the Nurses Act, the Dental Act, etc).
The personal information about practitioners that is maintained on the HPI consists of:
- unique identifier
- scope of practice
- conditions on practice
- contact details (in some cases).
The purposes for which information is collected on the HPI are described in the data access agreement as:
Obtaining information about Individuals, health sector organisations and health sector facilities for the purposes of:
- providing health services;
- administering healthcare payments;
- ensuring public health and safety with respect to providing health and disability services;
- health workforce planning.
- Supporting secure access to electronic health information.
- Other purposes that are necessary for the discharge of any functions or duties under the New Zealand Public Health and Disability Services Act 2000, the Health Act 1956, the Health Practitioners Competence Assurance Act 2003, and other legislation administered by the Ministry of Health.
- To the greatest extent possible, the HPI will consist of personal information provided by the individual to the party who updates the HPI.
The Privacy Act provides that information should generally be obtained from the individual concerned. However, in recognition of the practicalities, it also provides for considerable flexibility where it is necessary to obtain information from another source. The Ministry proposes to obtain information from sources which have themselves obtained information directly from the practitioner, namely the Responsible Authority (the Data Source), or in some instances, the individual’s employer.
- The individual concerned is entitled to know why their personal information is being collected, by whom, and to whom it will be disclosed.
The agencies collecting the personal information from practitioners and other health sector workers are obliged to inform the practitioners of a number of matters, pursuant to information privacy principle 3 of the Privacy Act.
The Ministry of Health will facilitate this process by providing explanatory material to the agencies to in turn disclose to the individuals, on their annual registration documentation, websites, or other means or combinations of means.
- No personal information should be collected for or from the HPI by means that are unlawful, unfair or unreasonably intrusive.
- Personal information held on the HPI must be protected by adequate security safeguards against unauthorised access, use, modification or disclosure except to the extent authorised by the source agency.
The Ministry aims to ensure, by implementing security safeguards, that only authorised people are able to modify personal information on the HPI. The Act provides for considerable flexibility as to how an appropriate level of security will be achieved in any given system.
Access to the HPI will be granted according to data access agreements entered into between the Ministry and the source (eg, responsible authorities) and accessing agencies (eg, ACC, DHBs).
Where elements of the HPI are to be made available for public search, the Ministry will aim to ensure among other things, that effective mechanisms are in place to prevent members of the public having access to restricted information (eg, practitioner address).
The HPI will operate to improve the security of health information and other records in the health sector by enabling people with access to health databases to be properly identified, according to a common standard, and their access and usage of health databases properly audited.
Principles 6 and 7
- Any person whose personal information is stored on the HPI is entitled to get access to that information and to seek correction of the information.
The Ministry will ensure that individuals are able to see the information relating to them that is stored, along with the HPI number, on the HPI. If there is any issue about the accuracy or currency of the information, the Ministry may consult with the source of the information as to the cause of the discrepancy and the best means of correcting it and making that correction known to other agencies.
- The Ministry, source agencies, and data users should not use information from the HPI without taking such steps (if any) as are, in the circumstances, reasonable to ensure that, having regard to the purpose for which the information is proposed to be used, the information is accurate, up to date, complete, relevant, and not misleading.
The Ministry proposes to receive regular updates of information from the data sources (including responsible authorities, DHBs and ACC) so that any changes in personal information notified by the practitioners to those agencies are updated on the HPI as soon as possible.
- Personal information on the HPI will not be retained for longer than necessary.
Practitioner information, and the associated identifier, will be retained indefinitely on the register, but changes in a practitioner’s status (active, retired) will be recorded to ensure that the information remains current.
- Agencies using the HPI should only use the personal information associated with the number for legitimate business reasons.
The personal information on the HPI should only be used for purposes consistent with those for which it was collected on the HPI; for example, those referred to under principle 1 above. The permitted uses of the HPI will be overseen and regulated by a stewardship group, which will make transparent decisions about any extension of permitted access. Any variations will require consultation with the source agencies and consequent variation of data access agreements.
The Privacy Act provides some flexibility in the application of this principle, with exceptions for use for “directly related purposes”, to those for which the information was collected, and others to be applied on a case-by-case basis (for example, for the maintenance of the law, or to avoid a serious threat to the safety of an individual).
The HPI number can be used by employers and payments agencies, and other associated health service providers such as laboratories and clinics, to uniquely identify the practitioner.
- Personal information from the HPI should only be disclosed for the purposes for which it has been collected on the HPI.
Some information about practitioners must be kept publicly available. For example, the Health Practitioners Competency Assurance Act 2003 and its predecessor Acts provide for the maintenance of public registers of practitioners. That information must be accessible and available to search by members of the public.
The HPI will also contain information that might not be part of any public register, but that some agencies will have a legitimate reason to access. For example, a practitioner’s address does not form part of the public register maintained by a responsible authority, but agencies such as claims agencies will have a legitimate reason to have access to the practitioner’s address for payment of claims.
Information about non-practitioners will not be available for public search. The purposes for the collection, and the limitations on access, will be set out in data access agreements entered into between the Ministry and responsible authorities.
- The Ministry may assign a unique health practitioner identifier to each person whose details are recorded on the HPI.
- Other health sector agencies may also assign the same number as their means of identifying that same person.
- Agencies such as DHBs wishing to assign the same number to a practitioner that has been assigned by that practitioner’s responsible authority and the Ministry of Health (that is, the HPI number) must notify the Privacy Commissioner of their intention to do so.
The use of one number to identify a practitioner across the health sector is one of the primary objectives of the HPI. This will allow the practitioner to interact with and identify themselves to a range of agencies with just the one number.
In respect of non-practitioners, no agency may assign to a person as a unique identifier the HPI number that has been assigned to that person by the Ministry of Health.
How the public register privacy principles will apply to the HPI
Many of the sources of information for the HPI are ‘public registers’. Public registers are lists of personal information required by law to be kept publicly available. All the registers of practitioners maintained by responsible authorities are public registers.
The Privacy Act sets out four public register privacy principles:
Public register privacy principle 1
- Personal information shall be made available from a public register only by search references that are consistent with the manner in which the register is indexed or organised.
Searches will be allowed by any of the variables under which the register information is stored or organised.
Public register privacy principle 2
Use of information from public registers
- Personal information obtained from a public register shall not be re-sorted, or combined with personal information obtained from any other public register, for the purpose of making available for valuable consideration personal information assembled in a form in which that personal information could not be obtained directly from the register.
The HPI combines many public registers. In order to ensure that this principle is not breached, access to personal information about a practitioner will have to be obtained separately from each register component of the HPI. If a searcher entered the name of a person known to be both a doctor and a dentist, the searcher would be required to specify the professional registration, not just enter the name, and have both register entries returned.
This system mirrors the status quo, in requiring separate searching of different registers to obtain information about the same person.
Public register privacy principle 3
Electronic transmission of personal information from register
- Personal information in a public register shall not be made available by means of electronic transmission, unless the purpose of the transmission is to make the information available to a member of the public who wishes to search the register.
Some responsible authorities will discharge their responsibility to make their registers publicly available by providing public search facilities on the HPI. In that way, and in terms of the assignment of the HPI number, the Ministry will be acting as agent for the responsible authorities.
Public register privacy principle 4
Charging for access to public register
- Personal information shall be made available from a public register for no charge or for no more than a reasonable charge.