Medical Data Policy

Document Version, Date, Location

Version 1.1. 1st March 2024. Hosted at www.mungretmedicalcentre.ie/medicaldata and available upon request in paper.

Practice Name

Mungret Medical Centre

Practice Address

Mungret Village, Limerick, V94 X004

Practice Phone Number

061- 540990

Data Controller

Mungret Medical Centre

Lead for Data Protection

Head Medical Administrator

Practice Privacy Statement

This Practice wants to ensure the highest standard of medical care for our patients. We understand that a General Practice is a trusted community governed by an ethic of privacy and confidentiality. Our approach is consistent with the Medical Council guidelines and the privacy principles of the Data Protection Regulations. It is not possible to undertake medical care without collecting and processing personal data and data concerning health. In fact, to do so would be in breach of the Medical Council’s ‘Guide to Professional Conduct and Ethics for Doctors’. This leaflet is about advising you of our policies and practices on dealing with your medical information.

Legal Basis for Processing Your Data

This practice has voluntarily signed up for the ICGP Data Protection Guideline for GPs. The processing of personal data in general practice is necessary in order to protect the vital interests of the patient and for theprovision of health care and public health. You can access the Guideline at http://www.icgp.ie/data. In most circumstances we hold your data until 8 years after your death or 8 years since your last contact with the practice. There are exceptions to this rule and these are described in the Guideline referenced above.

Managing Your Information

In order to provide for your care here we need to collect and keep information about you and your health on our records.

• We retain your information securely.
• We will only ask for and keep information that is necessary. We will attempt to keep it as accurate and up to-date as possible. We will explain the need for any information we ask for if you are not sure why it is needed.
• We ask you to inform us about any relevant changes that we should know about. This would include such things as any new treatments or investigations being carried out that we are not aware of. Please also inform us of change of address and phone numbers.
• All persons in the practice (not already covered by a professional confidentiality code) sign a confidentiality agreement that explicitly makes clear their duties in relation to personal health information and the consequences of breaching that duty.
• Access to patient records is regulated to ensure that they are used only to the extent necessary to enable the secretary or manager to perform their tasks for the proper functioning of the practice. In this regard, patients should understand that practice staff may have access to their records for:
• Identifying and printing repeat prescriptions for patients. These are then reviewed and signed by the GP.
• Generating a sickness certificate for the patient. This is then checked and signed by the GP.
• Typing referral letters to hospital consultants or allied health professionals such as physiotherapists, occupational therapists, psychologists and dieticians.
• Opening letters from hospitals and consultants. The letters could be appended to a patient’s paper file or scanned into their electronic patient record.
• Scanning clinical letters, radiology reports and any other documents not available in electronic format.
• Downloading laboratory results and Out of Hours Cooperative Service reports and performing integration of these results into the electronic patient record.
• Photocopying or printing documents for referral to consultants, attendance at an antenatal clinic or when a patient is changing GP.
• Checking for a patient if a hospital or consultant letter is back or if a laboratory or radiology result is back, in order to schedule a conversation with the GP.
• When a patient makes contact with a practice, checking if they are due for any preventative services, such as vaccination, ante natal visit, contraceptive pill check, cervical smear test, etc.
• Handling, printing, photocopying and postage of medico legal and life assurance reports, and of associated documents.
• Sending and receiving information via Healthmail, secure clinical email.
• And other activities related to the support of medical care appropriate for practice support staff.

Disclosure of Information to Other Health and Social Care Professionals

We may need to pass some of this information to other health and social care professionals in order to provide you with the treatment and services you need. Only the relevant part of your record will be released. These other professionals are also legally bound to treat your information with the same duty of care and confidentiality that we do.

Example of External Bodies;

• Department of Employment Affairs and Social Protection;
• MMC transfers personal data for the purposes of claiming and proving eligibility to Illness/Disability Schemes to the Department of Employment Affairs and Social Protection. Consent remains valid for all future transactions with the Department, unless revoked it in writing. Patients may revoke this consent at any time by contacting the Department or by informing MMC in writing.
• Chronic Disease Management Programme (from the HSE); Purpose. The Health Service Executive (HSE) must comply with all applicable data protection, privacy and security laws and regulations in the locations in which we operate. We respect your rights to privacy and to the protection of your personal information. The purpose of this privacy statement is to explain how we collect and use personal information as part of the Chronic Disease Management Programme. The primary data protection legislation that applies to us is the EU General Data Protection Regulation (GDPR), supplemented by Irish legislation (primarily the Data Protection Acts 1988 – 2018 and ePrivacy Regulations 2011). The HSE seeks to be transparent with the public about our collection and use of personal information in line with our obligations under GDPR. If you wish to find out more regarding the HSE data protection legislation, please visit: www.hse.ie/GDPR . What information is shared as part of the Chronic Disease Management programme? When you confirm your participation on the CDM Programme with your GP, the GP is contracted to send the following information to the HSE following each structured review: • Identification and demographic data • Clinical details – chronic disease diagnoses • Risk factor data • Symptoms / Investigations data Why does the HSE need this information and what do they intend on using the information for? As part of the Chronic Disease Management Programme, contracted GP’s have a statutory and legislative basis for collecting patient’s data for the programme. GP’s will submit data returns to the HSE in respect of each of their patients participating in the programme. Data will be returned to HSE after each scheduled review by the GP for the purpose of: • Supporting the provision of quality patient care through the CDM programme • Supporting CDM quality assurance and quality improvement initiatives • Supporting CDM planning and evaluation processes via epidemiologic and public health processes as appropriate • Enabling probity assurance processes as required; and • Facilitate payments to the GP for CDM services provided Who will have access to the information collected by the HSE as part of the Chronic Disease Management Programme and why? Patient information which is collected by the HSE is treated with utmost confidentiality. Only fully anonymised clinical data will be accessed by authorised users for CDM management, reporting and analytics purposes. How long will the HSE hold onto information collected as part of the Chronic Disease Management Programme? The HSE will only keep patient information for as long as it is legally required to do so. The legal retention periods for medical information are recorded in the HSE’s Record Retention Policy and a copy of this is published on the HSE website at www.hse.ie/eng/services/list/3/acutehospitals/hospitals/ulh/staff/resources/pppgs/rm/recret2013.pdf. Will the HSE use information collected as part of the Chronic Disease Management Programme for any other purpose other than those listed? No. If the HSE wishes to use the patient information collected as part of the Chronic Disease Management Programme, it will seek the consent of the patients or anonymise the patient information first. Can I request a copy of my information which is collected by the HSE as part of the Chronic Disease Management Programme? Yes, under GDPR guidelines, you can request a copy of your information collected by the HSE as part of the CDM Programme. Further information on this subject can be found on the HSE website at www.hse.ie/GDPR . Can I withdraw my participation from the Chronic Disease Management Programme? Yes, you can withdraw your participation in the Chronic Disease Management Programme at any time by advising your GP. Your Rights under the General Data Protection Regulation. Under GDPR guidelines you can: • Request access to your personal information • Request correction of the personal data we hold about you • Request the erasure of your personal data (known as the right to be forgotten) • Object to the processing of your personal data • Request restriction of processing your personal data • Request the transfer of your personal data • Withdraw consent for us to retain your data Contact Information for HSE Data Protection Officer If you wish to avail of any of the above options please contact our Data Protection Officer at dpo@hse.ie or call 01 6352478.
• Mungret Medical Centre and the Tropical Medical Bureau share data, as is required, for the provision of travel services.

Disclosures Required or Permitted Under Law

The law provides that in certain instances personal information (including health information) can be disclosed, for example, in the case of infectious diseases.

Disclosure of information to Employers, Insurance Companies and Solicitors

• In general, work related Medical Certificates from your GP will only provide a confirmation that you are unfit for work with an indication of when you will be fit to resume work. Where it is considered necessary to provide additional information we will discuss that with you. However, Department of Social Protection sickness certs for work must include the medical reason you are unfit to work.
• In the case of disclosures to insurance companies or requests made by solicitors for your records we will only release the information with your signed consent.

Use of Information for Training, Teaching and Quality Assurance

It is usual for GPs to discuss patient case histories as part of their continuing medical education or for the purpose of training GPs and/or medical students. In these situations the identity of the patient concerned will not be revealed.

In other situations, however, it may be beneficial for other doctors within the practice to be aware of patients with particular conditions and in such cases this practice would only communicate the information necessary to provide the highest level of care to the patient.

GP practices can be involved in the training of GPs and be attached to a General Practice Training Schemes. This can include GP Registrars who work in practices and may be involved in your care.

Use of Information for Clinical Audit

It is usual for patient information to be used for clinical audit in order to improve services and standards of practice. GPs on the specialist register of the Medical Council are required to perform yearly clinical audits. Information used for such purposes is done in an anonymised or pseudonymised manner with all personal identifying information removed.

If it were proposed to use your information in a way where it would not be anonymous or the practice was involved in external research we would discuss this further with you before we proceeded and seek your written informed consent. Please remember that the quality of the patient service provided can only be maintained and improved by training, teaching, audit and research.

Your Right of Access to Your Health Information

You have the right of access to all the personal information held about you by this practice. If you wish to see your records, in most cases the quickest way is to discuss this with your doctor who will review the information in the record with you. You can make a formal written access request to the practice and receive a copy of your medical records.

Transferring to Another Practice

If you decide at any time and for whatever reason to transfer to another practice we will facilitate that decision by making available to your new doctor a copy of your records on receipt of your signed consent from your new doctor. For medico-legal reasons we will also retain a copy of your records in this practice for an appropriate period of time which may exceed eight years.

Other Rights

You have other rights under data protection regulations in relation to transfer of data to a third country, the right to rectification or erasure, restriction of processing, objection to processing and data portability. Further information on these rights in the context of general practice is described in the Guideline available at http://www.icgp.ie/data. You also have the right to lodge a complaint with the Data Protection Commissioner.

Questions

We hope this leaflet has explained any issues that may arise. If you have any questions, please speak to the practice secretary or your doctor.