FAQ – cdmNet Privacy
To contact Precedence Support, please use one of the following options:
- Email: Use our web form to send us an email request.
- Phone: 1300 CDMNET (1300 236 638), Monday to Friday, 8:30 am – 8:00 pm AEDT
- Fax: (03) 9614 2650
Should Precedence Support need to access your machine remotely, you may be asked to download our secure remote support software. When instructed, you can download either:
Precedence Support will talk you through using this software when required.
Do I need consent to see if my patients are registered with cdmNet?
No. Under the Commonwealth Privacy Act, a registered user of a system looking up whether someone is registered in that system is considered to be an acceptable secondary use of data.
Do I need consent to access or add to a patient’s health record or care plan in cdmNet?
cdmNet will only grant you access or update rights to the patient’s health record or care plan if the patient has already consented to sharing their health information using cdmNet.
The primary care provider who is responsible for registering the patient is required to obtain consent from the patient. cdmNet will not provide access to a patient’s health information or care plan until the primary care provider has confirmed that consent has been obtained.
Once a patient has been registered with cdmNet, under the Commonwealth Privacy Act, looking up or adding to the patient’s health record or care plan is considered to be an acceptable use of data.
Do I need consent to share a patient’s health information using cdmNet?
Patients need to consent to their health record being shared with the health providers included in the patient’s care team. Their health record includes personal information such as health measurements and care plans, indigenous status, age, and contact details. The patient needs to understand that cdmNet securely shares this information with their doctor, their care team as agreed with their doctor, and possibly some hospitals and emergency services for the purpose of providing health care.
Patients also need to know that cdmNet will be used to facilitate communications among the care team and to send alerts and reminders. Some of these communications may be sent by standard (unsecured) email or SMS. Email and SMS communications do not contain any personal health information but may contain the name of the patient and provider where appropriate.
Do I need written consent from the patient?
Do I need consent every time I access information in the system?
No, once you have obtained consent from the patient, you do not need to request it again.
Why do you ask for consent to share de-identified data for research?
Precedence and its research partners, including major universities, are committed to improving cdmNet and to gathering information for research, trials and analyses relating to improvements in health and the management of health services. The aim is to support ethics-approved studies that build a base of evidence for a range of health-related purposes, including the benefits of collaborative care and the relative merits of alternative models of care.
What can I do if someone withdraws consent?
What are my responsibilities and liabilities if someone else accesses patient health information without consent?
If there is a complaint, you have a responsibility to assist with any investigations that may be required. You are not liable for someone else’s breach of privacy in accessing that information without consent.
How do I protect patients’ rights to privacy while using cdmNet?
Your actions should be guided by the Commonwealth Privacy Act and the privacy principles as may be relevant to your State. If you are the primary care provider, prior to first uploading patient information to cdmNet, you must obtain consent from your patient.
When you are accessing previously stored information in cdmNet, ensure that you have a clinical reason for doing so.
cdmNet may also share a patient’s personal health information with other members of your practice. cdmNet relies on you ensuring that practice information is correct and kept up to date.
What happens if I change GP Practices?
Your cdmNet record can be assigned to a new general practice. To transfer your cdmNet record to the new practice, let the former general practice know that you wish the new general practice to take over responsibility as your primary care provider. Ask the former practice to transfer their records to the new practice, including your cdmNet record.
Precedence Health Care can assist with transferring a cdmNet record. All general practices should save copies of departing patients’ medical records for record keeping.
What can I do if someone wants information in cdmNet changed?
Privacy regulations in most States and Territories do not allow information to be permanently deleted from a health record. They do allow for annotations to be made on the record. cdmNet supports such annotations.
One patient told me they want to control exactly who will have access to their information. What should I do?
Informing patients what will happen with the information you are proposing to share is part of obtaining consent. If the patient does not give consent for a particular member of the care team to view their health information, then your only options are either not to use cdmNet or to exclude that provider from the care team.
The important principle here is that the patient should not (as far as practicable) be disadvantaged by their refusal to consent to sharing their health information.
Can I control what health information is shared? How do I do that?
If you upload a patient’s health information to cdmNet, cdmNet will automatically extract elements of the patient’s health information from your clinical desktop software. The information extracted is described in the cdmNet Information Sheet entitled “Informed Consent: How cdmNet Collects and Shares Health Information”. You can edit or delete any of this information in cdmNet prior to sharing it with the care team or the patient.
Most clinical desktop software allows you to set “confidential” flags on a patient’s health information to prevent this information from being extracted by referral templates. If you wish to prevent information being extracted by cdmNet, you need to set these flags in your patient’s health record. If you do not know how to do this, please contact the provider of your clinical desktop software.
Isn’t this shared information in cdmNet risky?
There are risks with using a shared database, just as there are risks with using a fax, electronic mail, or paper-based records. cdmNet is designed to maintain a full audit trail of all entry of, and access to, information. Provided that the protocols for use of cdmNet are followed, the risks are negligible, as the information is protected by state-of-the-art security measures.
The reward for having a shared database is the ability to support coordination of services through sharing the health information among appropriate care providers.
Further discussion: Patients are not always advised that a faxed referral or paper-based health records may go to a central location within a service or that the information in the referral or record may be available to receptionists and other staff without the patient’s knowledge. Electronic health records are usually more securely protected and auditable than conventional fax or paper-based records.
How do you manage cdmNet system security?
As you would expect, cdmNet pays a great deal of attention to privacy and security. Provision of secure access to health care information is a key part of what cdmNet does. This is backed up by a security plan that covers a range of goals and controls aimed at managing security incidents including breaches or potential breaches. Should you have any questions, please contact the Precedence Health Care Privacy Officer on (03) 9023 0800.
Technical details: All data is managed securely with encryption and access controls for all users. Strict security protocols take into account network infrastructure, backup and disaster recovery, physical security procedures, system controls, contractual oversight of outsourced internet hosting, management of other assets, staff management and maintenance of an open process for reporting incidents.
The contracted facilities management services provide:
- A physically secure environment (certified to the ISO 27001:2013 information security standard) with controlled access in a “sensitive data facility”.
- An Uninterruptible Power Supply, air-conditioning and fire-suppression system.
- Communication between Precedence Health Care and the hosting service using a Secure Shell (SSH) connection with key-based authentication and a certificate-based VPN tunnel.
The sensitive data facility includes:
- Allocation to a dedicated secure (firewalled) router and network.
- Allocation to rack space in a secure rack.
- Allocation to a sensitive data backup facility (i.e. tape and management system).
- Utilisation of human resources and QA procedures from a sensitive data subgroup of the hosting service.
In addition to the above, hourly backups are made on a separately hosted secure server in a separate location.
Apart from standard secure connections for portal and web services access, cdmNet does not have any special or unusual configuration requirements for opening of firewalls or gateways on end-user machines.
cdmNet is closely monitored by the development team for a range of potential threats, exploits and abuses relating to uploaded data.