Compliance with HISO 10064 and 10029
AS Van Wey (Account suspended) made this Official Information request to Health New Zealand
Response to this request is long overdue. By law Health New Zealand should have responded by now (details and exceptions). The requester can complain to the Ombudsman.
From: AS Van Wey (Account suspended)
Dear Health New Zealand,
Please provide me with a list of HNZ hospitals who have implemented the standards set out in HISO 10064 and 10029, and have role-based-access to health records, which reduces the risk of unauthorized access (defined as access without the expressed consent of the individual with whom he records pertain or absolutely necessary for their role (i.e., physician and their nurse treatment of a patient).
I note that according to the University of Auckland Medica School Phase 3 (Year 6) Guidebook 2023, none of the teaching hospitals associated with the University of Auckland appear to meet these standards and are providing paid and unpaid staff unrestricted access to patient personal health information.
Here is what the guidebook states:
"Hospitals have adopted an ‘open access’ approach to electronic security. This means
the system does not limit access."
"Please check the Auckland policy on appropriate use. The hospital uses
Concerto as its ‘umbrella’ application, which allows integrated access to a number of
clinical applications. You may require additional authorisation to access applications
such as patient discharge summaries. Year 6 students are also provided with online
access to old patient records through 3M. You will be issued a separate password for
3M."
"Te Whatu Ora Counties Manukau has adopted an “open access” approach to security. This means the system does not limit access."
"Te Whatu Ora – Health New Zealand Waitemata has adopted an “open access” approach to security. This means the system does not limit access."
"Te Whatu Ora Hauora a Toi Bay of Plenty has adopted an ‘open access’ approach to
security."
"Te Whatu Ora Te Tai Tokerau has adopted an ‘open access’ approach to security. This means the system doesn’t limit user access to any patient, but it records who makes every access."
"Te Whatu Ora Lakes has adopted an ‘open access’ approach to security. This means the system doesn’t limit user access to any patient, but it records who makes every access.
"Te Whatu Ora Taranaki has an ‘open access’ approach to security. This means the system doesn’t limit user access to any patient, but records who makes every access."
"Te Whatu Ora Waikato has adopted an ‘open access’ approach to security. This means the system doesn’t limit user access to any patient, but it records who makes every access."
Health Information HISO 10064 have been in place since at least 2017. They require role-based-access, not "open access".
Meeting these standards are a legal obligation under Rights 1-7 of the Health and Disability Commissioner (Code of Health and Disability Services Consumers' Rights) Regulations 1996. Compliance with these standards are also legislative, consistent with legal obligations under rule 5 of the Health Information Privacy Code 2020 and section 22, IPP 5, of the Privacy Act 2020. These obligations were in the Privacy Act 1993.
Furthermore, patients are supposed to be informed of who will have access prior to care, pursuant to rule 3 of the Health Information Privacy Code 2020 and section 22, IPP 3, of the Privacy Act 2020. These requirements were in the previous legislation enacted in 1993. Yet, I only found this information today 14 years after moving to NZ.
Which, if any, hospital associated with Health NZ meet the HISO 10064 standards and legislative requirements regarding restricted access to personal health information and requirements of informed consent from the patient?
If any Health NZ hospital meet these standards and the legal privacy obligations, and have role-based-access to medical information which requires the informed consent of the patient, please provide me with the role-based-access descriptors for each role?
Thanks
AS Van Wey
From: hnzOIA
Health New Zealand
Tēnā koe,
Thank you for contacting Te Whatu Ora, Health NZ. This is an automatic
reply to confirm that we have received your email. Depending on the
nature of your request you may not receive a response for up to 20 working
days. We will try to respond to your query as quickly as possible.
s information that is identified to be of general public interest, the
response may also be published on our website. If we e response to your
OIA request, all personal information, including your name and contact
details will be removed.
Ngā mihi
Te Whatu Ora, Health NZ.
****************************************************************************
Statement of confidentiality: This e-mail message and any accompanying
attachments may contain information that is IN-CONFIDENCE and subject to
legal privilege.
If you are not the intended recipient, do not read, use, disseminate,
distribute or copy this message or attachments.
If you have received this message in error, please notify the sender
immediately and delete this message.
****************************************************************************
--------------------------------------------------------------------------
This e-mail message has been scanned for Viruses and Content and cleared
by the Ministry of Health's Content and Virus Filtering Gateway
--------------------------------------------------------------------------
hide quoted sections
From: AS Van Wey (Account suspended)
Dear hnzOIA,
This is a follow up reminder that I am still waiting for your response to my OIA request from March 2023. The legislative timeframe for a response was 20 working days, HNZ has not responded within the legislative timeframe. Please provide the requested information or a legal reason for refusal.
Yours sincerely,
AS Van Wey
Things to do with this request
- Add an annotation (to help the requester or others)
- Download a zip file of all correspondence