SupportAbility is designed to store and manage confidential Client details including disability and health information, as well as Client Contact details.
It's important to note that the perfect balance of maintaining a Client's privacy as well as providing system simplicity is usually derived from a combination of system privacy barriers and organisational policy.
This article provides an overview of how Privacy Barriers are initiated and managed in SupportAbility. This information is also outlined in the Privacy Barriers video.
The following list summarises the content within this article. Click on the links below to take you to the relevant sections:
- How SupportAbility manages privacy
- Privacy barriers by Site and Service
- Additional access and edit permissions
- Visibility of Client Information when 'Client Service Participation' is empty or has only inactive Services
- Managing Remote Access
- Privacy barriers for specialist Services
- Visibility of Client information for Staff working outside the Services a Client participates in
- Managing additional privacy requirements through policy
How SupportAbility manages privacy
SupportAbility uses the Site and Service configuration in your installation to create privacy barriers around Client information and Staff access.
Let's consider the following Site and Service configurations:
| Sydney Site | Melbourne Site |
|---|---|
| Respite Service | Day Service |
| Day Service | In Home Service |
Using these configurations, we have demonstrated below how the appropriate privacy barriers are enforced when:
- Staff work in one or more Services at their respective Site/s
- Clients participate in one or more Services at their respective Site/s
Privacy barriers by Site and Service
SupportAbility implements a privacy barrier so that Staff can only access the Client records for Clients who participate in the Sites and Services where they work.
Therefore, for a Staff member to have access to a Client record, the Sites and Services itemised in the 'Sites and services where this staff member works' section of their Staff Account must share Sites and Services in common with those listed in the 'Client Service Participation' section of the Client record.
The examples below demonstrate how these Site/Service privacy barriers are enforced.
Privacy barriers enforced through Services:
Staff who only work in the 'Day' Service at the 'Melbourne' Site can only see the Clients that participate in the 'Day' Service at the 'Melbourne' Site.
Similarly, a Staff member who only works in the 'In Home' Service at the 'Melbourne' Site:
- can only see the Clients that participate in the 'In Home' Service at the 'Melbourne' Site, and
- cannot access the Clients that participate in the 'Day Service' at the 'Melbourne' Site, unless those Clients also participate in the 'In Home' Service at the 'Melbourne' Site.
Privacy barriers enforced through Sites:
A Staff member who works at the Melbourne Site will not have access to Client records for Clients who participate in Services offered at the Sydney Site.
N.B. It is important to note that SupportAbility does not provision access to individual Client records for individual Staff. For example, you cannot restrict Staff access to an individual Client record. Access is granted at the Site and Service level as described above.
Additional access and edit permissions
SupportAbility has been designed based on a collaborative access philosophy. If Staff have access to a Client's record based on the Sites and Services they work in, they will be able to view and edit the Client record.
Access to Client records can also be granted via security, global, Administration [ALL SERVICES] per Site, and restricted role-based Staff Account Privileges relative to a Staff member's roles and responsibilities.
Visibility of Client information when 'Client Service Participation' is empty or has only inactive Services
In addition to Staff being granted access to a Client record relative to Staff and Clients having active Sites/Services in common, Staff will also be able to access Client records when:
- The Client has no Services (active or inactive) listed in their 'Client Service Participation'
- The Client only has inactive Services listed in their 'Client Service Participation', and Staff work in one of those inactive Services
Managing Remote Access
When managing privacy, it's also important to ensure that remote access to your SupportAbility installation has been configured to meet your needs. See our article on Restricting Remote Access To SupportAbility linked below for more details.
Privacy barriers for specialist Services
When a provider delivers Support Coordination and/or Financial Plan Management as part of the terms of business of operating under the NDIS with the NDIA, compliance related to conflict of interest must be demonstrated.
SupportAbility is designed to assist providers in this area. In order to demonstrate that potential or real conflicts are managed appropriately for each participant, additional in-built privacy barriers are initiated for any Service configured as an NDIS Support Coordination or NDIS Financial Plan Management Service. These settings ensure that privacy barriers are in place for Client Journals recorded for these Services.
This means that, in order to see these Journals, Staff must not only have access to the Client record the Journal entry is for, but must also have the relevant Specialist Service itemised in their Staff Account. This ensures the compliance requirement is maintained. For example, Support Coordination:
The following articles provide further information on Privacy Barriers for Specialist Services:
- Managing compliance around Conflict of Interest for Specialist Services
- NDIS Support Coordination
- NDIS Financial Plan Management (FPM)
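The Site/Service rules described so far, including the empty and inactive 'Client Service Participation' cases and the specialist Journal barrier, can be modelled as below. This is an added example, not SupportAbility's own code or data model: the class and function names are hypothetical, the sample Staff and Clients are constructed, and access granted through Staff Account Privileges is not modelled.

```python
from dataclasses import dataclass, field

Pair = tuple[str, str]  # (Site, Service); a modelling choice, not the product's schema

@dataclass
class Staff:
    name: str
    works_in: set[Pair]  # 'Sites and services where this staff member works'

@dataclass
class Client:
    name: str
    active: set[Pair] = field(default_factory=set)    # active 'Client Service Participation'
    inactive: set[Pair] = field(default_factory=set)  # inactive entries

def can_access_record(staff: Staff, client: Client) -> bool:
    """Site/Service barrier only; Staff Account Privileges are not modelled."""
    if not client.active and not client.inactive:
        return True  # empty participation: any Staff member can open the record
    if client.active:
        return bool(staff.works_in & client.active)
    return bool(staff.works_in & client.inactive)  # only inactive Services listed

def can_see_specialist_journal(staff: Staff, client: Client, service: Pair) -> bool:
    """Journals for a specialist Service need record access AND that Service."""
    return can_access_record(staff, client) and service in staff.works_in

def unbarriered(clients: list[Client]) -> list[str]:
    """Audit helper: records with no participation, open to every Staff member."""
    return [c.name for c in clients if not c.active and not c.inactive]

# Constructed sample data using the article's Sites and Services.
MEL_DAY, MEL_HOME, SYD_DAY = ("Melbourne", "Day"), ("Melbourne", "In Home"), ("Sydney", "Day")
MEL_SC = ("Melbourne", "Support Coordination")  # hypothetical specialist Service
day_worker = Staff("day_worker", {MEL_DAY})
home_worker = Staff("home_worker", {MEL_HOME})
coordinator = Staff("coordinator", {MEL_SC})
clients = [
    Client("A", active={MEL_DAY}),
    Client("B", active={MEL_DAY, MEL_HOME}),
    Client("C", active={SYD_DAY}),
    Client("D"),                       # no participation listed
    Client("E", inactive={MEL_HOME}),  # only inactive Services
    Client("F", active={MEL_DAY, MEL_SC}),
]

if __name__ == "__main__":
    for c in clients:
        print(c.name, [s.name for s in (day_worker, home_worker, coordinator) if can_access_record(s, c)])
    print("open to all Staff:", unbarriered(clients))
```

Client "D" is the case worth reviewing regularly: a record with an empty 'Client Service Participation' sits outside every Site/Service barrier until a Service is added.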
Visibility of Client information for Staff working outside the Services a Client participates in
If a Staff member attempts to access the record of a Client participating in Services which that Staff member does not have access to, they will not be able to access the Client's record; however, they will have visibility of some basic Client details. The purpose of providing this basic Client information is to reduce the potential for duplication of Clients in the system.
The warning 'Sorry, you do not have access to view or edit this client record' will be displayed, along with the following Client information:
- Active Status
- SupportAbility Client ID #
- Date of Birth
- Sites and Services in which this Client participates
- Service Start and End Dates
- Key Support Workers for each Service
Managing additional privacy requirements through policy
If you have additional privacy requirements, you may be able to manage those requirements using organisational policy. Many of our subscribers use signed privacy agreements with Staff to meet these needs.
It is important to note that SupportAbility tracks all user movement throughout the system. If a serious breach has occurred, we can, if required, perform an investigation under Support Contract to determine which records a Staff member has accessed.