Safeguarding Systems and Data

New privacy breach legislation has created a flurry of activity. One legal firm issued a media release headlined “60% of patients don’t trust their GPs with sensitive information”. This was probably meant to frighten medical practices into action, and why shouldn’t it, given the latest reported Facebook breach.

Some say legal firms contribute to the litigious environment doctors find themselves in. On the other hand, it would be a crying shame if a doctor suffered professional consequences because the practice did not implement adequate privacy breach policies. These most recent changes to Privacy Law apply to the behaviours of practice doctors, whether on contract or not.

The practice would have to decide within 30 days whether an ‘eligible data breach’ had occurred. Big fines are in place if they do not. The release lists:

  • stolen or lost medical records,
  • medical information being supplied to the wrong person, or
  • a database hack

…as ‘eligible’ and therefore to be “reported to the Privacy Commissioner and to the patients themselves.”

Chris Mariani

Chris Mariani, an independent medical insurance broker based in Sydney, described doctors as great risk managers when it comes to clinical risks such as patient follow-up and recalls. They know when to ask their medical defence organisation (MDO) for help.

“It’s however the ‘business risks’ where many practitioners and their practices come unstuck. One growing risk is the reliance on IT systems to run a practice and the closely aligned issue of privacy compliance,” he said.

In 2012, a headline made the medical media – Russian hackers hold Gold Coast doctors to ransom. The Miami Family Medical Centre was being asked to pay hackers $4000 to decrypt sensitive information held on their server.

In March 2014, the Privacy Act was updated and 13 Australian Privacy Principles were implemented, including:

Chris said new changes introduced on 22 February this year may catch Australian businesses unawares. The Notifiable Data Breaches (NDB) scheme requires notification to all affected patients and individuals, as well as to the OAIC, where an ‘eligible data breach’ occurs.

“The primary purpose of the NDB scheme is to ensure individuals are notified if their personal information is involved in a data breach that is likely to result in serious harm. This has a practical function: once notified about a data breach, individuals can take steps to reduce their risk of harm. For example, an individual can change passwords to compromised online accounts, and be alert to identity fraud or scams.”

“For most other businesses, having a privacy framework or being subject to the full weight of privacy legislation doesn’t kick in until they generate annual revenue of more than $3m. For health businesses it kicks in from $1.”

“It is important to note doctors have ethical obligations to inform patients about adverse events, including breaches of privacy and confidentiality. So even if a breach is not deemed to require reporting under the NDB scheme, the patient may still need to be informed under the doctor’s ethical obligations.”

Chris recalled a large healthcare practice where the finance manager’s computer was hacked, resulting in the entire practice contact list of over 30,000 people being sent an email with ransomware embedded in it.

Under the new legislation the practice would need to instigate a breach response, decide if the impacted individual/s were likely to suffer ‘serious harm’ and, if so, report to both the OAIC and to every impacted person. In smaller cases, legal costs had exceeded $10,000 on top of IT costs, lost revenue, and potential fines. In the hacking case, the costs are likely to be much higher.

He said all practices needed to take steps to become compliant with Privacy Law, including:

  • Conducting an IT review and audit. Is the practice taking reasonable steps to prevent breaches? Is the system backup adequate to allow a prompt enough return to full service? Have IT contractors, who have access to data and information about patients, signed confidentiality agreements?
  • Staff training on privacy and IT security (e.g. how to recognise scam emails, what the practice policy says, and what to do should a patient make a privacy complaint or request their patient file under privacy law).
  • Having up-to-date patient consent forms, a privacy policy, breach response plans and other documentation.

“Staff need to understand the growing threat to the security of practice data and that the law has changed. Getting up to speed on privacy is not optional, it’s the law – compliance with the Privacy Act should be your first focus, then review your level of insurance and decide if a privacy/cyber insurance policy is appropriate.”