Amendments to the privacy legislation introduced changes which required many Australian companies to report eligible data breaches beginning on February 22, 2019. This revision is in line with major changes in European data privacy laws, which were strengthened with the implemen- tation of the General Data Protection Regulation on
May 25, 2018.1
This review of Australian
health privacy rules demonstrates how healthcare providers comply with the country’s rules within the context of medical professional liability.
Overview of health privacy rules
Privacy in Australia is administered by the Office of the Australian Information Commissioner pursuant to the Privacy Act 1988 (the Privacy Act),2 the Freedom of Information Act 1982 (the FOI Act)3 and the Australian Privacy Principle guidelines (APPs).4
The Privacy Act, FOI Act, and APPs apply to all Australian government agencies and organizations with an annual turnover—or sales—of more than AUD$3 million, and some other organizations with a turnover of less than AUD$3 million, including health service
providers.
The Office of the Australian Information Commissioner safeguards the privacy of individual patients, and is also responsible for oversight of broader issues, including health and medical research. The most recent changes to privacy in the health sector in Australia relate to the introduction of My Health Record5—the Australian government’s digital health record system—and a requirement to notify the Office of the Australian Information Commissioner of any eligible data breaches under the Notifiable Data Breaches Scheme (NDB Scheme).6
Historically, the Office of
the Australian Information Commissioner is not an overly punitive jurisdiction, but all health service providers must be aware of their obligations under the NDB Scheme due to financial penalties of up to AUD$2.1 million for repeated or serious breaches.7 The Australian government plans to increase penalties to AUD$10 million, three times the value of any benefit obtained through the misuse of information, or 10% of a company’s annual domestic turnover—whichever is greater.8
Dealing with a health data breach
When an Australian medical practice determines that confidential patient records have been compromised, management should follow a process similar to that of a U.S. healthcare provider—contacting their external IT providers and medical indemnity insurers for advice and information about handling and remediating the breach.
Once the IT provider determines the extent of the breach, the practice should contact the patients involved. Depending on the nature of the breach, affected individuals may need to contact their financial institution, or take other steps to protect their personal information.
In Australia, the NDB Scheme requires the provider to follow four prescribed steps in the event of a medical data breach: contain,
assess, notify, and review. The practice has a maximum of 30 calendar days in which to initiate, investigate, and evaluate the breach under the NDB Scheme.
If the situation involves patients outside of Australia, a practice will, in most cases, report the breach to the Australian Information Commissioner. In many cases, after a review and investigation, the practice will increase IT security and post a notice on the practice website to explain what happened and the steps the practice took to ensure the future safety of patient data.
Ensuring healthcare compliance
How can Australian doctors ensure they are providing ade- quate protection for the personal health information they control?
All health service providers
in private practice are required to meet the requirements of the Privacy Act and the related 13 APPs. APP 1 requires each practice or organization to create a privacy policy that outlines in plain English how a patient’s personal and health data will be collected, stored, and secured, and how and under what circumstances it will be disclosed. This policy is required to be on display in the practice, available on the practice website, and made available to patients on request.
An organization must take “reasonable steps” to protect personal information it holds from misuse, interference, or loss, and from unauthorized access, modification, or disclosure. Failure to do so increases the risk of privacy breaches, harm to patients, reputational damage, disruption to the functioning of their practice, and substantial fines or penalties.
Reasonable steps may include: n Robust IT systems—firewalls, virus protection, frequent password updates, backups, maintenance of hardware, software, and mobile devices
- Procedures—appropriate staff access levels, safe and proper use of internet and email, confidentiality agreements signed by staff
- Building security and alarms, and other practical steps.
Disclosing information overseas
Before personal information is disclosed overseas, a practice must also take reasonable steps to ensure that the overseas recipient does not breach APP 8 Cross-border Disclosure of Personal Information.
If the practice believes the recipient country has similar privacy laws to Australia, it should obtain documentation such as independent legal advice to support this.
If the practice does not believe the recipient country has similar privacy laws to Australia, it should
- avoid disclosing the information,
- enter into a contract with the overseas recipient requiring it not to breach the APPs, and
- obtain the patient’s consent to disclose the information to the overseas recipient.
There is a greater focus on how information is transmitted between health service providers to facilitate timely exchange of information and patient care, with the Australian courts now commenting on this issue. Of
note is the wider variety and availability of communication types, with the use of traditional mail no longer recommended for urgent matters.
The increased use of electronic communication requires greater effort and emphasis on maintaining the security of health data across the sector.
A final word
As in the United States,Australian medical providers take their duty to secure patient information seriously. National regulations encourage strict accountability and the country’s medical indemnity insurer work closely with their clients to ensure the safety and security of
all patient information.
References
1. Nick Ismail, GDPR vs Australian data privacy regulations: 5 key differ- ences. Information Age. March 5, 2018. https://www.information- age.com/gdpr-aus-data-privacy-regulations-123471003.
2. Australian Federal Register of Legislation. Privacy Act 1988. https://www.legislation.gov.au/Details/ C2019C00241.
3. Australian Federal Register of Legislation. Freedom of Information Act 1982. https://www.legislation. gov.au/Details/C2019C00288.
4. Australian Government, Office of the Australian Information Commissioner. Australian Privacy Principles Guidelines—Privacy Act 1988. https://www.oaic.gov.au/assets/privacy/app-guidelines/app-guidelines- july-2019.pdf.
5. Australian Government, Office of the Australian Information Commissioner. My Health Record. https://www.oaic. gov.au/privacy/other-legislation/ my-health-record.
6. Australian Government, Office of the Australian Information Commissioner.
About the Notifiable Data Breaches Scheme. https://www.oaic.gov.au/ privacy/notifiable-data-breaches/ about-the-notifiable-data-breaches- scheme.
7. Karen Stephens. Must I report this privacy breach? MDA Australia. June 12, 2019. https://www.mdanational. com.au/advice-and-support/library/ articles-and-case-studies/2019/06/ reporting-privacy-breach-flowchart.
8. Australian Government, Office of the Minister for Communications Tougher penalties to keep Australians safe online. Mar. 25, 2019. https://parlinfo. aph.gov.au/parlInfo/search/display/display.w3p;query=Id%3A%22media%2F pressrel%2F6577790%22;src1=sm1