By Rhiannon Riches
Updated 7 February 2018.
Private sector health service providers will be obligated to notify affected individuals and the Australian Information Commissioner of certain data breaches involving personal information from 22 February 2018, under the Notifiable Data Breaches (NDB) scheme.
Fines for failing to notify the Commissioner and patients of a data breach are $360,000 for individuals and $1.8 million for corporations.
The NDB scheme requirements supplement the mandatory data breach reporting requirements of the My Health Record system.
‘There is also a higher threshold triggering the obligations to notify under the NDB scheme; only data breaches that are likely to result in serious harm to an individual are notifiable. This harm could be physical, psychological, emotional, financial, reputational, or other forms of harm,’ a statement from the Office of the Australian Information Commissioner (OAIC) said.
Understanding whether a data breach can result in serious harm, or whether this harm is likely, requires an evaluation of the context of a data breach, including the types of personal information involved, who has access to it, whether the data breach can be contained, and more.
If a health service provider is unsure whether a data breach meets the threshold, they are required to undertake an assessment of the data breach within a maximum of 30 days, the OAIC said.
The OAIC has a range of online resources, including a webcast for on-demand viewing, to assist health service providers to prepare for the Notifiable Data Breaches scheme.
Luke Arundel, National Professional Services Manager at Optometry Australia, said that governments worldwide were tightening up regulation in this area.
‘Reports suggest that one in three Americans has had their health records compromised and there’s been a significant increase in health care hacking last year. The latest Ponemon Institute report states that cyber attacks are now responsible for over half the data privacy breaches. Practice staff errors, third-party problems and stolen computer devices make up the other half of data breaches,’ Mr Arundel said.
‘This last factor can be problematic in optometry practices as during break-ins, dispensing laptops or iPads with patient records are often stolen along with sunglasses and cash-register contents. Train staff on privacy basics, ensure software and virus protection is up to date and password protected, and set up remote wipe capabilities for computer equipment to reduce your chances of having a data breach,’ he said.
‘These changes and huge fines for non-compliance reinforce how seriously we need to be taking privacy in practice. Many optometrists we speak to are not fully across the huge overhaul of privacy legislation in 2014, let alone these latest changes which passed through the Senate in February 2017.
‘As always, Optometry Australia is here to support you through changes in the sector and our checklists, guidelines and template privacy policies are available for members online. Our comprehensive Professional Indemnity Insurance policy does cover members for claims made against them for breaches of privacy and our medico-legal hotline provides advice 24/7 on 1800 128 268 if you wish to discuss any breach with our legal team,’ Mr Arundel said.
The following examples of data breach scenarios were provided by the OAIC.
GP’s patient records stolen
A GP’s car is broken into and their workbag is stolen. In the bag were the medical records of two patients.
The GP acknowledges that the records contained sensitive information about their patients, and that the GP is unable to know where, or in whose hands, the records will end up. The GP determines that both patients are at a likely risk of experiencing serious harm, and that notification is required.
The GP notifies the police about the break-in, prepares a statement for the Australian Information Commissioner, and then calls the two patients to notify them of the data breach.
Accidental publication of sensitive information by a pharmaceutical chain
A pharmaceutical chain becomes aware that it has accidentally made its record of customers and dispensed prescriptions publicly available online due to an error made by a staff member. The record is removed from the organisation’s website one hour after the error is discovered.
The organisation begins an assessment to clarify the likelihood of serious harm to any of its customers. As part of this assessment, the organisation’s security consultants find that the record had not been accessed during the time it was publicly available.
Because the record was not accessed by a member of the public, the organisation determines that it is unlikely that any of its customers will experience serious harm, and that notification is not required. However, the organisation does undertake a review of the incident to identify how the error was made, and to retrain staff responsible for managing customer information.
Information about the Notifiable Data Breaches scheme