Health service providers have consistently been among the top three sources of privacy complaints over the last three years
The Office of the Australian Information Commissioner (OAIC) has just launched a new, comprehensive guide to health privacy in the interest of safeguarding patients’ personal information.
As well as being among the top three sources of complaints, health providers have also been the leading source of notifiable data breaches since mandatory notification started in February 2018, the office warned.
Australian Information Commissioner and Privacy Commissioner Angelene Falk said the guide brings together a wide range of OAIC advice for all health service providers covered by the Privacy Act 1988.
“I expect health service providers to be familiar with their privacy obligations and to take all reasonable steps to protect the personal information they are entrusted with,” Commissioner Falk said.
“This includes any organisation that provides a health service and holds health information, from a doctor or private hospital through to a dentist, gym or childcare centre.
Commissioner Falk urged health service providers to use the guide to improve their privacy practice.
“Health information is considered to be some of the most personal information about an individual, and it must be handled responsibly and transparently.
“This guide is a step-by-step guide to help the health sector understand their privacy obligations and embed good privacy principles throughout their practice.
“It provides practical advice on meeting legal requirements and obtaining consent for the collection, use and disclosure of personal information.
“Where there are serious breaches of privacy, the OAIC has a range of regulatory powers to hold organisations to account, including auditing privacy practices, determining complaints or awarding compensation.
“We can also seek civil penalties through the Federal Court of up to $2.1 million per privacy breach.”
Pharmacy Guild Victorian branch president Anthony Tassone told the AJP that “Like other health care practices, pharmacies have a particular responsibility to protect data due to the sensitive nature of much of the information stored including information concerning the use of scheduled medicines, delivery of health services and patient health records”.
“This is further the case in the current environment of digital health/e-health initiatives encompassing electronic transfer of prescriptions, My Health Record and the Australian Immunisation Register, to name a few,” Mr Tassone said.
“Pharmacies are a custodian of their patients’ personal information and this responsibility underpins community pharmacy’s highly trusted role in the community.”
Mr Tassone said that it was important to be reminded that data breaches are not limited to malicious actions, but may also arise from internal errors or failure to follow information handling policies that cause accidental loss or disclosure of information.
The new guide features an eight-step plan for better privacy practice:
- Develop and implement a privacy management plan
- Develop clear lines of accountability for privacy management
- Create a documented record of the types of personal information you handle
- Understand your privacy obligations and implement processes to meet those obligations
- Hold staff training sessions on privacy obligations
- Protect the information you hold
- Develop a data breach response plan.
Mr Tassone also offered some suggestions.
“In addition to the guidance from the Office of the Australian Information Commissioner, there are some broad measures proprietors can take to protect their pharmacy’s data,” he said.
- Update your operating system to ensure the latest protections against cyber attack are in place (particularly anti-virus software);
- Perform regular (daily) local backups of key systems (such as the dispensary terminal/s) and store the backups securely in an offsite location (e.g. the cloud), which can be supported by your IT vendor;
- Do not open emails from sources that look suspicious. Cyber attackers are becoming increasingly sophisticated in this area, and a review of who has access to email systems in the pharmacy may be necessary;
- Restrict access to the network to authorised persons only;
- Develop and enforce security protocols; and
- Restrict access to a ‘need to know’ basis.
“Sadly, none of us are immune to the risks of cyber-attacks and in the modern digital age we all must be absolutely vigilant both at work and at home to protect sensitive information of ourselves and those of patients in the pharmacy,” Mr Tassone warned.
“The ‘Stay Smart Online’ website (www.staysmartonline.gov.au) has a range of useful resources and information for both businesses and individuals to learn more about the importance of cyber security and what they can do in their everyday lives to minimise the risk of a data breach.
“For pharmacy proprietors and managers, it’s important to create awareness amongst your team of the importance of cyber security and ‘Stay Smart Online’ week (7-13 October) is a great opportunity to have the conversation in the workplace.
“The Guild continues to support our members with updates of their obligations as health professionals and business owners in managing patient data under State and Federal legislation as well as resources to help inform what to do in the unfortunate case of a data breach.
“All business owners should consider speaking with their insurer about the possibility of coverage in this area.”
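The daily backup measure in Mr Tassone's list above is the one item a pharmacy can script rather than merely remind staff about. The following is an added example (not from the OAIC guide or the Guild) of a minimal POSIX shell backup routine: it archives a data directory, writes a SHA-256 checksum so the copy can be verified after it is transferred offsite, prunes old archives to a retention count, and verifies an archive before it is trusted. The directory names and the `backup-<timestamp>` naming scheme are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example: daily local backup with integrity check and retention.
# Source/destination paths are constructed for illustration; the real
# dispensary data path is whatever the IT vendor specifies.
set -eu

# backup_dir SRC DEST [KEEP]
#   Creates DEST/backup-<UTC timestamp>.tar.gz plus a .sha256 file,
#   keeps only the KEEP newest archives (default 7), prints the archive path.
backup_dir() {
  src="$1"; dest="$2"; keep="${3:-7}"
  mkdir -p "$dest"
  stamp=$(date -u +%Y%m%dT%H%M%SZ)
  archive="$dest/backup-$stamp.tar.gz"
  # Avoid clobbering an archive made in the same second.
  n=0
  while [ -e "$archive" ]; do
    n=$((n + 1)); archive="$dest/backup-$stamp-$n.tar.gz"
  done
  # -C makes the archive paths relative, so a restore does not depend
  # on the original absolute location.
  tar -czf "$archive" -C "$(dirname "$src")" "$(basename "$src")"
  # Checksum written beside the archive; the offsite copy is verified
  # against it after transfer.
  (cd "$dest" && sha256sum "$(basename "$archive")" \
     > "$(basename "$archive").sha256")
  # Retention: remove everything older than the KEEP newest archives.
  ls -1t "$dest"/backup-*.tar.gz | tail -n +"$((keep + 1))" | while read -r old; do
    rm -f "$old" "$old.sha256"
  done
  printf '%s\n' "$archive"
}

# verify_backup ARCHIVE
#   Returns 0 only if the checksum matches and the tarball lists cleanly;
#   a corrupted or tampered archive fails here rather than at restore time.
verify_backup() {
  archive="$1"
  (cd "$(dirname "$archive")" \
     && sha256sum -c --quiet "$(basename "$archive").sha256") \
    && tar -tzf "$archive" >/dev/null
}
```

Run `backup_dir /path/to/dispensary /path/to/backups` from a daily cron job, then copy both the archive and its `.sha256` file offsite and run `verify_backup` on the transferred copy; the checksum is what turns "we have a backup" into "we have a backup we can prove is intact".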
The Guide is available here.