Health service providers (including day hospitals, clinical physicians and diagnostic service providers) have obligations about their patient’s personal information under the Privacy Act 1988 (Cth) (Privacy Act). They have been a leading cause of privacy complaints over the past few years. Failing to comply with the Privacy Act can result in significant fines. For example, recent draft legislative reforms would allow infringement notices to be issued of up to $63,000 for companies, and $12,600 for individuals. Patients are also becoming more aware of the value of its personal information, so misuse or loss of that personal information can damage a practice’s reputation. Most importantly, if the misused or lost personal information is sensitive health information, then trust which supports the patient/doctor relationship can be lost.
Think – unauthorised access or use of patient email addresses and phone numbers. Your staff sends a confidential patient file to the wrong email address. You are hacked. You leave clinical files on a bus from the hospital back to your clinic. Errors are made entering identifying data about patient endpoints into your computer. Results are sent to the wrong patients.
It happens. Call them – ‘Breach Events’.
What can you do to prevent Breach Events? How do you prepare for a Breach Event, in case it happens?
The Office of the Australian Information Commissioner has recently released its ‘Guide to health privacy’ to assist health service providers improve their privacy practices. We recommend our Healthcare industry clients read the full guide here: https://www.oaic.gov.au/assets/privacy/guidance-and-advice/guide-to-health-privacy/guide-to-health-privacy.pdf
We set out some critical things you should do below.
Adopt a privacy framework
You should develop and adopt:
- an internal privacy management/data breach response plan – it’s a guide on relevant privacy issues to your practice, and is your Breach Event play book: How do we assess a Breach Event? What’s to be done urgently? Who do we call? What do we tell our patients? Are we required by law to tell the Information Commissioner or patients?
- clear lines of staff accountability for privacy management and procedures – make someone responsible for privacy. They should know what to do for a Breach Event. You might be able to keep lawyers and other advisors (and their associated costs) out of it. If no one is responsible, then who will care about privacy, and take the necessary steps to protect against, or respond to a Breach Event?; and
- means of protecting personal information – that’s data theft prevention software (good quality and regularly updated); and good ‘privacy hygiene’ (don’t take files out of the clinic unless it’s essential, don’t click on suspicious emails).
Know how to collect and use personal information properly
When you collect and use personal information – use common sense. Don’t collect it without the patient’s informed consent (either express or reasonably implied) and unless needed as part of the diagnosis/treatment. You will need consent to record the patient information necessary to comply with the Health Insurance Act, to obtain Medicare payments (or protect them against being ‘clawed back’). Don’t record your conversations (e.g. over the phone) unless the patient knows about it. Don’t discuss health issues in front of other people, unless they’re OK with that.
You must also notify the patient before or at the time you collect their personal information. Make sure that privacy notice addresses all the matters required by law.
Make sure you know:
- how you may collect health information without consent (e.g. if it’s required by law; there is a serious threat to someone’s health or safety etc.);
- when you don’t have to deal with patients anonymously or pseudonymously;
- what to do with unsolicited health information (when you have to destroy or de-identify it);
- what you can do with health information.
Only use health information with consent, or if a limited exception to use without consent applies. For example, don’t directly market to the patient unless you receive their express consent.
You can only disclose a patient’s genetic information without consent, if it’s to lessen or prevent a serious threat to the life, health or safety of a genetic relative of the patient, and otherwise in accordance with the Privacy Act or law.
Understand that patients own their health information
If a patient requests their health information, make sure you:
- verify the identity of the person requesting that information; then
- only if verified, hand over the information within 30 days.
If you need to refuse, make sure one of the limited exceptions apply (e.g. if you believe providing that information would pose a serious threat to the life, health or safety of someone). Don’t charge the patient to give access, unless the charge is reasonable.
Take reasonable steps to ensure all personal information you hold is correct. If you’re asked to fix it, fix it within 30 days.
Know what to do in the event of a Breach Event
If the current mandatory data breach notification rules apply to you or your practice, you may be required to notify affected individuals and the Commissioner of certain Breach Events. Know:
- if these rules apply to your practice (probably, because you provide a health service and hold health information);
- how to comply with the rules (i.e. in what circumstances do you have to tell everyone about the Breach Events); and
- how to manage the process to protect your practice’s reputation, and as required by law.
If you’re a researcher, know about privacy
If you’re researching – make sure the participant has provided its prior and informed consent to collect its personal information. Only collect personal information without consent if:
- de-identified data won’t serve your research goal; and
- it is not reasonably possible to obtain consent; and
- collection is approved by a HREC, or in accordance with NHMRC guidelines approved by the Information Commissioner, or required by Australian law.
If you’d like to know more about your privacy obligations, and what is needed to comply with them, please contact Antony Harrison from our Health Care Industry team.