IN APRIL 2017, a man found piles of outpatient letters stuffed into a garbage bin in Sydney’s inner west. A subcontractor for a company involved in transcribing medical letters sent from specialists to GPs was supposed to take them to the post office but, inexplicably, had simply shoved them into the bin instead. The data breach involved over 1600 medical letters containing private information on over 700 patients from the Royal North Shore and a number of other hospitals.

Medical data breaches are common, and while most are not as egregious as the above, all are now subject to new mandatory data breach notification laws, which came into effect in February 2018. Under these laws, any organisation subject to the Privacy Act (including all medical practices) which incurs an “eligible data breach” is obliged to alert the Australian Information Commissioner and the people whose data have been compromised.

An eligible breach is defined as any unauthorised access, disclosure or loss of personal information that is likely to result in “serious harm to any of the individuals to whom the information relates”. The penalties for failing to disclose such breaches are not to be sniffed at: up to $360 000 for individuals and up to $1.8 million for organisations.

A new article published in the MJA lays out the obligations, implications and challenges of the new laws as they relate to medical practices. The authors make the point that over half of all reported data breaches are the result of simple human error, often by just one person, rather than from ransomware, hackers or other nefarious interventions.

“Very often, a data breach could just be faxing results to the wrong recipient, or a piece of mail going to the wrong person,” says lead author Dr David Carter in an exclusive podcast for MJA InSight.

“But whatever the circumstances, the core consideration is whether the breach is going to cause some serious harm to someone,” says Dr Carter, who is a lecturer in the Faculty of Law at the University of Technology Sydney. “It could be financial harm, it could be embarrassment, but whatever the case, the practice needs to think about how they’re going to deal with it.”

He says that fairly small changes can go a long way towards preventing a data breach or mitigating its damage if it does occur.

“Probably, a really intelligent place to start is to have a conversation with your patients. Very often, we don’t think about that. If there’s a conversation upfront about what information is collected, why it’s collected and how we use it, it means patients are on the journey with you, and they understand that you take their privacy seriously.”

He says that if there is then a need to report a breach, it’s done off the back of a solid understanding and relationship with the patient.

In cases of breach, “it’s always a good idea to make a rapid and honest assessment of what’s happened”, Dr Carter says.

“Don’t ignore it, try and find out what’s gone wrong or gone missing, and seek some professional advice if needs be, from IT services for example. If it’s something simpler, just talking in a non-blaming way with staff to understand how the breach may have occurred is a good idea. It’s always okay to call the Information Commissioner and have a conversation about what might have happened as you discover the facts.”

Georgie Haysom, who is Head of Advocacy at the medical defence organisation Avant, says that a survey Avant did of its members before the introduction of the new laws revealed a low level of understanding and awareness around data breach and privacy issues.

“But I think there’s more awareness now, because of the mandatory data breach legislation and the discussions that have been going on around that. Generally speaking, I think doctors and particularly small practices need to focus on making sure their systems are secure.”

She says the first step is to make sure to have a data breach response plan in place. That involves ensuring systems and processes are up to date and that doctors, nurses, administrators and other staff understand their obligations and are aware of the response plan.

She says that if doctors are worried that there may have been a data breach, they can also ask advice from their medical defence organisation.

“We’ve had an increasing number of calls about privacy and the security of medical records since the legislation has come in. We were concerned before this legislation about the administrative burden that it places on practices, and I think there’s still a way to go before people have a good understanding of the requirements and the processes they need to go through to determine if something is mandatory. But what practices need to do is have a look at their systems and security and try to implement things to avoid the risk of data breach in the first instance.”



3 thoughts on “What the new data breach laws mean for medical practices”

  1. Randal Williams says:

    For years doctors managed their patient privacy and confidentiality very well–then came large medical practices with multiple staff, instant communications, mobile phones, computers, email, social media etc creating a myriad of ways in which privacy could be compromised. Most privacy breaches are unintentional and harmless–nevertheless draconian laws have been brought in that serve no one apart from a sea of bureaucrats in government departments. With these laws the hope of keeping perspective and balance about individual privacy has gone out of the window. It is yet another layer of administrative bureaucracy that doctors and their staff have to cope with.

  2. HOWARD GOLDENBERG says:

    THE LEGISLATION IS INDEED HEAVY HANDED

    AND AS THE AUTHOR OF THE ARTICLE ADVISES, A GOOD UNDERSTANDING BETWEEN PATIENT AND DOCTOR WILL, IN THE END, CONSTITUTE OUR BEST DEFENSE

    IT DOES APPEAR THAT THE PERPETRATOR OF THE BREACH MUST JUDGE FOR HERSELF WHETHER THE BREACH “is likely to result in ‘serious harm to any of the individuals to whom the information relates’”

    I WOULD TRUST MYSELF TO BE THE JUDGE
    I WOULD TRUST MY PATIENT TO BE MY JUDGE
    BUT I WOULD NOT EXPECT BUREAUCRACY TO JUDGE SENSIBLY

  3. Bennett Franjic says:

    I would say that accidentally sending a patient’s report to the wrong medical practice is not likely to result in serious harm to the patient, and doesn’t need to be reported. (I am a doctor, not a lawyer).
