From 22 February 2018, privately practising midwives and midwifery practices have new obligations to inform clients and the Office of the Australian Information Commissioner (OAIC) of ‘eligible data breaches’.
These obligations are an extension of existing privacy law obligations around collection, use and disclosure of health and other personal information as part of providing care to pregnant women.
What are your obligations?
Private health care providers are required to:
- inform individuals (usually patients) and the OAIC
- about events which involve
– unauthorised access to information,
– unauthorised use of information, and
– loss of information likely to result in unauthorised access or disclosure
- if these events
– are likely to result in serious harm to affected individuals or
– cannot be effectively remediated through action to prevent the likely risk of serious harm, and
- make the notification to individuals and OAIC as soon as reasonably practicable.
When could these obligations arise?
Even though the scheme refers to ‘data’, the obligations are not just for situations involving electronic health records or other e-health information. They can apply to all situations in which health care providers hold and disclose health and other personal information for their clients, including hard copy health records and contact information.
Possible examples of unauthorised access, disclosure or loss which could lead to an obligation to inform clients and the OAIC include:
- Test results being given to the wrong client;
- Inappropriate disclosure of health information to a family member or friend, ie where not permitted under privacy laws or in breach of a Court order;
- Loss of information stored electronically (ie USB) or on paper; and/or
- Inadvertently placing health or other personal information on a publicly accessible website.
Is there anything I can do to reduce the risk of a notifiable data breach?
It may be that certain data breaches are unpreventable, notwithstanding the steps taken to prevent them occurring.
How it impacts you
However, there may be steps you could take to minimise the risk of a data breach occurring, which could include:
- Reviewing privacy practices and procedures – are these in place and up-to-date?
- Does everyone in your practice understand their privacy obligations? Is any training required?
- For those working with you, including IT contractors or cloud service providers, do you have agreements dealing with privacy and notifiable data breach obligations?
- Assessing where you or your practice may be at risk of a data breach, and taking remedial or risk reducing action before it occurs;
- Having a notifiable data breach response plan – the OAIC has developed a helpful Guide, download it using the link at the bottom of this article.
I think there may have been a data breach – what should I do?
The first thing is to take the necessary steps to contain or fix the breach.
The next step is to assess the breach, what it involves and the risk it may pose to affected individuals.
At this point, we encourage you to contact MIGA claims team for assistance in working through what, if any, reporting requirements need to be considered.
For more information on the data breach scheme and additional resources, visit our website using the link below.