In the healthcare setting, privacy of information remains fundamentally important.
In recent years, privacy laws have struggled to keep pace with the ever-changing communication landscape. Social media in all its forms has pushed (and sometimes breached) the boundaries of acceptable standards, in the healthcare environment as much as anywhere else.
While there has always been an expectation that an individual's personal information is protected from misuse, the public now demand that organisations, including healthcare providers, are transparent about how they collect and use that information and are held accountable if they misuse it.
Over the years that accountability has taken the form of regulation and enforcement by the Office of the Australian Information Commissioner (OAIC). The Australian Federal Government has recently announced the allocation of further resources to the OAIC to investigate and address privacy breaches, together with a significant increase in the range of penalties available to it.
Increased penalties for privacy breaches
While the amending legislation is yet to be drafted, the Federal Attorney-General has announced a new penalty regime, with a view to ensuring that the information of Australians is protected online and on social media platforms.
The current maximum penalty for an entity covered by the privacy legislation is $2.1 million. That is set to be increased to the greater of $10 million, three times the value of any benefit obtained through the misuse of information, or 10% of the company's annual domestic turnover.
New powers for the OAIC to issue infringement notices for failure to cooperate with efforts to resolve minor breaches are also proposed. The maximum fines that could be issued under an infringement notice are $63,000 for companies and $12,600 for individuals.
Increased investigatory resources
In addition to the increased penalties, the Federal Government has announced additional funding for the OAIC to investigate and respond to breaches of individuals' privacy. Those resources will also be devoted to creating a new code for social media and online platforms that trade in personal information. The code will require those companies to be more transparent about any data sharing and to obtain more specific consent from users when they collect, use and disclose personal information. This appears to be a response to the recent privacy concerns about Health Engine's data sharing (please see our August 2018 Bulletin article).
It is anticipated that the amendments to the Commonwealth Privacy Act will be drafted and released for consultation in the second half of 2019. Stay tuned for further updates.
Mandatory Data Breach Notifications – a snapshot
It is just over 12 months since the introduction of the OAIC's notifiable data breach scheme, under which entities covered by the Privacy Act must notify affected individuals and the OAIC of data breaches that are likely to result in serious harm.
The OAIC releases quarterly reports on notifiable data breaches and the most recent January to March report noted the leading cause of notifiable data breaches was malicious or criminal attack (131 notifications) followed by human error (75 notifications) and system error (9 notifications).
In the health sector there were 58 data breach notifications in that quarter, up from 54 in the previous quarter.
Human error was the leading source of notifications in the healthcare sector, representing 52% of all health sector notifications for the quarter. It included personal information sent to the wrong recipient, the unintended release or publication of personal information, and loss of data. Malicious or criminal attacks and system faults made up the remaining health sector notifications. Within the malicious or criminal attacks, 40% were cyber incidents in which credentials were compromised by an unknown method.
The statistics provided by the OAIC suggest that, while healthcare providers are managing privacy well, more can be done to minimise the chance of human error causing a privacy breach. Some breaches cannot be avoided, but misdirected communications, unintended publication and lost data are largely preventable.
It is a timely reminder to review your privacy policies and practices from both a security and a processing perspective, paying particular attention to how personal information is sent, published and stored, since those are the points at which the human errors reported to the OAIC occur. The aim is to ensure that the chance of a privacy breach occurring in your practice is minimised.