The newly released ‘Guide to Health Privacy’ from the Office of the Australian Information Commissioner (OAIC) provides welcome clarity on a number of health-data-related obligations set out in the Privacy Act 1988 (Cth) (the Privacy Act), including the concept of consent, how and when health data is collected, stored and used, and of course who has access to it.
Earlier this year we reported on statistics coming out of the Notifiable Data Breaches Scheme, one year on from its commencement. A key finding of the report highlighted particular vulnerabilities in the health services sector, which ranked number one for notifiable data breaches by industry. On top of this, the health sector also ranks consistently in the top 3 sources of privacy complaints by individuals. With health data among an individual’s most sensitive personal information, the OAIC’s release of the Guide to Health Privacy could not be more timely.
Figure: Notifiable Data Breaches by Industry
The Guide, written primarily for health professionals and practice staff, aims to provide practical and actionable advice on health information handling for those in the industry. It helpfully provides a number of examples specific to medical practices, which practitioners may find enlightening.
Of particular impact are the recommended key steps to “embedding privacy in your health practice”, which include, amongst other things, developing and implementing a privacy management plan, developing clear lines of accountability for privacy management, and of course, developing a data breach response plan.
The Guide additionally provides industry-specific detail and examples on a number of other key Privacy Act obligations, including:
- the form and method of providing privacy notices;
- collecting unsolicited health information or collection without consent; and
- disclosure of health information for a reasonably expected or secondary purpose (e.g. referrals to a specialist or a broader treating team).
Conclusions and resources
Whilst the importance of data privacy is not a new concept to health professionals, additional guidance on best practice from the governing privacy body should act to entrench a privacy-by-design approach to patient interactions and practice management. The Guide will hopefully also go some way to reducing the incidence of two key causes of notifiable data breaches, human error (35%) and malicious attack (60%), and as a result the high number of individual complaints to the OAIC.
The Guide additionally points to a number of other key OAIC resources for health professionals, including:
- Privacy management framework;
- Privacy management plan template;
- Guide to securing personal information; and
- Preparing a data breach response plan.
Written by Andrew Hii, Mark Ferguson and Alexander Ryan