Under a new mandatory notification scheme, businesses must now report a data breach to the Office of the Australian Information Commissioner.
The first 37 days of the new mandatory notification scheme have revealed that a breach occurred in the health sector every two days, yet no financial penalties are being applied; instead, the government agencies involved are merely giving undertakings to do better.
Yes, there is a provision for the OAIC to order compensation payments to victims, which has happened in at least one case, and there is also a civil penalty of $420,000 for a serious or repeated interference with the privacy of individuals, and a $2.1 million penalty for body corporates. However, so far it has not been used.
Following the Facebook privacy saga, a plethora of local and international privacy laws, with big fines to protect users, either have come into effect or will do so, affecting your patients and staff.
Furthermore, if you have patients from the European Union, for example, who are travelling and visit your clinic, then new rules will apply from the 25th May 2018. Substantial fines apply to you for any breaches, which may amount to as much as 2% of your turnover! See the Minter Ellison article.
You may not be aware that in February 2018, a new Privacy Law legal requirement that affects every single medical and healthcare business came into force. For practices with a turnover of over $3m the conditions are particularly onerous. If you fail to act you could potentially end up losing your practice.
This is the ‘Notifiable Data Breach Scheme’. The bottom line is that within 30 days you may be required to notify your patients and the Privacy Commissioner of any breaches. Depending on the seriousness of the breach you may need to publish details on your website! For more information see Notifiable breaches scheme.
If the breach causes serious harm to others, you may be liable. Serious harm could include (but is not limited to) identity theft, financial loss, a threat to physical or emotional well-being, and harm to reputation and humiliation.
If you fail to notify, the fines can be as high as $2.1m. So it cannot be ignored.
For those who employ contractor medical personnel (e.g. GPs) it gets worse. If your contractor does something which should be notified and they don’t, your business is jointly responsible, even if you argue you did not know of the incident.
Any of the following will constitute a breach:
– Sharing staff passwords e.g. of former staff. (Organisations can use programs like Last Password to overcome this problem for cloud software programs.)
– Lost phones with data on them (including apps)
– Hacking of any kind
– Breaches involving emails
– Loss of USB flash drives, laptops or mobile devices
– A third party receives information about your patient
For example, if you tell a nurse to provide an opioid to someone in the waiting room and another patient hears it, then strictly speaking the practice has to report it to the Privacy Commissioner. (In practice, serious cases are more likely to be an issue, such as where demonstrable harm is caused and the person is identifiable).
Contact your professional indemnity insurer and/or local healthcare professional body for more information. Be careful not to provide them with any patient information they should not be receiving. If unsure, consult an experienced legal adviser. Ensure you have the correct documentation and processes in place. Be wary of the vexatious staff member or patient, which is often where these problems originate.
Contact David Dahm at firstname.lastname@example.org for further information.
Please note we are not lawyers, we are accountants and practice advisers. Please seek specific legal advice in relation to your own circumstances. We cannot be held responsible for any errors or omissions in this article. This article is for discussion purposes only.