Friday, September 23, 2016

This Article Provides A Useful Summary Of myHR Breach Management. It Is Mandatory To Report Breaches!

This appeared last week:

Mandatory Breach Reporting For Health Records – What You Need To Know

Last Updated: 13 September 2016
Mandatory data breach reporting is the buzzword in privacy and cyber risk circles. Many Australian governments (including the incumbent) have sought to introduce legislation requiring all Australian businesses to report data breaches that compromise personal information collected or held by those businesses. But no government has yet succeeded. Except, that is, for certain health service providers, who should take note – if you're handling certain types of health records, you may already be required to report such breaches.

What is 'mandatory reporting' – and is it relevant for my business?

The Privacy Act applies to Australian individuals and businesses with a turnover of over AUD 3 million, and to those providing a health service and who hold health information irrespective of turnover. Currently, the Privacy Act does not require that your customers or the Office of the Australian Information Commissioner (OAIC) be notified of a data breach that compromises their personal information. That is likely to change in time – and draft legislation could (if implemented) extend such mandatory reporting obligations to all businesses subject to the Privacy Act. In the meantime, notifications are encouraged by the OAIC as part of a data breach response plan, where the disclosing party thinks there may be a real risk of serious harm to the individual as a result of the breach.

I run a health services business – how does this affect me?

In addition to the requirements of the Privacy Act, healthcare providers accessing, processing and storing 'My Health Records' are subject to a mandatory data breach reporting regime. This regime has been in place since the inception of the My Health Record scheme in 2012 and requires notification, in certain circumstances, to the My Health Record System Operator (i.e. the Secretary of the Department of Health) and the OAIC, of data breaches affecting an individual's My Health Record.

What is My Health Record?

Essentially, it is the future of digital health in Australia.
My Health Record is described by Government as "a secure online summary of your health information". It is an opt-in scheme, operating from an online platform, which stores in one place important health information relating to individuals. Healthcare providers including doctors, specialists and hospital staff can access these details online from anywhere, at any time, for the purpose of providing healthcare and in accordance with access controls set by the individual patient or default access controls, as the case may be.
Considering the sensitive nature of an individual's health information that is being stored in the individual's My Health Record, the provisions relating to mandatory breach reporting have been seen as an important element of the system and a safeguard for those providing their details for storage in the system.
However, the slow uptake of the system by Australian health providers and practitioners means that industry awareness of the mandatory reporting requirements attaching to the My Health Record platform is unlikely to be widespread.

Why is this now more important than ever?

A digital health records system has been on the radar for many years.
In June 2016, the My Health Record "opt-out" trials commenced in the Nepean region of Western Sydney and North Queensland where 1 million individuals have been provided with a My Health Record. Trials are due to close in October 2016 and reports indicate that there has been a very low opt-out rate.
In July 2016, the National E-Health Transition Authority became the Australian Digital Health Agency, and is expected to become the system operator for the My Health Record system. In August 2016, the Government appointed as the agency's CEO the former National Director for Patients and Information in the UK National Health Service (NHS), who was responsible for the digital transformation of the NHS. And the Government has launched a public consultation on the development of a framework for secondary use of My Health Record data, which opened in late August / early September 2016 and will close in November 2016.
It seems to us that this shift of focus and the move towards widespread implementation of the My Health Record system is indicative of the Government's continued support for the expansion and development of digital health in Australia. While important building blocks in the digital health system (such as universal use of secure messaging and standardised system interoperability) may be several years away, we believe that mandatory adoption and use, in the short to medium term, of the My Health Record system across health service providers in Australia is inevitable.
Lots more here:
Also very useful is this part of the article alerting providers what they must do:

What can healthcare providers do?

Digital health is coming and healthcare providers should start preparing now. All healthcare providers, in particular those operating in the My Health Record system, should consider the following:
  • Review how your organisation manages its data: Know the kinds of data your organisation handles, and the value of the data. Know where it is stored, who has access to it and how it is secured.
  • Know your obligations in operating within the My Health Record system: What obligations are imposed under the Privacy Act and under the My Health Record system on you as a business handling such sensitive information?
  • Identify and understand relevant risk frameworks suited to your business: Consider different risk frameworks that may apply to your business. Decide on a framework, implement it and use it to evaluate your cybersecurity. Test the framework regularly and consider how it can be improved.
  • Be prepared: Have a breach response plan in place. Consider the different types of breaches your business could suffer. Your plan should set out roles within your breach response team, and identify third parties or experts (IT security, legal, public relations) that will assist you in a critical situation.
  • Consider insurance options available to your organisation: The terms of professional indemnity, public liability or other specialist classes of policy may not provide coverage for cyber related losses. Health practitioners and healthcare providers are advised to consult with their brokers or insurers to consider whether there are other products such as cyber policies that may provide the necessary cover.
The bottom line here is that practices must take the risk of even a single record breach seriously and be able to show that they have taken reasonable steps to minimise breach risk.
In passing I would note that I do not agree with the Authors on the inevitability of adoption and use of the myHR, but that said, the article is well worth a close read!


Anonymous said...

David gets it, the authors don't. The authors said – essentially – My Health Record is the future of digital health in Australia. David said he did not agree with the Authors on the inevitability of adoption and use of the myHR. They have burnt their brand to a cinder.

Anonymous said...

Probably fishing for some work, let's see if they pop up as consultants