The following appeared the day before yesterday.
70 substantiated privacy breaches in 2009: Medicare
- Karen Dearne
- From: Australian IT
- March 12, 2010
MEDICARE Australia's eBranch head Sheila Bird has told a Senate inquiry that there were 70 substantiated privacy breaches from investigations into around 950 employees suspected of having had unauthorised access to client records.
The figures on alleged snooping, contained in a statutory report to the federal Privacy Commissioner and revealed in The Australian, indicate around one in six staff were being tracked on an “unauthorised use” database. The database held records relating to "approximately 948 staff members as at June 30, 2009", out of a total 5887 employees.
In the previous year, 750 individuals were identified on the unauthorised access database as being under surveillance for possible access to confidential personal information, including medical and financial details.
The story sparked particular concern about the potential for staff to browse client records without a valid reason during a Senate inquiry into the Rudd Government's Healthcare Identifiers Bill.
The bill will empower Medicare to issue a unique, 16-digit patient identity number to every Australian from July 1, in support of greater exchange of medical information across the health sector.
Ms Bird said the report in The Australian was "wrong".
However, the story included comment and information provided by Medicare, including the agency's claim that 1058 cases had been investigated since 2006, with 54 per cent found to be unauthorised access - although 30 per cent of these incidents involved staff browsing their own records.
Ms Bird provided the same information to the inquiry, and agreed under questioning that approximately 948 staff members had been investigated for possible unauthorised access to records in the year up to June 2009.
"That is the number that were investigated," she told the inquiry. "They were not found, in more than half those cases, to have actually had unauthorised access.
"(Most) involved a staff member looking at their own record. This is contrary to policy and staff are disciplined for doing so, however it is not a privacy breach.
"In 2008-09, there were 70 privacy breaches. In the first half of this financial year, there have been 16 privacy breaches."
Ms Bird said a range of disciplinary measures were available, from "a rap over the knuckles, demotion, fines and dismissal".
The issue is also covered here:
Medicare staff fined for prying in records
12th Mar 2010
DOCTORS have voiced alarm at revelations that nearly 1000 Medicare staff have been investigated in the past four years for accessing client records without proper authority.
In a statutory report submitted to the Office of the Privacy Commissioner, Medicare stated that since November 2006, monitoring systems had identified 948 employees who may have accessed confidential client records.
Further investigations found breaches of protocol in 54% of cases, though a third of these related to Medicare staff accessing their own records. ranging from counselling to fines and even termination of employment were taken against those found in breach.
One person has been sacked and more than 70 have resigned as a result of accessing client files without authority.
Dr Rod Pearce, chair of the AMA council of general practice, said the figures vindicated previous GP fears about handing over patient records for Medicare compliance audits.
“It’s terrible – this is exactly what we were always concerned about,” he said.
A spokesperson for Medicare said there would be an audit log of all access to healthcare identifier systems, which would be used to identify potential inappropriate access. Customers would also be able to use the log to learn when their UHI record had been accessed.
More here (registration required):
A few comments:
First, we all need to appreciate the difficulty Medicare faces in managing this sort of thing. It happens with all sorts of ‘honey pot’ databases. That, however, is no real excuse for not having good monitoring and firm rule enforcement, as well as ongoing education programs, to keep the level as low as possible.
Second, given we now know provider identifiers will not have real audit trails in place for a few years, there needs to be a public discussion about how the HI service should be introduced to minimise the risks seen here.
Third, from the Senate evidence it seems all is not well, despite some ill-constructed claims to the contrary.
Last, it was the second report that got me a mention in the House of Reps debate. Funny that you blog away and it's only the published comments elsewhere that get picked up. Oh well!