Thursday, May 18, 2017

A Useful Summary, For The Layman, On Upcoming Health Data Breach Law Implementation.

This appeared a few days ago:

How will Australia’s mandatory data breach notification law affect health service providers

Australia May 10 2017
The apparent privacy breach illustrates the potential harm to reputation of health service providers and underscores the need to improve information handling practices in order to minimise the need to comply with the mandatory data breach obligation.
This article briefly summarises the incident at the John Fawkner Privacy Hospital and explains, in general detail, the obligations health services providers assume when the mandatory data breach notification obligations begin to apply.
Between now and 22 February 2018 (when the data breach notification obligations take effect, according to the Privacy Commissioner), health service providers should:
  • Review their privacy policies and internal data handling procedures to ensure that they are up to date, accurate and comprehensive;
  • Review arrangements with suppliers to ensure that suppliers are maintaining the privacy of personal information disclosed to the supplier by health service providers;
  • Train staff on the importance of privacy, including how to spot a potential data breach; and
  • Formulate a plan to implement in the event a data breach is detected.
What happened at the John Fawkner Private Hospital?
According to a report, a collection of patient records were inadvertently left in a public street near the John Fawkner Private Hospital. The information included patient names, diagnoses, treatment plans, medications, living arrangements and other highly sensitive information.
The hospital operator, Healthscope, is not obliged to inform patients of the apparent privacy breach. The Privacy Commissioner and the Health Services Commissioner both confirmed that they would investigate the circumstances of the apparent privacy breach.
Healthscope, declined to confirm whether it would contact the patients to inform them that their personal and health information had been lost.
What happens when the mandatory data breach notification law comes into effect?
When the notification obligation takes effect, health service providers must report a data breach to the Privacy Commissioner and to affected individuals if the breach is likely to result in serious harm to any individual affected by the breach (as determined on an objective basis).
The following factors are relevant to determining whether the breach is likely to result in serious harm:
  • the kind(s) of information;
  • the sensitivity of the information;
  • whether security measures protect the information;
  • the likelihood that such measures can be defeated;
  • the person(s), or kind(s) of person(s) who have obtained or who could obtain access to the information; and
  • the nature of the harm.
When personal information collected and held by a health services provider is inadvertently released, the chances are quite high that such information is highly sensitive and that the information is not protected by sophisticated security measures. For example, in the case of John Fawkner Private Hospital, the information was recorded in hand-over notes.
Are there exceptions to the obligation?
There are several exceptions to the reporting obligation. If the health services provider takes remedial action to prevent the serious harm from occurring, then the provider is not obliged to report the data breach to the Commissioner or to affected individuals.
Whether the provider has taken remedial action is judged objectively, as the test is whether a reasonable person would conclude that the breach is unlikely to result in serious harm to any affected individual. The legislation is vague on the nature and extent of the remedial action.
If the action taken removes the risk of being seriously harmed for some but not all affected individuals, then the provider must still notify the Commissioner and the affected individuals, but the obligation is reduced to exclude an obligation to notify those individuals protected by the remedial action.
Additionally, an unauthorised access, unauthorised disclosure or loss of personal information cannot give rise to an eligible data breach if that access, disclosure or loss has been, or is required to be, notified under the mandatory data breach notification requirement in the My Health Records Act 2012 (Cth).
More here:
Well worth reading if you have any accountability for protecting and maintaining health information. As always, in any uncertainty exists, seek professional advice!
David.

No comments: