Mandatory breach notification is back on the Australian Government's agenda for the Spring 2016 sittings, when it is expected the government will (once again) consider implementing a mandatory breach notification regime requiring Australian businesses to report data breaches that compromise personal information collected or held by those businesses. Yet, unbeknownst to some, such a requirement already exists for certain Australian businesses. Health service providers take note – if you are handling certain types of health records, you may already be legally required to report breaches affecting those records.
What is 'mandatory reporting' – and is it relevant for my business?
The Privacy Act applies to Australian individuals and businesses with a turnover of over AUD3 million, and to those providing a health service and who hold health information irrespective of turnover. Currently, the Privacy Act does not require that your customers or the Office of the Australia Information Commissioner (OAIC) be notified of a data breach that compromises their personal information. That is likely to change in time – and draft legislation could (if implemented) extend such mandatory reporting obligations to all businesses subject to the Privacy Act. In the meantime, notifications are encouraged by the OAIC as part of a data breach response plan, where the disclosing party thinks there may be a real risk of serious harm to the individual as a result of the breach.
I run a health services business – how does this affect me?
In addition to the requirements of the Privacy Act, healthcare providers accessing, processing and storing 'My Health Records' are subject to a mandatory data breach reporting regime. This regime has been in place since the inception of the My Health Record scheme in 2012 and requires notification, in certain circumstances to the My Health Record System Operator (i.e. the Secretary of the Department of Health) and the OAIC, of data breaches affecting an individual's My Health Record.
What is My Health Record?
Essentially, it is the future of digital health in Australia.
My Health Record is described by government as "a secure online summary of your health information". It is an opt-in scheme, operating from an online platform, which stores in one place important health information relating to individuals. Healthcare providers including doctors, specialists and hospital staff can access these details online from anywhere, at any time, for the purpose of providing healthcare and in accordance with access controls set by the individual patient or default access controls, as the case may be.
Considering the sensitive nature of an individual's health information that is being stored in the individual's My Health Record, the provisions relating to mandatory breach reporting have been seen as an important element of the system and a safeguard for those providing their details for storage in the system.
However, the slow uptake of the system by Australian health providers and practitioners means that industry awareness of the mandatory reporting requirements attaching to the My Health Record platform is unlikely to be widespread.
Why is this now more important than ever?
A digital health records system has been on the radar for many years.
In June 2016, the My Health Record "opt-out" trials commenced in the Nepean region of Western Sydney and North Queensland where 1 million individuals have been provided with a My Health Record. Trials are due to close in October 2016 and reports indicate that there has been a very low opt-out rate.
In July 2016, the National E-Health Transition Authority became the Australian Digital Health Agency, and is expected to become the system operator for the My Health Record system. In August 2016, the Government appointed as the agency's CEO, the former National Director for Patients and Information in the UK National Health Service (NHS) who was responsible for the digital transformation of the NHS. And, the Government has launched a public consultation on the development of a framework for secondary use of My Health Record data, which is expected to open in the coming months and will conclude before the end of 2016.
It seems to us that this shift of focus and the move towards widespread implementation of the My Health Record system is indicative of the Government's continued support for the expansion and development of digital health in Australia. While important building blocks in the digital health system (such as universal use of secure messaging and standardised system interoperability) may be several years away, we believe that mandatory adoption and use, in the short to medium term, of the My Health Record system across health service providers in Australia is inevitable.
What are the challenges for healthcare providers operating (or soon to be operating) in the My Health Record platform?
The transition to digital health poses a wide range of challenges for healthcare providers, including:
- ensuring that the onboarding of personal and sensitive information into the platform is done in compliance with all legal and regulatory requirements;
- achieving ongoing technical and systems security integrity and compliance;
- ensuring staff are properly trained in and aware of the risks associated with operating on an online platform;
- implementing robust information handling policies and procedures and breach response plans; and
- managing and tackling the increasing risk of malicious cyber incidents, such as malware and ransomware attacks, against healthcare providers (for example the recent virus attack on Royal Melbourne Hospital).
A comprehensive awareness of the obligations that arise under privacy and digital health legislation in Australia will be required for those operating in the health services industry, so as to avoid the potentially disastrous effects of improper use of health information and poorly managed responses to breaches.
What happens if I breach the My Health Record system requirements relating to reporting breaches?
Where a participating healthcare provider suspects, becomes aware of, or knows a data breach has or may have occurred, they must notify the OAIC or the System Operator. What constitutes a 'data breach' is all encompassing - any unauthorised collection, use or disclosure of health information included in an individual's My Health Record involving the entity or an event or circumstances involving the entity that compromises, may compromise, has compromised or may have compromised the security or integrity of the My Health Record system. A penalty of up to AUD90,000 applies for failing to report such an incident.
As well as notifying of the data breach, there are other prescribed procedures a healthcare provider must undertake following an actual or suspected breach, including:
- taking steps to contain and evaluate the breach;
- if there is a reasonably likelihood that a breach has occurred with serious impacts for at least one healthcare recipient (i.e. one patient), the healthcare provider must ask the System Operator to notify all healthcare recipients that would be affected;
- if the healthcare provider knows that a data breach has occurred, it must ask the System Operator to notify all healthcare recipients that would be affected; and
- if a 'significant' number of healthcare recipients are affected, the healthcare provider must notify the general public.
Although there are no fines for failing to follow these additional prescribed procedures after a suspected or actual breach, there may be other more significant consequences such as cancellation of registration of operating licences, which would have reputational and commercial impacts for healthcare providers.
The OAIC also has investigative powers and can, as a result of a complaint, initiate an investigation. This could result in the healthcare provider being subject to injunctions, enforceable undertakings, court orders, and civil penalties for breaches involving an individual's My Health Record.
What can healthcare providers do?
Digital health is coming and healthcare providers should start preparing now. All healthcare providers, in particular those operating in the My Health Record system, should consider the following:
- Review how your organisation manages its data: Know the kinds of data your organisation handles, and the value of the data. Know where it is stored, who has access to it and how it is secured.
- Know your obligations in operating within the My Health Record system: What obligations are imposed under the Privacy Act and under the My Health Record system on you as a business handling such sensitive information?
- Identify and understand relevant risk frameworks suited to your business: Consider different risk frameworks that may apply to your business. Decide on a framework, implement it and use it to evaluate your cybersecurity. Test the framework regularly and consider how it can be improved.
- Be prepared: Have a breach response plan in place. Consider the different types of breaches your business could suffer. Your plan should set out roles within your breach response team, and identify third parties or experts (IT security, legal, public relations) that will assist you in a critical situation.
- Consider insurance options available to your organisation: The terms of professional indemnity, public liability or other specialist classes of policy may not provide coverage for cyber related losses. Health practitioners and healthcare providers are advised to consult with their brokers or insurers to consider whether there are other products such as cyber policies that may provide the necessary cover.