The apparent privacy breach illustrates the potential harm to the reputation of health service providers and underscores the need to improve information handling practices so as to minimise the circumstances in which the mandatory data breach notification obligation is triggered.
This article briefly summarises the incident at the John Fawkner Private Hospital and explains, in general terms, the obligations health service providers assume when the mandatory data breach notification obligations begin to apply.
Between now and 22 February 2018 (when the data breach notification obligations take effect, according to the Privacy Commissioner), health service providers should:
- Review their privacy policies and internal data handling procedures to ensure that they are up to date, accurate and comprehensive;
- Review arrangements with suppliers to ensure that suppliers are maintaining the privacy of personal information disclosed to the supplier by health service providers;
- Train staff on the importance of privacy, including how to spot a potential data breach; and
- Formulate a plan to implement in the event a data breach is detected.
What happened at the John Fawkner Private Hospital?
According to a report, a collection of patient records was inadvertently left in a public street near the John Fawkner Private Hospital. The information included patient names, diagnoses, treatment plans, medications, living arrangements and other highly sensitive information.
The hospital operator, Healthscope, is not obliged to inform patients of the apparent privacy breach. The Privacy Commissioner and the Health Services Commissioner both confirmed that they would investigate the circumstances of the apparent privacy breach.
Healthscope declined to confirm whether it would contact the patients to inform them that their personal and health information had been lost.
What happens when the mandatory data breach notification law comes into effect?
When the notification obligation takes effect, health service providers must report a data breach to the Privacy Commissioner and to affected individuals if the breach is likely to result in serious harm to any individual affected by the breach (as determined on an objective basis).
The following factors are relevant to determining whether the breach is likely to result in serious harm:
- the kind(s) of information;
- the sensitivity of the information;
- whether security measures protect the information;
- the likelihood that such measures can be defeated;
- the person(s), or kind(s) of person(s) who have obtained or who could obtain access to the information; and
- the nature of the harm.
When personal information collected and held by a health services provider is inadvertently released, the chances are quite high that such information is highly sensitive and that the information is not protected by sophisticated security measures. For example, in the case of John Fawkner Private Hospital, the information was recorded in hand-over notes.
Are there exceptions to the obligation?
There are several exceptions to the reporting obligation. If the health services provider takes remedial action to prevent the serious harm from occurring, then the provider is not obliged to report the data breach to the Commissioner or to affected individuals.
Whether the provider has taken remedial action is judged objectively, as the test is whether a reasonable person would conclude that the breach is unlikely to result in serious harm to any affected individual. The legislation is vague on the nature and extent of the remedial action.
If the action taken removes the risk of serious harm for some but not all affected individuals, then the provider must still notify the Commissioner and the affected individuals, but the obligation is reduced to exclude an obligation to notify those individuals protected by the remedial action.
Additionally, an unauthorised access, unauthorised disclosure or loss of personal information cannot give rise to an eligible data breach if that access, disclosure or loss has been, or is required to be, notified under the mandatory data breach notification requirement in the My Health Records Act 2012 (Cth).
What happens if more than one entity is affected by the breach?
Where an eligible data breach affects multiple entities, then only one of the entities must make the report. From the health services provider’s perspective, controlling the message and the method by which the message is communicated may be more important than allowing a similarly affected entity to discharge the statutory duty.
What goes into the notification? How should a health services provider notify affected individuals?
Under the Act, the provider is required to include in the notification its name and contact details, a description of the breach, the kind(s) of information involved and steps the provider recommends affected individuals should take to minimise the risk of harm.
The provider should take reasonable steps to notify the affected individuals directly. However, if the provider determines that it is not practicable for it to notify the individuals directly, then the Act requires the provider to publish a statement on its website and otherwise take reasonable steps to publicise the statement.
What happens if the provider fails to notify the Commissioner or affected individuals?
A failure to notify the Commissioner or affected individuals of a data breach is deemed to be an interference with the affected individuals’ privacy. This triggers the Commissioner’s powers under the Act to investigate the breach, make determinations with respect to the breach and to order remedies for non-compliance. Ultimately, if a provider fails to comply with its statutory obligations, it is exposed to the risk of having to pay civil penalties of up to $1.8 million.
What steps should a provider now take?
Health service providers have some time to put in place processes and procedures to ensure that they comply with their statutory obligations.
First, health service providers should review their privacy policies to ensure that the policy is complete, up-to-date and accurate with respect to the collection, handling and disclosure of personal information (including sensitive and health information).
Secondly, health service providers should review the personal information they hold to determine whether they are capable of destroying or de-identifying personal information they no longer need.
Thirdly, health service providers should consider requiring staff to undergo privacy refresher training to emphasise the importance of respecting individuals’ privacy, with an emphasis on spotting potential data breaches.