While mandatory data breach notification is not yet a reality for non-health businesses in Australia, it already applies to Australian health organisations participating in the My Health Records system. New eligibility requirements for the Practice Incentive Program (PIP) eHealth Incentive mean that organisations wanting to gain the benefit of the incentive must participate in the My Health Records system and upload a prescribed number of shared health summaries to it.

It therefore appears that the government is intent on rolling out the digital health record system despite lacklustre take-up by patients and health organisations alike.

Organisations making the transition to digital health records therefore need to understand their legal and regulatory obligations in handling both My Health Records and, more broadly, personal information. The regulatory framework surrounding personal information and digital health records is complex and involves overlapping legislative schemes. We've broken down some of the key obligations and set out below a snapshot of what Australian health organisations need to consider.

  1. Have an up-to-date privacy policy: Your privacy policy should clearly disclose how the personal information you collect, access and use in your health organisation is managed in accordance with the requirements of the digital health regime and the broader privacy regime. It should also provide guidance on how your organisation manages complaints and unauthorised disclosure. Are you handling Medicare numbers or My Health Records? If so, additional obligations apply. Remember that a policy is only as good as the procedures behind it – make sure you have detailed procedures so you can effectively manage all the information you are handling.

  2. Achieve technical compliance: Managing sensitive health information such as Medicare numbers or My Health Records requires an added layer of security. If you participate in the digital health system, your organisation must adhere to prescribed guidelines concerning how patient records are accessed, transmitted, stored and used – know these guidelines and make sure you're compliant. This will affect how you manage your internal stakeholders, third-party service providers, and your patients and customers. Remember that good compliance should include ongoing training and education for your staff on privacy and the management of information. Know the resources available to assist you – for example, the National E-Health Transition Authority (NEHTA) provides resources to assist your organisation with the transition to digital health.

  3. Have a breach response plan: Mandatory breach reporting is already in place for those participating in the digital health system, and a breach response plan plays an important role in the effective management of that information. For those not yet participating in the My Health Records system, it's still essential to have in place an effective breach response plan that covers breaches of personal information. Your response plan will guide you through the most critical stage of a breach and will determine how your organisation contains, reports and notifies an incident. Make sure your plan is detailed and tested regularly. An effective plan will mitigate the harm caused by a data breach, including reputational damage, resulting customer claims, legal proceedings, and regulatory investigations. The OAIC provides health organisations with a guide to mandatory data breach notification. The published guide is based on the Personally Controlled Electronic Health Record (PCEHR) system, the predecessor to the My Health Records system; however, the guide continues to provide useful guidance.