KPMG and Information Integrity Solutions recently released their report into privacy and security of information at ACC (Report). The Report's opening comments recognise that while information is "arguably the most critical asset in any organisation", keeping it safe is one of the most difficult challenges that an organisation faces.

Along with the release of the Report, the growing trend of greater electronic information sharing in the health sector (both within and between different organisations and different sectors) means that it is timely for health sector organisations to consider their compliance with the Health Information Privacy Code 1994 (HIPC).

We have set out below some recent sector developments, followed by key lessons from the Report that are likely applicable to all health sector organisations.

Sector developments

The way health information is shared is a key area of ongoing development within the health sector.  It is widely recognised that better information sharing improves the quality of healthcare services, while at the same time reducing costs.  A key concept in the National Health IT Plan is development of a virtual health record for every patient, making patient information accessible regardless of location.

However, health information can be highly sensitive.  Security and privacy concerns associated with information sharing need careful consideration.  In this regard, the National Health IT Board is currently carrying out a series of public and community seminars to discuss improvements to the way personal health information is shared electronically.

On the legislative front, the Government has agreed with a Law Commission recommendation that the Privacy Act 1993 be replaced with new legislation.  Parliament has also heard the first reading of the Privacy (Information Sharing) Bill.  This amends the rules relating to information sharing within and between agencies.  It also amends the rule regarding disclosure of information where there is a "serious and imminent threat", so that only a "serious" threat is required before disclosure is permitted without authorisation from the individual concerned.

Why does privacy matter?

Fundamentally, health professionals rely on their patients providing full and accurate information about their conditions, in order to provide appropriate care to those patients.  Poor information management impacts on the trust and confidence that the community has in a health provider and could impact on the information that patients provide to carers.  The Report notes that for agencies "whose interaction with people and personal information is critical and central to their function, effective privacy management and a culture of respecting personal information must be a clear priority and given appropriate strategic importance."

In addition, health providers have legal obligations to manage information appropriately.  In part, this requires compliance with the Privacy Act and the HIPC.  Public sector organisations also have obligations under the Public Records Act 2005 and the Official Information Act 1982.  In addition to legal obligations, registered health professionals are required to comply with ethical obligations of confidentiality.

Failure to comply with privacy obligations can have significant consequences for all involved.  A good example of this is found in a Health Practitioners Disciplinary Tribunal case, where a nurse accessed mental health records about the mother of her partner's children.  She was able to access records held by her employer (a DHB), and by another DHB, through a regional information sharing system.  The records were used in Family Court proceedings.  The employing DHB decided to dismiss the nurse (although she resigned before this occurred), and the Tribunal found her guilty of professional misconduct.

Key lessons from the report

The Report resulted from an inadvertent disclosure of claimant information by ACC.  Given that much of the information collected by ACC is sensitive health information about individual claimants, the issues and recommendations raised in the Report are relevant to all organisations that hold health information.

Overall, the Report emphasised that organisations need to develop a culture where client information is respected, and both board members and senior management "walk the talk" in regard to privacy.  It also stressed the importance of an appropriate privacy programme and accountability.

Importantly, an organisation's data needs to be appropriately protected by "thorough and effective" risk mitigation strategies.  Without such strategies the organisation will be at risk of significant reputational damage.  Risk mitigation strategies include:

  • Developing and implementing appropriate privacy policies and procedures
  • Providing privacy education and training for staff
  • Making privacy part of the organisation's risk management framework
  • Ensuring that responsibility for privacy matters (including escalating and resolving issues) is clear
  • Using secure portals where possible, and taking care when information is instead shared by email.

The Report also stressed that privacy should be "built-in", rather than "built-on", to business systems and processes.  In this regard, the Office of the Privacy Commissioner has a Privacy Impact Assessment (PIA) tool to help organisations assess the privacy impact of a system.  For privacy to be "built-in", a PIA should be carried out early on in the development of any new system or process.

Compliance with privacy requirements needs to be monitored.  Electronic "footprint" records can be built into IT systems to ensure that the organisation has a record of which information has been accessed, and by whom.  This type of information needs to be regularly audited, and where potentially inappropriate access is identified, acted upon promptly.
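As an added illustration (not code from the Report or from any of the organisations named), the following Python sketch shows the kind of audit that footprint records make possible: each access is checked against a table of documented care relationships, and accesses with no such relationship are flagged for a privacy officer's review, with access to records held by another organisation and to mental health records called out, as in the Tribunal case above.  All log lines, user names, patient identifiers and the relationship table are constructed.

```python
"""Audit of electronic 'footprint' (access) records for a health record system.
Added example, not from the Report; all log lines, user names and patient
identifiers are constructed."""
import csv
from collections import Counter
from io import StringIO

# Constructed footprint log: who viewed which record, and which organisation held it.
ACCESS_LOG = """\
ts,user,user_org,patient,record_org,record_type
2012-05-01T09:02,nurse01,DHB-A,P1001,DHB-A,general
2012-05-01T09:10,nurse01,DHB-A,P1002,DHB-A,general
2012-05-01T22:41,nurse01,DHB-A,P2044,DHB-B,mental_health
2012-05-02T10:15,doc07,DHB-A,P1001,DHB-A,general
2012-05-02T10:20,doc07,DHB-A,P3100,DHB-A,mental_health
"""

# Constructed care relationships, e.g. from a roster or episode-of-care system:
# (user, patient) pairs where the user is on the patient's treating team.
CARE_RELATIONSHIPS = {("nurse01", "P1001"), ("nurse01", "P1002"), ("doc07", "P1001")}


def parse_log(text):
    """Parse the CSV footprint log into a list of dicts, one per access."""
    return list(csv.DictReader(StringIO(text)))


def flag_accesses(entries, relationships):
    """Return (flagged, per_user_counts) for a privacy officer to review.

    An access is flagged when no care relationship links user and patient.
    The reasons also note aggravating factors seen in the Tribunal case above:
    records held by another organisation, and mental health records.
    """
    flagged = []
    for e in entries:
        if (e["user"], e["patient"]) in relationships:
            continue  # access consistent with a documented care relationship
        reasons = ["no documented care relationship"]
        if e["record_org"] != e["user_org"]:
            reasons.append("record held by another organisation: " + e["record_org"])
        if e["record_type"] == "mental_health":
            reasons.append("sensitive record type")
        flagged.append({"ts": e["ts"], "user": e["user"],
                        "patient": e["patient"], "reasons": reasons})
    return flagged, Counter(f["user"] for f in flagged)
```

Calling `flag_accesses(parse_log(ACCESS_LOG), CARE_RELATIONSHIPS)` on the constructed log flags two accesses: the late-night view of a DHB-B mental health record by nurse01, and doc07's view of a mental health record for a patient not under their care.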

If a privacy breach occurs, it is important that the agency responds appropriately to that breach.  The Office of the Privacy Commissioner has issued guidelines on managing privacy breaches.  The Report recommends a centralised reporting system for recording privacy complaints, so that information about breaches and near misses can be collated and analysed, and trends, systemic issues and risk areas can be identified and addressed.