According to the Office of the Australian Information Commissioner (OAIC), health service providers have consistently been among the top three sources of privacy complaints over the last three years.
In light of this data, the OAIC has urged health service providers to improve their privacy practices, commenting that:
“health information is considered to be some of the most personal information about an individual, and it must be handled responsibly and transparently.”
The Commissioner further reminded health service providers of the importance of complying with their privacy obligations under the Privacy Act, not just for the sake of upholding their reputation and customers’ confidence in their practices, but to avoid significant financial penalties.
In particular, the OAIC can seek civil penalties of up to $2.1 million per privacy breach.
This amount is expected to increase in light of proposed new legislation and in line with other international jurisdictions (see our articles here and here on recent fines issued under the GDPR). We will keep you updated as this new proposed legislation progresses.
New Guide for Health Service Providers
To assist health service providers to improve their privacy practices, the OAIC has released a new guide, which outlines key practical steps that health service providers should take to embed good privacy in their practice, and how key privacy obligations apply to and operate in the healthcare context.
Some of the key concepts included in the Guide are as follows:
Who is a Health Service Provider?
Providers of health services are subject to more onerous duties under the Privacy Act. However, organisations are often unaware of whether or not they are subject to such duties.
The Guide confirms that ‘health service providers’ include doctors and private sector hospitals, allied health professionals (e.g. dentists, podiatrists, optometrists), pharmacists, private aged care and palliative care facilities, disability service providers, private schools and childcare centres, gyms, weight loss clinics, and more.
If your organisation falls within one of the above categories (or a related category), you need to be aware of your privacy obligations.
What is Health Information?
Health information is all personal information collected in the course of providing a health service, for example:
- information about an individual’s physical or mental health;
- appointment and billing details;
- records held by a fitness club about an individual;
- an individual’s healthcare identifier when it is collected to provide a health service; and
- any other personal information (such as information about an individual’s date of birth, gender, race, sexuality or religion), collected for the purpose of providing a health service.
How do health service providers comply with their privacy obligations?
The Guide features the following eight-step plan for better privacy practice:
- Develop a privacy management plan
- Develop clear lines of accountability for management
- Create a documented record of the types of personal information handled
- Understand privacy obligations and implement processes to meet them
- Hold staff training sessions on privacy obligations
- Protect the information held
- Develop a data breach response plan
The Guide also explains how health service providers should collect and use personal information, including how they should seek and maintain proper consent for collection from individuals, how they should store the information once collected (i.e. secure storage, de-identification requirements, etc.), how authorised disclosure to third parties may be made (e.g. disclosure to other medical practitioners), and how (and when) such information must be destroyed.
The Guide and accompanying statements released by the OAIC show just how seriously the OAIC is taking privacy compliance, particularly when it comes to health service providers.
We are able to assist organisations to become and remain privacy compliant. We can also provide additional practical tips to assist organisations to minimise the risk of data breaches and instances of non-compliance occurring.