Within the next 12 months, all health service providers in the private sector will be subject to mandatory data breach notification laws recently passed by the Australian Government. Under the new laws, private health service providers will have 30 days upon being made aware that there are reasonable grounds to believe a data breach has occurred, to investigate the breach and—if the risk of serious harm to affected patients cannot be excluded—publish a statement notifying the affected patients and the Privacy Commissioner of the breach. 

Background

As with all industries moving toward automation and digitisation, healthcare providers are responsible for protecting personal data they collect from inadvertent disclosure and malicious attacks by cyber criminals. However, the stakes can be much higher for medical institutions, as:

• the data collected relates to personal identification and health records, which are inherently sensitive to the individuals concerned and are more valuable to cyber criminals than credit card details because of the longer shelf life for exploitation; and

• cyber-attacks such as ransomware, which render an organisation’s computer services inoperable until the ransom is paid, can have serious consequences if the health service’s ability to access test results and provide urgent and appropriate medical treatment is compromised.

While mandatory notification of unauthorised access to eHealth information is already a requirement for participants in Australia’s My Health Record system[1], data breach notification for all other healthcare providers has to date been voluntary.

However, on 13 February 2017, the Federal Government passed the Privacy Amendment (Notifiable Data Breaches) Bill 2016 (Cth)[2], which establishes a mandatory data breach notification regime with respect to all organisations subject to the Privacy Act 1988 (Cth).

Who do the new laws apply to?

In recognition of the sensitivity of health information, the Privacy Act extends its operation beyond Federal Agencies and private corporations with an annual turnover of more than $3 million to all organisations which provide a health service and hold health information, regardless of size or annual turnover.

The broad definition of “health service” under the Privacy Act means that private hospitals, pathology laboratories, pharmacists, aged care and palliative care providers, allied health practitioners and medical practitioners providing health services in a private capacity are all likely to be subject to the data breach notification regime.

In comparison, public healthcare providers, such as public hospitals, are subject to state privacy legislation and are not covered by the Federal mandatory data breach notification regime.

Where the application of the Privacy Act becomes less clear is in circumstances where private and public healthcare services are provided by the same practitioners in co-located public and private hospitals. Internal policies regarding collection and maintenance of health records should clearly address which individual or entity has possession or control of the records and advice should be sought if there is any doubt regarding the potential application of the data breach notification regime.

What do the new laws require?

Under the new regime, private health service providers will be required to notify the Privacy Commissioner and affected individuals when they become aware that there are reasonable grounds to believe that an “eligible data breach” has occurred. An eligible data breach is defined as either (a) unauthorised access to, or disclosure of, information which is reasonably likely to result in serious harm to the individuals to whom the information relates, or (b) the loss of such information in circumstances where unauthorised access or disclosure is likely to occur.

The sensitivity of the information, the nature of the breach and the security measures in place (such as encryption) are all factors which should be taken into account in determining whether access to or disclosure would reasonably be likely to result in serious harm. Affected organisations have only 30 days in which to investigate and make a decision as to whether there are reasonable grounds to believe that an eligible data breach has occurred and notification is required. The notification statement must disclose the type of data breach, the particular information affected and how the affected patients should respond to the data breach.

Failure to comply with the new laws could result in fines of up to $360,000 for individuals and $1.8 million for organisations, where the Privacy Commissioner finds a serious or repeated interference with privacy.

Exemptions to the mandatory notification requirements include:

• where mandatory data breach notification is already required in the event of unauthorised access to eHealth information under the My Health Records Act, to avoid imposing a double notification requirement; and

• where the organisation takes action in the initial 30 day investigation period and, as a result of that action, a reasonable person would conclude that the breach is not likely to result in serious harm.

How should health service providers prepare?

Data security is rapidly becoming a serious corporate governance issue in Australia[3], and health service providers should not wait for a suspected data breach to occur before determining whether their systems for protecting patient health records are adequate.

Similarly, having a robust data breach response plan in place at the time of a suspected breach both increases the prospects for mitigating the risk of serious harm before the 30 day deadline for notification, and allows an organisation time to seek appropriate advice from public relations and legal consultants to ensure that any required notification does not expose it to unnecessary legal and reputational risk.

Time is running out before the data breach notification regime comes into effect. To avoid being caught unawares, healthcare providers should be taking the following minimum steps:

1. Determine whether you or your organisation are subject to the Privacy Act and have access to or control over personal health records.

2. Ensure that you or your organisation have appropriate data security policies for collecting, storing and protecting health records, including regularly updating anti-virus and anti-malware software, providing ongoing cyber security training to staff and considering the adequacy of the password protection and encryption programmes in use.

3. Review contracts with third party data storage or management service providers to ensure that they require compliance with your obligations under the data breach notification regime and contain appropriate remedies for breach.

4. Prepare a data breach response plan, including identifying in advance appropriate IT, public relations, loss adjusting and legal consultants with specific expertise in investigating a potential data breach and mitigating the risk of serious harm to individuals, as well as reputational and legal risk to you or your organisation.

5. Consider whether existing insurance cover will respond to the compliance costs of mandatory data breach notification, including the costs of engaging consultants, and any liability to third parties arising out of civil claims.