Patients and the data breach notification maze
The Office of the Australian Information Commissioner (OAIC) recently released its second quarterly report on the operation of the Notifiable Data Breaches scheme.
This scheme was introduced into the Commonwealth Privacy Act in February and means organisations subject to the Act must tell the Commissioner about data loss, or unauthorised access or disclosure of information, that is likely to result in serious harm.
The people affected by the data loss or unauthorised disclosure must also be notified.
The new report shows that the health sector continues to make up the largest proportion – some 20 per cent – of entities reporting data breaches. Other leading sectors are finance, legal, accounting and management services.
Almost 60 per cent of health sector breaches were because of human error, like personal information being sent by email or post to the wrong person, or loss of paperwork. The remainder were due to malicious or criminal attack.
The report’s findings are troubling.
People are rightly concerned about their health data, including doctors’ observations, lists of illnesses and injuries, prescription information and test results, being accessed unlawfully.
This could lead to emotional distress, embarrassment, risk to a person’s safety, and discrimination for the patient and their family.
Exceptions to the rules
Of greater concern is the report’s confirmation that the health sector in Australia is especially prone to data breaches when most health services – specifically, public hospitals and community health centres – are exempt from the breach notification requirements.
There are almost 700 public hospitals in Australia that provide two thirds of all hospital beds in the country and employ some 365,000 staff. They care for millions of Australians and hold their confidential medical information.
But because public hospitals are regulated by states rather than the Commonwealth, they are not subject to the Privacy Act and its Notifiable Data Breaches scheme. State parliaments haven’t enacted similar schemes to mandate breach reporting by state-based entities, like public hospitals.
This inconsistent maze of breach notification requirements is about to get worse with the full-scale implementation of the national My Health Record.
Adding to the maze
By the end of 2018, every Australian who hasn’t opted-out will have one of these records. Information can be uploaded to the record by patients as well as by public and private hospitals, health care providers including GPs and specialists, pathology and diagnostic imaging services and pharmacies.
The My Health Record has its own breach notification provisions that use a different legal test than the scheme in the Privacy Act.
This means that if patient information is lost or accessed unlawfully, one of three laws could come into play, depending on where a person’s medical information sits at the time.
Breach notification is mandatory in some instances but not in others, even for the same type of information about the same patient and the same episode of care.
Different rules apply
Here’s an example.
Ms Smith visits a private specialist, Dr Jones, for advice on a health problem that requires surgery. Dr Jones enters notes about Ms Smith’s condition into the (private) clinic’s record. Ms Smith is then admitted to a state public hospital for surgery as a private patient under the care of Dr Jones.
While she is there, information about her surgery and recovery are entered into the (public) hospital record by nurses and junior doctors. Both Dr Jones and the hospital also upload some information about Ms Smith’s treatment to the national My Health Record.
In this scenario, if information about Ms Smith’s surgery is accessed by hackers then whether Ms Smith must be told about the breach depends on where the information was taken from.
If it was held in Dr Jones’ private rooms (and assuming certain criteria are met), under the Commonwealth Notifiable Data Breaches scheme, Dr Jones must tell her about the breach as well as inform OAIC.
If the same information is taken from the My Health Record, Ms Smith must still be informed but the specific notification criteria and the procedures are different.
Finally, if the information is taken from the public hospital records, there is no legal obligation to tell her at all.
Confusing and disjointed
Consumers may rightly expect that similar rules govern data breaches of their sensitive health information, no matter where they seek healthcare and where that information is held.
It is absurd that they will be informed about data loss from a private healthcare provider or from the statutory My Health Record, but not from a major public hospital.
The latest report from OAIC confirms the risk present in the healthcare sector in Australia, creating very real cause for concern that lack of a joined-up system is not serving Australian healthcare recipients well.
This article was published by Pursuit.
Megan Prictor is a Research Fellow at the Melbourne Law School in the University of Melbourne. She researches in the fields of law and emerging health technologies, such as biobanking, genomic medicine, and data regulation.