Australia’s answer to HIPAA: Notifiable Data Breaches Act 2017

The data privacy amendment, Notifiable Data Breaches Act 2017, was recently enacted by the Australian federal parliament, to protect users from malicious internet attacks, which can include data breaching, security, content, and so on.

The new regulations come into effect as of February 22nd, 2018.

Banner - HIPAA Australia

The act draws cues from the Privacy Act 1988, and states that any business or individual must report if there is a known data breach.

It is important to notify the Australian Information Commissioner if you believe a data breach has occurred.

An entity must give notification if it has reasonable grounds to believe that an eligible data breach has happened; or it is directed to do so by the Commissioner.”

The new amendments define what constitutes as a breach:

An eligible data breach happens if there is; unauthorised access to, unauthorised disclosure of, or loss of, personal information held by an entity; and the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates

Data breaches are a common occurrence, however, determining if a breach requires notification be given to the OAIC and any patients effected about can be difficult.

Useful information about the steps that should be taken to report a data breach is available from The Office of the Australian Information Commissioner’s website

The guide is currently being updated to reflect the new legislation and clarifies that a “data breach” is not limited to hacking or data theft, but it also covers accidental loss or disclosure of data.

The OAIC Data Breach Notification Guide, which can be found on the OAIC website, aims to educate users about how to handle personal information security breaches.

What to do if you suspect a privacy breach

You need to take the following steps if you suspect that a data breach may have occurred;

  • Contain the breach
  • Evaluate the risks associated with the breach
  • Check that the breach affords reporting to the OAIC
  • Prevent future breaches and engage with your IT service provider (if they didn’t cause the breach in the first place)
  • Notify the people potentially affected by the breach and notify the Office of the Australian Information Commissioner

Exposing sensitive medical information of others is not the only risk. Breaches could also include the accidental release of names, addresses, phone numbers, Medicare details, etc.

The fines for breaches under the Act are significant and failing to notify may result in significant penalties, including fines of $360,000 for individuals and $1.8 million for organisations and business entities.

The OAIC is empowered to compel the offending entity to make a public apology or pay compensation to affected individuals.

Have the discussion with your software vendor/IT consultant about the security of your practice records and management software. This includes any software that stores sensitive information such as names, addresses, etc.

Practices are generally doing the correct thing by using remote backups with cloud storage to protect their data and by operating software directly from the cloud.

Any information (both physical and virtual) must be secure. Check with your service providers that cloud data is encrypted during transport and at rest.

Consider the following:

  • How are workstations, servers and devices protected? Does your Wifi network link to your practice network?
  • Who is authorised to take backups offsite? Does your backup provider use local datacentres for storage?
  • How alert and educated are the staff members in data privacy matters?
  • Do your staff members understand what a breach is, when, and who to report to in the practice? Has the matter been discussed in staff meetings?
  • Do your staff members feel empowered without fear to report errors or incidents?

Fostering a culture in your practice that encourages open conversations about possible risks in data security is advisable. You could later be held liable if you do not have such a culture in your workplace. Make data breaches a common topic in meetings to ensure awareness in clinic staff.

Disposal of sensitive records is also important. Incorrect disposal can be considered a potential data breach. Destroying radiographs, record cards, practice printouts and so forth must be carried out in a way which ensures compliance with the standard.

The ADA suggests clinic owners consider obtaining Cyber Risk insurance to provide financial protection in the event that a data breach occurs in spite of your best efforts.

If you have any questions or concerns about the issues raised in this article, please contact an IT consultant at Analog Digital Services on 1300ANALOG.