Privacy Matters Part 1 – How to embed privacy in your health service

Ensuring privacy of patient data is a cornerstone of delivering a safe and effective health service.

Health professionals routinely handle sensitive health information about their patients, and the collection, storage and disclosure of this information is something that needs to be performed carefully.

In Australia, health service providers who work in the private sector have professional and legal obligations to protect their patients’ health information. While those professionals who also operate a telehealth service, have additional privacy issues to consider. In this two-part series of articles, we take a look at privacy obligations in the health sector, and how you can embed good privacy habits in your practice.

According to the Privacy Act 1988, all private health providers – big and small – are required to be proactive in establishing, implementing, and maintaining privacy processes in their practice.  

Having effective privacy processes in place helps manage the risk of a privacy breach, as well as the response if one occurs.

Ultimately, good privacy governance builds trust in the provider-patient relationship and enhances reputation.

To ensure that you collect, store and disclose patient information correctly and meet your privacy obligations, the Office of the Australian Information Commissioner (OAIC) has created eight key steps to follow.

Step 1: Develop and implement a Privacy Management Plan

A ‘Privacy Management Plan’ is an overarching document that identifies specific, measurable goals and targets to help you meet your privacy obligations.

Creating a plan like this, right from the beginning, helps you to understand the where, why, when and who of embedding privacy processes in your practice, and how to integrate it into your daily business routines.

The OAIC has a fill-in-the-blanks template that you can modify to suit your practice’s unique privacy requirements.

When drafting your Privacy Management Plan, there is a framework that includes four broad categories, which you need to consider:

1. Embed a culture of privacy that enables compliance.
   For example, assign key roles and responsibilities for privacy management; establish a reporting mechanism for privacy issues.
2. Establish robust and effective privacy practices, procedures, and systems.
   For example, define record-keeping protocols; expand staff training to include privacy processes; assess risk regularly, and create a data breach response plan.
3. Evaluate your privacy practices, procedures, and systems to ensure continued effectiveness.
   For example, regularly monitor and review privacy processes, policies and notices; create channels for customer and staff feedback.
4. Enhance your response to privacy issues.
   For example, an external audit of privacy processes; keep up to date with changing legal obligations; consider privacy changes when new technology is deployed.

You can read more about the process of creating a privacy management plan here

Step 2: Develop clear lines of accountability for privacy management

Ensure that everyone in your practice knows who has responsibility for managing privacy requirements. In larger practices, there can be a number of people who manage this role. This person (or persons) can quickly respond to privacy issues and provide guidance including:

• how to handle personal information and meet compliance obligations
• assisting with privacy related complaints or queries from a patient
• promptly addressing a data breach.

Step 3: Create a documented record of the types of personal information you handle

In health services, there are many types of patient information that are required – for example personal details, health notes, medications, referral letters, test results etc.

And there are many ways that information is collected and stored.

Creating a documented record that outlines the scope of patient information your health service handles will help you meet your privacy obligations. It will inform the creation of your privacy policy; help you choose the best data security options; and also confidently and efficiently provide individuals with access to their personal information.

The record should include:

• Types of personal information handled in your practice – clinical notes, contact details, Medicare details, test results, referral letters.
• How personal information is received – records generated in your practice, written and verbal information from patients, other healthcare providers, insurers, lawyers.
• Where personal information is held – physical and electronic records within your control including on premises, off site, and cloud storage providers.

Step 4: Understand your privacy obligations and implement processes

Before you can put processes in place to protect patient privacy, you need to fully understand your privacy obligations. The OAIC recommends you read the Guide to Health Privacy, and use it as the basis to implement privacy processes that cover:

• the collection, disclosure, storage, and security of personal information
• staff protocols for the handling of personal information
• ease of access for individuals to correct their personal information
• receiving and responding to patients’ privacy enquiries and complaints.

Step 5: Staff training

Use training programs to create a confident team that can apply follow privacy processes and meet privacy obligations when handling personal information.

Suggestions include:

• train all new staff about privacy requirements and current privacy practices and expectations
• develop clear and consistent processes to ensure everyone is aware of their obligations and who to ask for assistance
• make privacy related resources available to staff eg via email or intranet
• hold ongoing information sessions for updates on emerging privacy issues/risks, privacy breaches, complaints etc
• professional development opportunities to up-skill staff roles that require a deeper understanding of privacy/security.

Step 6: Create an Australian Privacy Principle (APP) privacy policy

As a healthcare provider, you are required to have a clearly expressed and up-to-date privacy policy. The policy must be readily accessible to clients and patients –  for example, it can be printed on paper, available on a website or displayed on a mobile device screen.

If, at any time, you change your information handline practices, you must update your privacy policy accordingly and publicise the update, for example on your website, via email or post. When devising a privacy policy, it must align with the 13 Australian Privacy Principles.

Your privacy policy must include:

• Your organisation’s name and contact details.
• What kinds of personal information you collect and store.
• How you collect personal information and where it is stored.
• The reasons why you need to collect personal information.
• How you will use and disclose personal information.
• How a patient can access their personal information or ask for a correction.
• How a patient can lodge a complaint if they think their information has been mishandled, and how you handle complaints.
• A statement regarding how likely you are to disclose patient information outside Australia and, if practical, which countries you are likely to disclose the information to.

Your privacy policy may also include:

• How long you keep personal information.
• If personal information must be scanned.

Step 7: Take reasonable steps to protect and secure personal information

Health providers are required to take “reasonable steps” to protect personal information and, when the information is no longer required, to ensure that it is correctly destroyed or de-identified.

So that your practice has adequate protection and security measures in place, consider implementing strategies in the following areas:

• Governance, culture and training.
• Internal practices, procedures and systems.
• ICT security
• Access security
• Third party providers (including cloud computing)
• Data breaches
• Physical security
• Destruction and de-identification.
• Standards.

For further detail, read the OAIC’s Guide to securing personal information. (Please note, the OAIC is currently in the process of updating its guide)

Step 8: Develop a data breach response plan

A data breach is when personal information is lost or subjected to unauthorised access, modification, disclosure, or other misuse or interference. Perhaps a practice laptop is lost or stolen, a data base is hacked, or personal information is mistakenly provided to the wrong person.

Whatever the situation, having a response plan ready to go will help you respond quickly and effectively to a data breach.

So, what do you include in your data breach response plan? Here is a checklist from the OAIC:

• What a data breach is and how staff can identify one
• Clear escalation procedures and reporting lines for suspected data breaches
• Members of the data breach response team, including roles, reporting lines and responsibilities
• Details of any external expertise that should be engaged in particular circumstances
• How the plan will apply to various types of data breaches and varying risk profiles with consideration of possible remedial actions
• An approach for conducting assessments
• Processes that outline when and how individuals are notified
• Circumstances in which law enforcement, regulators (such as the OAIC), or other entities may need to be contacted
• Processes for responding to incidents that involve another entity
• A record-keeping policy to ensure that breaches are documented
• Requirements under agreements with third parties such as insurance policies or service agreements
• A strategy identifying and addressing any weaknesses in data handling that contributed to the breach
• Regular reviewing and testing of the plan
• A system for a post-breach review and assessment of the data breach response and the effectiveness of the data breach response plan

Read Part 2 of this privacy series, where we take a look at privacy concerns for health professionals who provide a telehealth service.

The Australian Government Office of the Australia, Information Commissioner is the independent national regulator for privacy and freedom of information.

Read more about what to include in your data breach response plan.

Find more information on embedding privacy in your health practice.