Data penalties ‘may cripple practices’

GPs could be in for a bumpy ride as data breach notification laws come into effect
General practices will face hefty fines for failing to notify patients of data breaches under legislation that passed both houses of parliament this month.

The Senate passed the Privacy Amendment (Notifiable Data Breaches) Bill 2016 on 13 February.

Under the new law, businesses that handle sensitive information, including all general practices, are required to disclose serious data breaches or face fines of $360,000 for individuals and $1.8 million for organisations.

General practices have 30 days to notify patients following a significant breach, but need not notify patients about minor breaches that have been remedied and have not caused serious harm. Organisations are also obliged to report the incident to the Privacy Commissioner.

“Serious harm” could include (but is not limited to) identity theft, financial loss, threat to physical or emotional wellbeing, harm to reputation and humiliation.

“It is not intended that every data breach be subject to a notification requirement,” the bill’s explanatory memorandum states.

Dr Nathan Pinskier, chair of the RACGP Expert Committee – eHealth and Practice Systems, said the College was concerned the heavy penalties could put general practices out of business.

“[The fines] could potentially cripple a general practice,” he told The Medical Republic.

“Many general practices would not be covered for data breach fines under their medical indemnity insurance. I imagine the cost of insurance would be prohibitive for many practices as well.”

Dr Pinskier said the College would be providing guidance to GPs over the next six months about the new legislation through webinars and updated tools.

“The critical thing is awareness,” he said. “[General practice] is not necessarily ideally equipped to identify these breaches and it is not necessarily adequately protected.”

Eric Lowenstein, the CEO of medical indemnity insurance company Tego, said general practitioners could mitigate their risk by checking if their insurance covered data breaches, including related fines, notification and remedy costs, legal defence and claims from patients.

“[The laws] may have an impact on a doctor’s medical indemnity insurance as a result of increased litigation and complaints,” he said.

Mr Lowenstein recommended that GPs review their existing cyber security systems and develop procedures for identifying and responding to a data breach.

“Map out how your patient records are kept, where they are located and who has access to them,” he suggested.
