Data breaches: less stick, more carrot?

Concern remains that a threat of heavy financial penalties could deter healthcare providers from reporting errors in electronic health records.

New privacy legislation before parliament provides penalties for breaches of up to $1.8 million for organisations and $360,000 for individuals, giving the Office of the Australian Privacy Commissioner plenty of clout to enforce tight data protection standards.

Dr Nathan Pinskier, chair of the RACGP’s eHealth and Practice Systems Committee, told The Medical Republic the college had argued against stiff fines for fear they might work against errors being corrected in My Health Records.

“Our concern is about wrong information getting into people’s records,” Dr Pinskier said. “We want to make sure in the private sector the penalties are not so onerous that people are deterred from reporting because it will be too much of a financial headache.”

He noted that public servants did not operate under the same threat.

Medicare recently revealed multiple cases of patients’ claims data being uploaded to the wrong My Health Records because of mix-ups over individuals with similar identifying information, with five cases of “intertwined” customer records in the year to June.

In other cases listed in the privacy office’s annual report, fraudulent Medicare claims had resulted in wrong data being uploaded to Medicare records, which then flowed to My Health Records, and problems with MyGov accounts, where individuals were linked to other people’s electronic health records.

Georgie Haysom, head of advocacy at Avant, said doctors and practice staff needed to be educated about changes under the proposed Privacy Act amendment. “The new test is whether a reasonable person would consider the breach likely to result in serious harm to an individual. In that determination, they look at things like the kinds of information, the sensitivity of it, who is likely to access it, and whether security measures could be circumvented,” she said.

A doctor would have 30 days to notify a patient in the event of a serious breach. But they would not need to notify the patient of a minor matter where the breach had been remedied and the likelihood of serious harm was erased.

“We are pleased to see in the new bill the legislators have balanced up the need to protect privacy with the notion of an unreasonable administrative burden,” Ms Haysom said.

In principle, the information commissioner was unlikely to seek a civil penalty for minor or inadvertent breaches where the person responsible co-operated with an investigation and took steps to avoid a recurrence.

Data breach notifications to Medicare remain mandatory under the My Health Records Act.
