The fine for a GP or registered practice co-worker to breach the privacy rules surrounding the PCEHR are set to go up 500% to $108,000 following the introduction of legislation to Parliament this week to amend the Health Information Act. Fines for corporations rose by the same proportion from $108,000 to $540,000. The main intent […]
The fine for a GP or registered practice co-worker to breach the privacy rules surrounding the PCEHR are set to go up 500% to $108,000 following the introduction of legislation to Parliament this week to amend the Health Information Act.
Fines for corporations rose by the same proportion from $108,000 to $540,000.
The main intent of the legislation is much needed changes to the management of the e-Health record system, specifically, changing PCEHR from being opt-in to opt-out.
The hike in fines for doctors isn’t likely to make passing the legislation any easier. The government may have a hard time explaining why last week a doctor had to pay $21,800 if they stuffed up a PECHR and let someone get hold of it who isn’t properly authorised, and this week they are intending that they start paying $108,000 and risk going to gaol.
They might also have to explain why corporations got treated relatively leniently. They have exactly the same increase proportionally that a personal breach incurs.
Companies have much great potential to damage because they hold so many more records than an individual. Regulators generally expect that their security and data management is a key part of their corporate compliance undertaking.
Companies are in also in a much better position to invest in making sure they don’t breach.
So why did corporations get the same percentage increase as an individual?
Federal Health Minister Sussan Ley said of the increase “ the penalty is not too high, with the highest pecuniary penalty that can be imposed being only 600 units.” (units are ‘penalty units’, each unit is worth $180 therefore 600 units is worth $108,000…sorry, that’s high if you think that it was $26,800).
She doesn’t explain the reason for either increase very well.
“ This penalty is justified as the My Health Record system deals with privacy sensitive information and the misuse of this information needs to have proportionate penalties to the potential damage to healthcare recipients.”
In light of this analysis, the nature and application of the civil penalty provisions suggest that they should not be classed as criminal under human rights law.”
So what did we miss? What changed to cause the increase? Essentially Ley is saying that suddenly the material in an individual’s personal health record just got five times more dangerous.
Its not like medical records are particularly secure now. Most people could obtain key medical stats on someone by impersonating a doctor and ringing a path lab.
The likely reason, which isn’t given, is that now that the government is moving robustly to get e-Health records up and running in volume, the potential for damage will be much greater with so many more records being held electronically.
OK, some logic there.
But why do they lay that problem mostly at the feet of GPs only, why aren’t corporations slugged relatively harder and why isn’t there any help on offer if, as seems likely, GPs are going to have to get their acts together and be far more careful with their electronically held data?
