Data security: Key requirements for healthcare providers | Aug19 Newsletter
Data has become the lifeblood of businesses operating in the digital economy, and healthcare providers have had a front-row seat in the big data revolution. Whether collecting patient data for on-site storage and use, or participating in the My Health Record system, Australian healthcare providers must comply with a range of data privacy and security regulations that have been designed to protect patients’ personal health data.
But negotiating these regulations is anything but simple. The key is to understand the difference between the patient data you collect and store on-site, and the data you access and share on the My Health Record system – and the regulations that apply to each.
Protecting your on-site data
When it comes to protecting the personal patient data you collect and store on-site at your healthcare practice, you must comply with the Privacy Act 1988. And if you practise in New South Wales, Victoria or the ACT, you must also meet any additional obligations under the relevant state or territory laws.
The Privacy Act sets out 13 Australian Privacy Principles (APPs), which act as detailed guidelines for how you should manage your patient data. This includes stipulations on the collection of solicited and unsolicited personal data, how you can use or disclose that data, and your obligations in the correction of personal information you hold. Check out this APP quick reference tool for more information.
Healthcare providers should pay particular attention to APP 11, which governs the security of personal data. It states: “An APP entity must take reasonable steps to protect personal information it holds from misuse, interference and loss, as well as unauthorised access, modification or disclosure.” For a full list of what constitutes ‘reasonable steps’, see Chapter 11 of the official APP guidelines.
Using the My Health Record system
The My Health Record system has been designed to bring all patients’ personal health data together into a single digital portal that healthcare providers can access to provide better overall treatment outcomes.
Patient records may include diagnosis data, prescription records, pathology and imaging reports, and discharge summaries. However, all healthcare providers must meet legal obligations when accessing and sharing patient data on the My Health Record system.
In addition to the Privacy Act 1988 and the Australian Privacy Principles, healthcare providers must also comply with the requirements set out in the My Health Records Rule 2016. These include properly identifying the staff who access the system, monitoring individual user accounts, providing regular staff training, implementing reporting procedures for privacy breaches, and conducting regular risk assessments. Refer to this helpful checklist for more information.
Securing your IT infrastructure
Your healthcare practice is responsible for ensuring that the IT systems you use to collect and store on-site data and access the My Health Record system are secure. The Australian Digital Health Agency and Stay Smart Online have created an Information Security Guide to help small healthcare businesses understand what they can do to stay safe from cybercrime.
Recommendations include keeping your operating systems and application software updated so that you have the latest built-in security fixes, maintaining a current, well-maintained server infrastructure for the safe backup and storage of your data, and using an IT service provider to securely manage your systems. Check out the guide for a full list of what you can do to protect your practice from a costly cyberattack.