[BreachExchange] Mandatory data breach reporting for health service providers - what you need to know

[Audrey McNeil]

http://www.lexology.com/library/detail.aspx?g=dacaa739-39c4-4c17-9661-
4ec0d2182d63

Mandatory breach notification is back on the Australian Government's agenda
for the Spring 2016 sittings, when it is expected the government will (once
again) consider implementing a mandatory breach notification regime
requiring Australian businesses to report data breaches that compromise
personal information collected or held by those businesses. Yet,
unbeknownst to some, such a requirement already exists for certain
Australian businesses. Health service providers take note – if you are
handling certain types of health records, you may already be legally
required to report breaches affecting those records.

What is 'mandatory reporting' – and is it relevant for my business?

The Privacy Act applies to Australian individuals and businesses with a
turnover of over AUD3 million, and to those providing a health service and
who hold health information irrespective of turnover. Currently, the
Privacy Act does not require that your customers or the Office of the
Australia Information Commissioner (OAIC) be notified of a data breach that
compromises their personal information. That is likely to change in time –
and draft legislation could (if implemented) extend such mandatory
reporting obligations to all businesses subject to the Privacy Act. In the
meantime, notifications are encouraged by the OAIC as part of a data breach
response plan, where the disclosing party thinks there may be a real risk
of serious harm to the individual as a result of the breach.

I run a health services business – how does this affect me?

In addition to the requirements of the Privacy Act, healthcare providers
accessing, processing and storing 'My Health Records' are subject to a
mandatory data breach reporting regime. This regime has been in place since
the inception of the My Health Record scheme in 2012 and requires
notification, in certain circumstances to the My Health Record System
Operator (i.e. the Secretary of the Department of Health) and the OAIC, of
data breaches affecting an individual's My Health Record.

What is My Health Record?

Essentially, it is the future of digital health in Australia.

My Health Record is described by government as "a secure online summary of
your health information". It is an opt-in scheme, operating from an online
platform, which stores in one place important health information relating
to individuals. Healthcare providers including doctors, specialists and
hospital staff can access these details online from anywhere, at any time,
for the purpose of providing healthcare and in accordance with access
controls set by the individual patient or default access controls, as the
case may be.

Considering the sensitive nature of an individual's health information that
is being stored in the individual's My Health Record, the provisions
relating to mandatory breach reporting have been seen as an important
element of the system and a safeguard for those providing their details for
storage in the system.

However, the slow uptake of the system by Australian health providers and
practitioners means that industry awareness of the mandatory reporting
requirements attaching to the My Health Record platform is unlikely to be
widespread.

Why is this now more important than ever?

A digital health records system has been on the radar for many years.

In June 2016, the My Health Record "opt-out" trials commenced in the Nepean
region of Western Sydney and North Queensland where 1 million individuals
have been provided with a My Health Record. Trials are due to close in
October 2016 and reports indicate that there has been a very low opt-out
rate.

In July 2016, the National E-Health Transition Authority became the
Australian Digital Health Agency, and is expected to become the system
operator for the My Health Record system. In August 2016, the Government
appointed as the agency's CEO, the former National Director for Patients
and Information in the UK National Health Service (NHS) who was responsible
for the digital transformation of the NHS. And, the Government has launched
a public consultation on the development of a framework for secondary use
of My Health Record data, which is expected to open in the coming months
and will conclude before the end of 2016.

It seems to us that this shift of focus and the move towards widespread
implementation of the My Health Record system is indicative of the
Government's continued support for the expansion and development of digital
health in Australia. While important building blocks in the digital health
system (such as universal use of secure messaging and standardised system
interoperability) may be several years away, we believe that mandatory
adoption and use, in the short to medium term, of the My Health Record
system across health service providers in Australia is inevitable.

What are the challenges for healthcare providers operating (or soon to be
operating) in the My Health Record platform?

The transition to digital health poses a wide range of challenges for
healthcare providers, including:

ensuring that the onboarding of personal and sensitive information into the
platform is done in compliance with all legal and regulatory requirements;
achieving ongoing technical and systems security integrity and compliance;
ensuring staff are properly trained in and aware of the risks associated
with operating on an online platform;
implementing robust information handling policies and procedures and breach
response plans; and
managing and tackling the increasing risk of malicious cyber incidents,
such as malware and ransomware attacks, against healthcare providers (for
example the recent virus attack on Royal Melbourne Hospital).

A comprehensive awareness of the obligations that arise under privacy and
digital health legislation in Australia will be required for those
operating in the health services industry, so as to avoid the potentially
disastrous effects of improper use of health information and poorly managed
responses to breaches.

What happens if I breach the My Health Record system requirements relating
to reporting breaches?

Where a participating healthcare provider suspects, becomes aware of, or
knows a data breach has or may have occurred, they must notify the OAIC or
the System Operator. What constitutes a 'data breach' is all encompassing -
any unauthorised collection, use or disclosure of health information
included in an individual's My Health Record involving the entity or an
event or circumstances involving the entity that compromises, may
compromise, has compromised or may have compromised the security or
integrity of the My Health Record system. A penalty of up to AUD90,000
applies for failing to report such an incident.

As well as notifying of the data breach, there are other prescribed
procedures a healthcare provider must undertake following an actual or
suspected breach, including:

taking steps to contain and evaluate the breach;
if there is a reasonably likelihood that a breach has occurred with serious
impacts for at least one healthcare recipient (i.e. one patient), the
healthcare provider must ask the System Operator to notify all healthcare
recipients that would be affected;
if the healthcare provider knows that a data breach has occurred, it must
ask the System Operator to notify all healthcare recipients that would be
affected; and
if a 'significant' number of healthcare recipients are affected, the
healthcare provider must notify the general public.

Although there are no fines for failing to follow these additional
prescribed procedures after a suspected or actual breach, there may be
other more significant consequences such as cancellation of registration of
operating licences, which would have reputational and commercial impacts
for healthcare providers.

The OAIC also has investigative powers and can, as a result of a complaint,
initiate an investigation. This could result in the healthcare provider
being subject to injunctions, enforceable undertakings, court orders, and
civil penalties for breaches involving an individual's My Health Record.

What can healthcare providers do?

Digital health is coming and healthcare providers should start preparing
now. All healthcare providers, in particular those operating in the My
Health Record system, should consider the following:

Review how your organisation manages its data: Know the kinds of data your
organisation handles, and the value of the data. Know where it is stored,
who has access to it and how it is secured.
Know your obligations in operating within the My Health Record system: What
obligations are imposed under the Privacy Act and under the My Health
Record system on you as a business handling such sensitive information?
Identify and understand relevant risk frameworks suited to your business:
Consider different risk frameworks that may apply to your business. Decide
on a framework, implement it and use it to evaluate your cybersecurity.
Test the framework regularly and consider how it can be improved.
Be prepared: Have a breach response plan in place. Consider the different
types of breaches your business could suffer. Your plan should set out
roles within your breach response team, and identify third parties or
experts (IT security, legal, public relations) that will assist you in a
critical situation.
Consider insurance options available to your organisation: The terms of
professional indemnity, public liability or other specialist classes of
policy may not provide coverage for cyber related losses. Health
practitioners and healthcare providers are advised to consult with their
brokers or insurers to consider whether there are other products such as
cyber policies that may provide the necessary cover.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160920/8e26c9d6/attachment.html>