
Important Privacy Update for allied health private practitioners (Part 2)

Last week we outlined the upcoming change to your obligations as an allied health private practitioner under the Privacy Act: an amendment taking effect on 22 February that makes reporting of data breaches (e.g. loss of or unauthorised access to client or employee personal or sensitive information) mandatory in some circumstances. If you missed it, read that article first. Today we are going to look at how you can be proactive and confident that your practice is prepared.

The steps below are advisable not only because of the introduction of the Notifiable Data Breaches Scheme; they represent best practice in any allied health private practice, and adopting this approach demonstrates your commitment to your privacy obligations.

Step 1. Conduct a Privacy Audit

A Privacy Audit enables you to review what you are currently doing in your practice and to ensure you have the necessary framework in place to meet your obligations under the Privacy Act. It is worthwhile re-familiarising yourself with the Australian Privacy Principles during this step, as well as reviewing the types of information you collect, who collects it and when, the storage location(s) for this information, and the movement of this information into and out of your practice. If you employ staff, is everyone aware of the privacy obligations within the practice?

Step 2. Update your Privacy Policy

All allied health private practices should have a Privacy Policy. The purpose of a Privacy Policy is to clearly communicate how your practice collects and manages personal information and follows the terms and conditions of privacy and confidentiality in accordance with the Australian Privacy Principles (APPs) under the Privacy Act. Your Privacy Policy can be updated to include a statement on how your practice will meet the requirements of the amendment with regard to identifying, assessing and managing data breaches in your practice.

Step 3. Update your Collection Statement

You will be familiar with a Personal Information Collection Statement (also often known as a Privacy Consent Form or Personal Information Consent Form). It notifies your clients that certain information will be collected for a specific purpose (i.e. for the purposes of their treatment). Similarly, this should be updated to include a brief statement on how your practice will meet the requirements of the amendment with regard to identifying, assessing and managing data breaches in your practice.

Step 4. Prepare a Data Breach Response Plan

This might sound daunting, but it's quite simple. The aim of your data breach response plan is to provide a framework for effectively managing identified data breaches in your practice and to mitigate (reduce) the likelihood of an identified data breach causing serious harm to the individual(s) affected. It also provides a clear path for identifying and notifying eligible data breaches under the Notifiable Data Breaches Scheme. It will include things like who in your practice is responsible for assessing an identified data breach, what steps will be followed in the event of a data breach, and so on. The last thing you want, once you have identified that data has been lost or accessed without authorisation, is to be scrambling around wondering what to do!

As part of this step, it is also worthwhile educating employees (if you employ staff) so they understand what constitutes a data breach and what their role is, not only in maintaining privacy standards in the practice, but also in the steps they need to take if a breach occurs (e.g. they lose paper notes they scribbled down when seeing a patient).

Step 5. Review Third Party Contracts

Do you have a contract with a cloud service provider for your patient data? Perhaps you use an online practice management system to organise all your patient health information and billing? The critical aspect of this step is to ensure you obtain and maintain control over your practice data. Ensure contracts with these third parties specify how and when they will notify you of any identified breach involving your practice information. It remains your responsibility to assess the breach and take the necessary action according to your data breach response plan.

Would you like to read more about the amendment? Head to https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme

Need help with the steps above? Get in touch with us for guidance.

Last modified on Wednesday, 21 February 2018 09:36