As a medical business, compliance with privacy laws is not optional: there is no $3 million annual revenue threshold, as there is for many non-healthcare businesses. You're expected to have a 'privacy framework' right from $1. If you don't know where to start, or require assistance to develop your privacy framework, we can assist.
Designed for Australian medical practices that require information and templates to commence their privacy compliance journey.
1. Australian Privacy Legislation overview;
2. Privacy & Patient Consent Notices for New Patient Registration Form;
4. Data Breach Response Plan Template;
5. Privacy Training PowerPoint Template; and
6. One (1) hour of advice.
We consult to medical practices on a day rate to guide and assist them to develop a privacy framework.
Firstly, it's the law! Failing to have a 'privacy framework' is, in simple terms, a breach of the legislation. Should a practice come to the attention of the Privacy Commissioner, being unable to demonstrate that the practice takes patient privacy seriously significantly increases the risk of privacy fines (which at the time of writing are up to $2.1 million for entities and $420,000 for individuals).
Secondly, and equally important, doctors have ethical obligations to 'do no harm' and to inform patients about adverse events, including breaches of privacy and confidentiality. So even if a breach is not deemed to require mandatory reporting under the Notifiable Data Breaches (NDB) scheme, the patient may still need to be informed under the doctor's ethical obligations. Failing to take patient privacy seriously can create a PR disaster, along with potential fines and other costs.
Complying with privacy law just makes good business sense. A good privacy framework can help prevent things going wrong in the first place, and if they do, the practice is far better prepared to manage the breach.
Failing to take the time to understand obligations under the Privacy Act (ignorance is no excuse). No appointed 'Privacy Officer', so nobody takes overall accountability; privacy is not a regular topic at management meetings, and management only gets involved when something goes wrong.
Staff have received no induction or ongoing privacy training, either on privacy law obligations (e.g. what to do when a patient makes a complaint or requests a copy of their medical record) or on IT security, such as identifying phishing emails.
No idea what to do WHEN, not IF, a privacy breach or suspected breach occurs. Having a 'Breach Response Plan', and understanding areas like mandatory reporting of privacy breaches under the NDB scheme, is a fundamental requirement.
Signing poor (or no) contracts with their IT suppliers. The contract contains no obligation for the IT contractor to comply with the Privacy Act, and no confidentiality requirements. Even worse, the IT contract often excludes any liability of the IT contractor, leaving the practice completely exposed (and potentially voiding any insurance it may have).
No IT security assessment, either by asking their IT providers to perform one or by having an independent company provide an assessment/audit report. They have no assurance that their backups work (or how long it would take to get back online), no measure of the strength of their IT controls, and no evidence that they are taking reasonable steps to protect patient privacy.