Protecting your practice from a notifiable data breach

Morgan Liotta

17/05/2019 10:19:26 AM

The RACGP has again collaborated with the Office of the Australian Information Commissioner for Privacy Awareness Week.

Dr Penny Burns believes strong policies and procedures are ‘the cornerstones’ for data protection and management in general practice.

The annual initiative is aimed at raising awareness of privacy issues and promoting the importance of protecting personal information, including general practice patient data.
Dr Penny Burns, GP and RACGP Expert Committee – Practice Technology and Management (REC–PTM) member, recently delivered an RACGP eHealth webinar on the Notifiable Data Breaches (NDB) scheme.
The RACGP webinars are designed to assist GPs and general practice teams understand the NDB scheme and their obligations for assessing and responding to potential data breaches in their practice.
The NDB scheme came into effect in February 2018, and all general practices are obliged by law to report data breaches that meet the criteria of an ‘eligible data breach’.
Dr Burns told newsGP it is important to have high standards to protect personal data, which general practice has historically done.
‘With the increasing use of technology in managing patient data, the NDB scheme is a logical next step,’ she said.
‘Patients trust GPs and they trust them with very private data – GPs are not new to the need to keep this data private and safe from unauthorised access, and in general, have a high level of understanding of their responsibility in handling confidential patient data.’
According to Dr Burns, most data breaches in healthcare occur due to human error or malicious attack, when personal information held by an organisation is accessed by an unauthorised party, disclosed to an unauthorised party, or is lost.

But not all data breaches are notifiable. To meet the NDB criteria:

  • the breach needs to be likely to result in serious harm to one or more individuals (serious harm may include physical, psychological, emotional, financial, or reputational harm)
  • the general practice entity has not been able to prevent the risk of serious harm with remedial action.

Dr Burns reminds practices to be aware of some of the common scenarios:

  • patient results are left on a train or at a cafe
  • a referral letter to a specialist is handed to or emailed to the wrong person
  • a staff member accesses a patient’s file without authorisation
  • a hacker accesses files
  • a staff member leaves their computer on a train.

‘Personal information is information that enables an individual to be identified or reasonably identifiable,’ Dr Burns said.
‘This might be name or Medicare number, or date of birth, address, phone contact or a combination of these.’
In the event of a data breach, Dr Burns advises immediate action.

‘This requires prompt action, days not weeks,’ she said.
‘If the data was shared by another entity, both entities are responsible.’
She explains that the first step is to identify that a data breach has occurred, and recommends that practices refer to their medical defence organisations for further guidance.

‘Then, immediate steps need to be taken to contain the breach as much as possible, whether that is preventing further data being accessed or further spread of the same data,’ Dr Burns said.
‘The next step is for the practice to make an assessment of what has occurred. The situation and risks need to be examined and if there is risk of harm to one or more individuals, remedial action to reduce [that risk] should be undertaken immediately.
‘If serious harm is likely and the risk hasn’t been able to be averted, then the breach must be notified to all individuals at risk of serious harm, [as well as] the OAIC [Office of the Australian Information Commissioner].
‘The final step is to review what happened and look at how your practice can prevent future breaches.’
Dr Burns believes that implementing sound information security and data protection standards and procedures, supported by staff training, will help protect practices from the risk of a data breach, and will continue to build on the trust that patients have in their GPs.
‘Strong policies and procedures are one of the cornerstones for data management,’ she said.
‘Training staff on secure information handling and helping them understand why this is important.
‘An important part of data breach management is how your patients perceive how honestly, transparently and promptly you have managed the data breach. They need to continue to trust you into the future.’
The RACGP offers a suite of resources to assist general practices in data protection: