The eight step plan to better health privacy

Michael Gorton AM, Andrew Chalet, Stephanie McHugh

Organisations in the health sector are handling sensitive health information on a daily basis, which is why it’s so important that these organisations clearly understand their privacy obligations, effectively manage health information and proactively implement privacy and data breach policies.

It is not just doctors who are defined as “health service providers”; privacy obligations apply to a broad range of providers, from aged care through to childcare.

As we reported in the Health Insights back in August 2018, the health sector is particularly vulnerable to notifiable data breaches. This has become very apparent since mandatory reporting under the scheme began in February 2018.

In the Office of the Australian Information Commissioner’s (OAIC) most recent 2019 Notifiable Data Breaches Statistics Report, health sector providers reported the most notifiable data breaches during the quarter, just above the financial sector.

Against this background, the OAIC has released a comprehensive Guide to Health Privacy. The Guide is a helpful tool health service providers can use to ensure they are complying with their privacy obligations under the Privacy Act 1988 (Cth) (the Act) and to minimise the risk of privacy breaches.

Why is the Guide important?

Privacy compliance is an area that is only growing in importance and complexity.  This is particularly the case in the health sector in light of the recent advances in technology which have led to the digitalisation of health information. 

Staying on top of privacy obligations should be a key priority for health sector organisations.  Those who do not properly manage their obligations risk the OAIC exercising their broad regulatory powers and auditing the organisation's privacy practices, determining complaints against them adversely, making compensation awards or, in the most serious cases, seeking heavy penalties in the Federal Court.

Who is the Guide for?

The Guide has been written for health service providers who are handling health information.  But, it is not only doctors and hospitals who fall under the definition of “health service providers” — privacy obligations also apply to a broad range of other providers such as:

  • Aged care providers
  • Disability providers
  • Allied health
  • Gyms
  • Weight loss clinics
  • Childcare centres
  • Traditional Chinese medicine practitioners
  • Massage therapists.

The eight step plan

The Guide uses practical examples directly applicable to health sector organisations to explain key topics. It provides the following eight “best practice” steps that can be taken by organisations to plan for and respond to any privacy issues that may arise:

  1. Develop and implement a privacy management plan that identifies specific and measurable targets for:
    • Embedding a culture of privacy that enables compliance
    • Establishing robust and effective privacy processes
    • Evaluating privacy processes to ensure effectiveness
    • Enhancing responses to privacy issues when they arise.
  2. Develop clear lines of accountability for privacy management and ensure staff are aware of who has responsibility.
  3. Create a documented record of the types of personal information you handle, how such information is received and where it is held.
  4. Understand your privacy obligations and implement processes to meet those obligations.
  5. Hold staff training sessions on privacy obligations to create a privacy-aware culture.
  6. Create a privacy policy in accordance with the Australian Privacy Principles.
  7. Protect and secure the personal information you hold.
  8. Develop a comprehensive data breach response plan.

Also covered are issues around collection, use, disclosure (including use and disclosure of genetic information in the case of a serious threat), dealing with requests for access, patients with impaired capacity, correcting records and health management activities.

How can we help?

If you need assistance or advice with privacy related matters, or how best to implement any of the Guide’s eight steps into your health sector organisation, get in touch with Michael Gorton, Andrew Chalet and Stephanie McHugh.

Learn more about Russell Kennedy's expertise in the Health sector here.

