How to Maintain Patient Confidentiality in Healthcare
Patient data and individually identifiable health information are regarded by many as among the most sensitive types of personal information.
The healthcare industry is also one of the most targeted sectors for malicious or criminal attacks on patient medical information.
However, human error and system faults can also cause breaches of patient confidentiality.
Your entire practice team, not only medical professionals and healthcare providers, has a responsibility to know how to protect patient confidentiality and protected health information, and to ensure cybersecurity measures are in place to protect your practice’s electronic health records, patient data and information systems from cybercrime and online threats.
Why is patient confidentiality important in healthcare?
The Medical Board of Australia in its Good medical practice: A code of conduct for doctors in Australia states ‘a good doctor–patient partnership requires high standards of professional conduct’. Among other principles, this involves ‘protecting patients’ privacy and right to confidentiality, unless release of information is required by law or by public-interest considerations’.
According to this code of conduct, ‘patients have a right to expect that doctors and their staff will hold information about them in confidence, unless release of information is required by law or public interest considerations’.
There are circumstances where health professionals are not only exempted from the duty of patient confidentiality but are required to act contrary to this obligation by disclosing information to other authorities. These include:
- Notification of births and deaths;
- A reasonable suspicion of child sexual abuse;
- Notifying the coroner of a death in certain circumstances (for doctors);
- Doctors being required to take a blood sample when a patient presents for treatment of motor vehicle accident injuries;
- Blood test results being required after a needlestick injury to a health worker; and
- Notifying the relevant authority of positive test results for certain diseases (e.g. HIV/AIDS, cholera, smallpox).
The Privacy Act 1988 (Cth) (Privacy Act) regulates how most personal information is managed.
Australian privacy law, including the Privacy Act and state-based health records laws, has strict rules about how health service providers can collect, use and disclose an individual’s health information. For example, a health service provider may generally only collect an individual’s health information if the individual consents to it. Most of the time, health information should be provided directly to a health service provider by the patient.
General practice is subject to stringent privacy obligations by virtue of its handling of health information.
Individuals found liable for privacy infringements can face penalties of up to $444,000 and corporations up to $2,220,000, although the Government is planning to increase these maximum penalties, via the Online Privacy Bill, to:
- The greater of $10 million, three times the benefit obtained through the misuse of personal information or 10% of the company’s annual domestic turnover – for corporations; and
- $532,800 (based on current penalty unit values) – for individuals.
Victoria, New South Wales and the Australian Capital Territory each have their own patient health records legislation regulating the handling of health information, as detailed in sets of principles, that operates concurrently with the Privacy Act.
Health information is de-identified if it is ‘no longer about an identifiable individual or an individual who is reasonably identifiable’. Care should be taken to ensure the information cannot be re-identified. Unlike individually identifiable health information, de-identified health information falls outside Australian privacy legislation.
Malicious and criminal attacks
Healthcare providers should be aware of malicious or criminal attacks deliberately crafted to exploit known vulnerabilities for financial or other gain, which can include:
- Theft of paperwork or a data storage device holding patient data;
- Social engineering: an attack that relies heavily on human interaction to manipulate people into breaking normal security procedures and best practices in order to gain access to systems, networks or physical locations;
- An insider attack by an employee or other insider acting against the interests of their employer or other entity;
- A cyber incident which targets computer information systems, infrastructure, computer networks or personal computer devices;
- A malware attack, ‘malware’ being short for ‘malicious software’: software used to gain unauthorised access to computers, steal information and disrupt or disable networks. Types of malware include trojans, viruses and worms;
- Ransomware, which is malicious software that makes data or systems unusable until the victim makes a payment;
- Phishing: untargeted, mass messages sent to many people asking for information, encouraging them to open a malicious attachment, or to visit a fake website that will ask the user to provide information or download malicious content;
- A brute-force attack, which is typically an unsophisticated and exhaustive process to determine a cryptographic key or password by systematically trying all alternatives until it discovers the correct one;
- Credentials that are compromised or stolen by unknown methods;
- Hacking, or the unauthorised access to a system or network (other than by way of phishing, brute-force attack or malware), often to exploit a system’s data or manipulate its normal behaviour; and
- Business email compromise, a form of cybercrime that uses email fraud to attack business, government and non-profit organisations to achieve a specific outcome that negatively impacts the target organisation.
The single leading potential risk in a general practice’s information security is an internal breach through human error or malicious intent.
Patient confidentiality can be compromised by an unintended action of an individual, for example a document containing personal information inadvertently sent to the incorrect recipient via SMS, email, fax, mail or another channel.
Other examples include:
- Failing to use blind carbon copy (or ‘BCC’) when sending an email to a group, thereby disclosing all recipient email addresses;
- Insecure disposal of personal information that could lead to unauthorised disclosure, for example, using a public rubbish bin to dispose of customer records instead of a secure document disposal bin;
- Loss of a physical asset containing personal information, for example, leaving a folder or a laptop on a bus;
- Failure to effectively remove or de-identify personal information from a record before disclosing it;
- Disclosing personal information verbally without authorisation, for example, calling it out in a waiting room; and
- Unauthorised disclosure of personal information in a written format, including paper documents or online.
A business or technology process error not caused by direct human error, or a system fault, is a less common means by which patient confidentiality is breached.
How to maintain patient records
Information security involves prevention of inappropriate access, protection of personal information and preservation of practice data.
Your practice should not collect health information unless the patient consents and the information is reasonably necessary for delivery of healthcare services.
Obtaining a patient’s informed consent should be the key guiding principle for GPs. To give informed consent, patients must be told about the likely uses and disclosures of their information and be able to make appropriate decisions on that basis.
Your practice must collect personal information only by lawful and fair means (without being unreasonably intrusive or using methods of intimidation).
However, consent is not required where:
- the health information is collected in accordance with the law or rules established by ‘competent health or medical bodies’;
- it is unreasonable to seek it and the collection is necessary to ‘lessen or prevent a serious threat to life, health or safety’ of an individual or the public; or
- other exceptions apply.
Unsolicited information (received without asking) must be destroyed unless your practice would ordinarily have lawfully collected that information.
In the modern medical environment, holding regular training sessions for healthcare professionals and other staff, and regularly reminding staff of their obligations and of the threats to look out for, will help maintain patient confidentiality.
Privacy policies must accurately reflect your practice’s actual procedures and address certain prescribed requirements, including:
- the types of personal information you collect and hold
- the purposes for which you collect, use and disclose personal information
- how personal information is collected, used and disclosed within the practice
- how a patient may access and correct their information in their electronic health record
- how privacy complaints can be made and how the complaint will be dealt with
- whether information is likely to be disclosed overseas and, if so, where.
What to do when a data breach has occurred
A data breach occurs when information held by an organisation is compromised or lost, or is accessed or disclosed without authorisation. Examples include unauthorised access to patient medical records, or lost client data.
The Notifiable Data Breach scheme was established in February 2018 to improve consumer protection and drive better security standards for protecting personal information.
Under the scheme, any organisation or government agency covered by the Privacy Act must notify individuals affected and the Office of the Australian Information Commissioner (OAIC) when a data breach is likely to result in serious harm to an individual whose personal information is involved.
Health service providers are the sector that notifies the most data breaches, so it’s important to maintain patient confidentiality in healthcare, and to know what to do if patient confidentiality isn’t maintained and a data breach may have occurred.
Containing and managing a data breach
The OAIC, the Australian Digital Health Agency, the Australian Cyber Security Centre and Services Australia have developed a four-step plan that health service providers can use to contain and manage a data breach involving personal information, including breaches of the My Health Record system:
- Take action to contain the breach
- Assess any risks associated with the breach
- Contact all relevant parties
- Minimise the likelihood and effects of future data breaches
All data breaches related to the My Health Record system must be reported to the Australian Digital Health Agency. The Agency will contact affected healthcare recipients when this is required under the My Health Records Act 2012 (Cth). Where a significant number of people are affected, the general public will be notified.
You may wish to contact Services Australia to discuss options for protecting customers’ Medicare, Centrelink or Child Support records. If there is a risk of compromise to these records, Services Australia may place additional security measures on such records.
Maintaining patient confidentiality in healthcare
To understand where and how your practice may be vulnerable to cyber-attacks, MedicalDirector offers cybersecurity assessments and recommendations to safeguard your healthcare business against common cyber threats.
Shield by MedicalDirector is a comprehensive cybersecurity solution for medical practices that provides:
- 24/7 monitoring by an experienced Cyber Security Operations Centre
- Physical plug-in for hardware to protect from physical intrusion
Contact us to find out more.
RACGP’s Privacy and managing health information in general practice
RACGP Managing notifiable data breaches in general practice
RACGP Notifiable data breaches fact sheet
Office of the Australian Information Commissioner
Assessing an eligible data breach
Report a notifiable data breach
Report a My Health Record data breach