Ensuring patients’ medical data is secure


The rollout of My Health Record has raised questions surrounding the security of medical data. What measures must be taken in pharmacies to preserve the sanctity of patients’ private details?

Pharmacists are well aware that their first priority is the health and wellbeing of their patients.1

This duty, however, doesn’t simply begin and end with providing the correct prescription and offering relevant professional services. In today’s digital age this duty extends to ensuring a patient’s personal details are stored safely and remain private – especially since the My Health Record (MHR) rollout.

‘As health professionals, we are privileged to be able to hold some of our patients’ more personal information, and are obligated to protect that,’ explains Andrew Robinson MPS, Principal Owner Amcal Plus Tooronga and Co-Owner of Wattle Park Amcal Pharmacy.

‘Often the people most concerned about (data breach) issues are the most vulnerable patients. Mental health, for example, would potentially be damaged by someone already suffering anxiety, worried about what a data breach may mean for them and their relationships.’

MHR protection measures

The healthcare potential of MHR has been well documented. As Mr Robinson points out: ‘The benefits for patients and clinicians are huge. Used correctly it will save time, lives and money.’

However, its rollout has raised serious concerns and questions surrounding the security of citizens’ medical data.

As such, pharmacists must take extra measures to preserve the sanctity of patients’ private details.

‘Pharmacies need to ensure clear security and access policies and procedures are in place, and enforced, to ensure access to a patient’s MHR is only by authorised personnel,’ says Dr Kenneth Lee MPS, Senior Lecturer, Pharmacy Practice, at the University of Western Australia.

It’s important to ensure staff are well aware that all access to a patient’s MHR is data-logged and that there are legal ramifications for unauthorised access, says Dr Lee.

‘Access should only be for the purpose of providing direct patient care. For example, a pharmacy assistant not involved in a particular patient’s care must not be allowed to view that patient’s MHR.’

To reduce the likelihood of unauthorised staff access, where practicable a patient’s MHR should be viewed directly from the conformant dispense software and closed after use.

‘Also, training all staff about the site’s security and access policies and procedures can ensure that everyone is aware of their requirements,’ Dr Lee says.

Stephanie McGrath, Senior Associate with Robert James Lawyers, adds that pharmacies should have legal policies in place for what the pharmacy will do in the event of a breach.

Pharmacies should also engage the services of an IT or risk assurance company to ensure the highest level of encryption for patient files.

‘That could include things like two step login for your staff to access the portal,’ Ms McGrath says.

Ms McGrath adds that if your pharmacy has arrangements in place with third parties that store data on the business’s behalf, then legal agreements need to be drawn up that outline who is responsible for a breach.

‘What we have to accept is a breach is probably going to occur, whether intentional or not, because that’s the age of technology we live in. Then you can be prepared from the outset when it does,’ Ms McGrath says.

Breach ramifications

Avoiding a breach is paramount for a pharmacy’s survival. After all, says Ms McGrath, the penalties can be costly (see ‘Long arm of the law’, opposite) if the Office of the Australian Information Commissioner (OAIC) believes there’s been ongoing non-compliance or a serious breach.2

‘Your pharmacy could also be affected by potential compensation claims by the patients,’ says Ms McGrath.

Meanwhile, Mr Robinson adds that the fines available to the Australian Digital Health Agency (ADHA) are also significant: $126,000 for individuals and $630,000 for bodies corporate.3

‘There wouldn’t be many pharmacists or pharmacy businesses that could afford that sort of fine. It would likely put them out of business if the reputational damage didn’t,’ Mr Robinson says.

Speaking of reputational damage, Ms McGrath points out that the pharmacy industry is a unique one in respect of the high levels of customer loyalty and dependency on the pharmacist.

‘Customers trust the pharmacist for their health advice and if they feel their information hasn’t been protected, that could have severe implications for whether that customer stays loyal to that pharmacy,’ Ms McGrath says.

The patient

A data breach can obviously also have a serious negative impact on the patient.

‘First and foremost, identity theft – that’s the biggest issue at the moment,’ Ms McGrath says.


Prepare your pharmacies against data breaches and unauthorised My Health Record (MHR) access.

  • Devise clear security policies for staff when it comes to accessing patients’ data and MHR.
  • Ensure staff are aware that access to a patient’s MHR is data-logged and there are legal ramifications for access that’s not linked to providing direct patient care.
  • Ensure staff know that they should never login to a patient’s MHR and leave it open.
  • Put in place legal and notification policies outlining the pharmacy’s course of action in the event of a breach.
  • Engage the services of an IT or risk assurance company to ensure the highest level of encryption for patient files.
  • Draw up legal arrangements with third parties that store data on your business’s behalf, outlining who is responsible for a breach under different scenarios.
  • Ensure patients cannot access records, such as through dispensing computers located at the front-of-shop or on the prescription counter.
  • When possible, let the patient know you are accessing their record and why, as they may get a message that you did.
  • If some of the above arrangements have been in place for several years then it’s likely time for them to be reviewed as they may be out of date.

‘If you put certain personal details together – it could be as simple as a name and date of birth – you can access quite a lot of information about a person.’

Then there’s leaking of private health information into the wrong hands.

‘There could be someone wanting to use that information inappropriately or even illegally,’ Ms McGrath adds.

Mr Robinson says he recommends that pharmacists regularly review their password and only login to a record where there is a real need to help with patient care and dispensing.

‘For example, discharge from hospital and when a medication pack needs to be prepared,’ he says.

Mandatory data

So if your pharmacy has a small data breach, it’s nothing to worry about, right? Wrong. Gone are the days when businesses could sweep data breaches under the rug.

Mandatory data breach notification laws came into effect earlier this year, which require agencies and organisations regulated under the Australian Privacy Act 1988 (Privacy Act) to notify affected individuals and the OAIC when a data breach is likely to result in possible harm to individuals whose personal information has been breached.4

‘And for those who think they won’t breach notifications get caught, that is unlikely as the ADHA monitoring is designed to detect abnormal access,’ Mr Robinson explains.

‘From the patient side of things, they can get notifications when anyone accesses their record.’
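The access rules the article describes (only authorised staff, only for direct patient care, close the record after use, every view is logged) can be checked against the pharmacy's own audit trail before ADHA monitoring or a patient notification raises the question. The following is an added example, not code from the article, the ADHA or any dispense software vendor. It assumes a hypothetical audit export in which each line is an ISO timestamp followed by key=value fields, and it uses a dispense event for the same patient by the same staff member as the evidence of a care link; the role names, time windows and log format are all assumptions a pharmacy would replace with its own policy.

```python
"""Spot MHR access that does not fit the pharmacy's access policy.

Added example; it is not from the article, the ADHA or any dispense
software vendor. It assumes a hypothetical audit export in which each
line is an ISO timestamp followed by key=value fields, and it encodes
the article's rule of thumb: a record should be opened by authorised
staff, in connection with that patient's direct care, and closed after
use. Real audit logs and role names will differ.
"""
from datetime import datetime, timedelta

# Constructed sample audit events from a hypothetical MHR viewer.
ACCESS_LOG = """\
2018-08-06T09:02:10,staff=u101,role=pharmacist,patient=p5001,event=open
2018-08-06T09:05:44,staff=u101,role=pharmacist,patient=p5001,event=close
2018-08-06T10:15:02,staff=u202,role=assistant,patient=p5002,event=open
2018-08-06T10:15:40,staff=u202,role=assistant,patient=p5002,event=close
2018-08-06T11:30:00,staff=u101,role=pharmacist,patient=p5003,event=open
"""

# Constructed sample dispense events for the same day. A dispense for the
# same patient by the same staff member is treated as the "direct care" link.
DISPENSE_LOG = """\
2018-08-06T09:00:30,staff=u101,patient=p5001,script=rx-77
2018-08-06T11:29:10,staff=u101,patient=p5003,script=rx-78
"""

# Policy parameters (assumptions, to be set by the pharmacy's own policy).
AUTHORISED_ROLES = {"pharmacist", "intern"}
CARE_WINDOW = timedelta(hours=4)     # dispense must fall within 4 h of the view
MAX_OPEN = timedelta(minutes=15)     # a record open longer than this is a finding


def parse(text):
    """Turn 'ts,k=v,k=v' lines into dicts with a datetime under 'ts'."""
    records = []
    for line in text.strip().splitlines():
        ts, *fields = line.split(",")
        rec = {"ts": datetime.fromisoformat(ts)}
        for field in fields:
            key, value = field.split("=", 1)
            rec[key] = value
        records.append(rec)
    return records


def review_access(access_log, dispense_log, review_time):
    """Return policy findings as dicts with kind, staff, patient and detail.

    review_time is an ISO timestamp: records still open at that moment
    for longer than MAX_OPEN are reported as left open.
    """
    accesses = sorted(parse(access_log), key=lambda r: r["ts"])
    dispenses = parse(dispense_log)
    findings = []
    open_sessions = {}  # (staff, patient) -> time the record was opened

    def finding(kind, rec, detail):
        findings.append({"kind": kind, "staff": rec["staff"],
                         "patient": rec["patient"], "detail": detail})

    for rec in accesses:
        key = (rec["staff"], rec["patient"])
        if rec["event"] == "open":
            open_sessions[key] = rec["ts"]
            if rec["role"] not in AUTHORISED_ROLES:
                finding("unauthorised_role", rec,
                        f"role {rec['role']} is not permitted to open records")
            # Care link: a dispense for this patient by this staff member
            # close in time to the view.
            linked = any(
                d["staff"] == rec["staff"] and d["patient"] == rec["patient"]
                and abs(d["ts"] - rec["ts"]) <= CARE_WINDOW
                for d in dispenses
            )
            if not linked:
                finding("no_care_link", rec,
                        "no dispense event for this patient by this staff member")
        elif rec["event"] == "close":
            opened = open_sessions.pop(key, None)
            if opened is not None and rec["ts"] - opened > MAX_OPEN:
                finding("open_too_long", rec,
                        f"record stayed open for {rec['ts'] - opened}")

    # Anything still open at review time has been left open on screen.
    end = datetime.fromisoformat(review_time)
    for (staff, patient), opened in open_sessions.items():
        if end - opened > MAX_OPEN:
            finding("left_open", {"staff": staff, "patient": patient},
                    f"still open at {review_time}, opened {opened.isoformat()}")
    return findings


if __name__ == "__main__":
    for f in review_access(ACCESS_LOG, DISPENSE_LOG, "2018-08-06T12:00:00"):
        print(f"{f['kind']:17} staff={f['staff']} patient={f['patient']}: {f['detail']}")
```

Run against the constructed sample, the review reports the assistant's view of p5002 twice (the role is not authorised and there is no dispense for that patient) and the pharmacist's view of p5003 as left open at noon; the pharmacist's view of p5001, tied to a dispense minutes earlier and closed after a few minutes, produces nothing. The same structure works for a weekly review: feed in the week's audit export and dispense history and read the findings with the staff member concerned.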

Making the most of your privacy systems

Once you’ve got your own MHR security systems and procedures in place, you’ll still need to allay patients’ privacy concerns. Mr Robinson says he believes honesty is the most effective tool to get people on side.

‘Their concerns should be acknowledged, as for some people this is a new frontier that’s quite intimidating,’ says Mr Robinson.

‘If you can speak confidently about the benefits and that it helps you as a pharmacist, as a healthcare provider, to better manage, assess and ensure safety, save time for them and you, and ultimately improve health outcomes, then the benefits seem clear.’

It also helps to remind them that it is their health record.

‘It will have what they want in it, and that is important to note for us as healthcare providers,’ Mr Robinson says.

‘It is not gospel, it may well be missing information. But it will have a lot more information than what we have ever had timely access to previously and this is a great way to reduce errors, improve patient safety and improve efficiency.’


Failure to notify penalties5

The Office of the Australian Information Commissioner (OAIC) can apply to the court for a civil penalty if a breach has occurred. The maximum penalty that the court can order for a body corporate that has failed to comply with the Notifiable Data Breaches (NDB) scheme is a fine of up to $2.1 million.

My Health Record (MHR) information misuse penalties6

  • Unauthorised collection, use or disclosure of health information in an MHR: civil penalty of up to $126,000 for individuals and up to $630,000 for bodies corporate.3 Criminal penalty of up to two years imprisonment and/or $25,200 for individuals.
  • Failing to notify an actual or potential data breach in which a person was directly involved: civil penalty of up to $21,000.
  • Holding, taking, processing or handling records held for the purposes of the MHR system outside Australia, or causing someone else to do so: civil penalty of up to $126,000. Criminal penalty of up to two years’ imprisonment and/or $25,200.

Refer to the My Health Record Guidelines for Pharmacists.

Build your skills with PSA Short Courses at: www.psa.org.au/s/education-catalogue


  1. Pharmaceutical Society of Australia. Code of Ethics. Available from: psa.org.au/membership/ethics/
  2. Office of the Australian Information Commissioner. Mandatory data breach notification comes into force this Thursday [Media Release]. 19 Feb 2018. Available from: oaic.gov.au/media-and-speeches/media-releases/mandatory-data-breach-notification-comes-into-force-this-thursday
  3. The Parliament of the Commonwealth of Australia. My Health Records Amendment (Strengthening Privacy) Bill 2018. Explanatory Memorandum. Available from: https://parlinfo.aph.gov.au/parlInfo/search/display/display.w3p;query=Id:%22legislation/ems/r6169_ems_c96bab03-e9e0-48ce-91b9-cc60a2a6ec64%22
  4. Office of the Australian Information Commissioner. Notifiable Data Breaches scheme. Available from: oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme
  5. Office of the Australian Information Commissioner. Mandatory data breach notification comes into force this Thursday [Media Release]. 19 Feb 2018. Available from: oaic.gov.au/media-and-speeches/media-releases/mandatory-data-breach-notification-comes-into-force-this-thursday
  6. Australian Digital Health Agency. My Health Record. Penalties for misuse of health information. Available from: myhealthrecord.gov.au/about/legislation-and-governance/penalties-for-misuse-health-information