What new data privacy laws mean for pharmacies

In February, the Federal Government substantially increased the responsibilities of businesses that handle personal data, with healthcare providers a particular focus. So what does the new privacy regime mean on the ground?

As a pharmacy owner in 2018, you’ve committed yourself to building a prosperous future for your practice in an ever-changing physical and digital landscape.

The latter, and specifically the handling of your patients' data, is perhaps the most challenging, because our largely clinically focused training covers little about our obligations to handle personal information securely under the Australian Privacy Act 1988.

Now, before your eyes roll back and you think to yourself, 'Understanding my pharmacy's data is just for the big ones who can afford an IT department', you should know that not taking patient data privacy seriously could cost you and your business a civil penalty of up to $1.8 million for a serious or repeated interference with privacy, such as failing to notify a breach you were obliged to notify, not to mention causing your patients serious harm.

What you need to know

The Notifiable Data Breaches (NDB) scheme came into force on 22 February 2018. It means that any organisation covered by the Privacy Act (which includes all pharmacies, as providers of a health service) is obliged to notify both the Office of the Australian Information Commissioner (OAIC) and the individuals whose personal information is involved in a data breach that is likely to result in serious harm.

If you only suspect that such a breach has occurred, you must assess it promptly (the scheme allows at most 30 days for the assessment); once you are aware that an eligible data breach has occurred, notification must follow as soon as practicable.

What is a data breach?

A data breach happens when personal information (such as a person’s name, contact details, medical records, or banking details) is:

  • accessed or released without proper authorisation
  • lost and likely to be accessed or released without authorisation.

An example could be accidental publication of sensitive information by a pharmacy. Imagine a pharmacy that discovers its record of patients and dispensed prescriptions has been made publicly available online because of a team member's error, and removes the record from public view an hour after the error is discovered.

In this instance, the pharmacy's IT/security consultant might establish, for example by reviewing the web server's access logs for the period of exposure, that the record was not accessed while it was publicly available.

On that evidence the pharmacy owner could conclude that none of its patients is likely to experience serious harm, and that notification is not required. The conclusion is only as sound as the evidence behind it: if logs for the exposure period are missing or incomplete, access cannot be ruled out.

Even then, the pharmacy would still review the incident and retrain the staff responsible for managing customer information.
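The "not accessed" finding in the scenario above is a forensic claim, and a practitioner will want to see how it is actually established. The script below is an added example, not code from the article or from Pharmactive: it parses web server access-log lines in the common Apache/nginx "combined" format, keeps only the lines that fall inside the exposure window, and reports whether any successful (2xx) request fetched the exposed file. The log lines, file path, IP addresses and times are constructed for the illustration. It also handles the failure mode the text warns about: if no log lines at all cover the window, it refuses to conclude "no access".

```python
import re
from datetime import datetime

# Apache/nginx "combined" access-log format. Assumption for this example: the
# pharmacy's web server writes this format; adjust LOG_RE for other servers.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    # Drop any query string so "/exports/x.csv?download=1" still matches the path.
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec


def assess_exposure(log_text, exposed_path, start, end):
    """Find requests that could have retrieved exposed_path during [start, end].

    verdict is "insufficient_logs" when no parsed line falls inside the window
    (nothing can be concluded from this log), "accessed" when at least one
    successful 2xx request for the path occurred, and "no_access" otherwise.
    """
    in_window = 0
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not (start <= rec["ts"] <= end):
            continue
        in_window += 1
        if rec["path"] == exposed_path and 200 <= rec["status"] < 300:
            hits.append({"ip": rec["ip"], "ts": rec["ts"].isoformat(), "status": rec["status"]})
    if in_window == 0:
        verdict = "insufficient_logs"
    elif hits:
        verdict = "accessed"
    else:
        verdict = "no_access"
    return {"verdict": verdict, "hits": hits, "distinct_ips": len({h["ip"] for h in hits})}


# Constructed sample data (not a real pharmacy, path or address). The file is
# assumed to have been exposed from 09:00 to 10:00 AEDT on 22 Feb 2018.
EXPOSED_PATH = "/exports/dispensing-2018-02.csv"
WINDOW_START = datetime.strptime("22/Feb/2018:09:00:00 +1100", TS_FMT)
WINDOW_END = datetime.strptime("22/Feb/2018:10:00:00 +1100", TS_FMT)

# Only unrelated pages fetched during the window; the 404 comes after removal.
LOG_NO_ACCESS = """\
203.0.113.10 - - [22/Feb/2018:09:05:12 +1100] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [22/Feb/2018:09:05:13 +1100] "GET /css/site.css HTTP/1.1" 200 880 "-" "Mozilla/5.0"
198.51.100.7 - - [22/Feb/2018:11:42:01 +1100] "GET /exports/dispensing-2018-02.csv HTTP/1.1" 404 196 "-" "curl/7.58.0"
"""

# Same log plus two successful downloads of the exposed file inside the window.
LOG_ACCESSED = LOG_NO_ACCESS + """\
198.51.100.7 - - [22/Feb/2018:09:31:44 +1100] "GET /exports/dispensing-2018-02.csv?download=1 HTTP/1.1" 200 48210 "-" "curl/7.58.0"
192.0.2.33 - - [22/Feb/2018:09:58:09 +1100] "GET /exports/dispensing-2018-02.csv HTTP/1.1" 200 48210 "-" "Mozilla/5.0"
"""

# A log with no lines at all inside the window: no conclusion is possible.
LOG_GAP = """\
203.0.113.10 - - [22/Feb/2018:08:10:00 +1100] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for name, log in (("no-access", LOG_NO_ACCESS), ("accessed", LOG_ACCESSED), ("gap", LOG_GAP)):
        print(name, assess_exposure(log, EXPOSED_PATH, WINDOW_START, WINDOW_END))
```

Two design points matter for the pharmacy scenario. First, the window must start when the file became public, not when the error was noticed, so confirm the upload time from the server or file system before running the check. Second, a "no_access" verdict assumes the log is complete for the window; if log rotation, a CDN cache or a proxy sits in front of the server, those logs must be checked too, and an "insufficient_logs" result is exactly the situation in which notification cannot be ruled out.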

How you can better prepare your pharmacy

  1. Review your data collection processes and policies, and ensure personal information is collected and stored only when needed.
  2. Create a comprehensive list of every location where your pharmacy's data is held (dispensing system, point of sale, email, backups, cloud services and portable devices).
  3. Create or update your pharmacy's IT management policies to cover accepted uses and handling practices for sensitive data.
  4. Strengthen your cybersecurity defences (e.g. anti-virus software, firewalls, encryption software, Windows security updates).
  5. Understand how you will be notified if your pharmacy's data is compromised in a third-party environment (e.g. offsite cloud backup), and check that your contract with the provider requires prompt notification.
  6. Understand how to identify whether a data breach is an eligible data breach: there has been unauthorised access to, unauthorised disclosure of, or loss of personal information, and a reasonable person would conclude that it is likely to result in serious harm to any of the individuals concerned. Record the steps in a written data breach response plan (the OAIC publishes a sample).
  7. Consider whether your current pharmacy insurance policy will cover you for eligible data breaches (e.g. compliance costs, rectification costs and third-party claims).

Robert Stzar is a pharmacist, pharmacy owner and the founder of Pharmactive.
