Why pharmacies need privacy management plans

As trusted custodians of personal health information, pharmacists need to be transparent and detailed on exactly how they keep customers’ data confidential and secure.

A regular patient walks into their local Sydney pharmacy and asks to pick up her husband’s prescriptions, as she’s done with permission many times in the past.

The husband walks in a week later, asks to pick up his Viagra prescription, only to be informed his wife had beaten him to it.

‘We’re divorced,’ the husband replied.

While it sounds like a joke, the above scenario is a real life example of a confidentiality breach that happened at one of Catherine Bronger’s three Sydney pharmacies, as she recalled at the Australian Pharmacy Professional Conference on the Gold Coast last week.

Ms Bronger was speaking on the issue of patient privacy ahead of Privacy Awareness Week from May 13, and used this incident to highlight how important it is for pharmacies to have an open and honest approach to privacy.

‘We had this “uh oh” moment in the store, but it was okay, in case you’re wondering,’ said Ms Bronger, who was PSA NSW Young Pharmacist of the Year in 2015 and is also a Pharmacy Guild of Australia National Councillor.

‘We explained the situation to the husband and he remains a really good customer of ours.’

‘In that pharmacy and in other pharmacies, we then changed our protocols and made sure that we only give prescriptions out on written consent or if the patient actually comes and asks for it themselves.’

Assistant Commissioner of Regulation and Strategy from the Office of the Australian Information Commissioner, Melanie Drayton said it was more important than ever for pharmacies to have privacy management plans in place, as the Notifiable Data Breaches Scheme is now in effect.

Robert Sztar provided a full explanation of the scheme to Australian Pharmacist in his article entitled What new data privacy laws mean for pharmacies.

‘Of course, you risk facing regulatory action if you’re not complying with your legislative obligations. But perhaps more significant to a business’s bottom line is that failing to meet the community’s privacy standards can result in significant damage to the trust patients place in pharmacists as healthcare professionals,’ Ms Drayton said.

Ms Drayton said when your business is transparent and people trust how you use their personal information, they’re also more likely to provide you accurate information which will give you a more complete picture of their situation.

‘Further, they’re more likely to come back and seek your advice about their treatment,’ she said.

As a result, your approach to data management should be primarily a communication tool with your customers, not a compliance tool, added Ms Drayton.

‘Explain how you handle information to your customer in a way that is easy to understand and that’s fair.

‘Think of innovative ways to do this. Simplify language, incorporate visuals and prominently draw attention to privacy notices,’ she said.

And of course, what you say must also be backed up by practices and processes that minimise privacy risks.

‘One thing that we’ve done as a regulator to help you with that, is to develop a privacy management framework to assist you in creating your own privacy management plan,’ she said.

‘A privacy management plan identifies the specific risks and measurable privacy goals that will help you foster a privacy culture that’s responsive to the evolving risk environment.’

Concerns have been raised in the community regarding patient privacy and the My Health Record (MHR) rollout.

Pharmacists should discuss the system with their patients, including details of the types of information that could be shared via their MHR and the implications of not sharing key pieces of their health information.

Patients should be supported with knowledge that the MHR system has been designed to enable the patient to control the content of their record, and who can access their health information. Further MHR information can be accessed here.