Privacy and data breaches are increasing. How to protect your practice.

Privacy and data breaches in businesses across different sectors are becoming increasingly common. Recent news reports of data breaches at telecommunications and private health insurance businesses remind us of the importance of maintaining data security and meeting your privacy legislation obligations.

With more sensitive patient and practice information being stored electronically, the risk of a practice experiencing a data breach or cyber attack can be expected to keep growing. ASIC has also recently warned company directors that failing to adequately address cyber risk, or to comply with disclosure and reporting requirements, may be a breach of directors’ duties. Fines can be crippling: the Federal Court of Australia recently ordered one business to pay $750,000 in costs to ASIC in connection with failing to adequately manage its cyber risks.

Here, we’ll look at privacy principles, and how you can plan to mitigate risk of a privacy and data breach or cyber attack at your practice.

Know the privacy principles and your obligations

Under the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), persons who collect, deal with or disclose personal information are subject to certain obligations.

‘Personal information’ is defined as:

  • any information or opinions about an identified individual (or an individual who is reasonably identifiable), and
  • includes sensitive information.

Businesses have an obligation to meet 13 APPs, and certain additional obligations may be imposed under your relevant state or territory privacy laws.

How might a cybersecurity incident or privacy breach impact your practice?

A data or privacy breach, or cyber attack, can have devastating financial, operational and reputational impacts for your practice. You may experience business interruption if the Office of the Australian Information Commissioner (OAIC), the body responsible for the enforcement and regulation of the Privacy Act, investigates a breach.

Serious and repeated breaches of the APPs may carry civil penalties of up to $2.2 million (for a body corporate) or $444,000 (for individuals).

Accredited medical practices may face potential impacts on continued certification with potential related financial implications, including access to Practice Incentive Program (PIP) payments.

To help avoid these impacts, it’s crucial to adopt a whole-practice approach to complying with your privacy obligations, from directors and managers to admin staff. ASIC’s Cyber resilience good practices guide is helpful, covering how to meet the 11 elements below in more detail:

  1. Board engagement
  2. Governance
  3. Cyber risk management
  4. Third party risk management
  5. Collaboration and information sharing
  6. Asset management
  7. Cyber awareness and training
  8. Protective measures and controls
  9. Detection systems and processes
  10. Response planning
  11. Recovery planning.

How your practice can mitigate cyber and data breach risks

Up-to-date and APP-compliant policies and procedures are one of the key ways to manage and mitigate your potential exposure to cyber risk.

With an online practice management platform like PracticeHub, you have customisable and compliant policy and procedure templates on board, so they’re easy to adapt and implement into your daily practice operations. Templates include:

  • Privacy and confidentiality policy: transfer of information, informing patients how to access their health records, sharing information with third parties
  • System security and responsibilities: firewalls, system backup, confidentiality, remote access
  • My Health Record security and access
  • Email use policy: obtaining and recording patient consent to email communication, verifying email addresses, password protection and encryption.

PracticeHub also includes registers for your practice equipment, contracts and insurances, to help you comply with point 6 of ASIC’s Cyber resilience guide: Asset management. In the contracts register, you can include subscriptions to software platforms, such as antivirus, and other third-party products or services, including your IT provider.

Keeping all your processes and documentation in one place with PracticeHub allows for easy access among your team, and oversight by the practice manager.

Training is another important part of managing your privacy and cybersecurity risk. PracticeHub’s onboard learning modules include one on privacy and confidentiality which covers privacy legislation and APPs, IT security, technology and privacy, as well as the importance of visual and auditory privacy in your practice.

And of course, regular review of your systems and processes is essential to stay current with cyber risks and your practice’s obligations.

Managing a notifiable data breach

The Privacy Act includes a Notifiable Data Breaches scheme which requires an organisation to notify the OAIC and affected individuals when a data breach is likely to result in serious harm to an individual whose personal information is involved.

According to the OAIC, an eligible data breach occurs when:

  • there is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that an organisation or agency holds
  • this is likely to result in serious harm to one or more individuals, and
  • the organisation or agency hasn’t been able to prevent the likely risk of serious harm with remedial action.

As part of managing a data breach, you are required to take immediate action to investigate the cause of the breach and prevent any further breaches from occurring. This is where, again, your policies and procedures will help maintain your practice’s cyber security.

For more strategies and insights on this important topic, watch our recent webinar, Cybersecurity and privacy: risks and obligations for your practice.

Start building a better practice today. Phone us on 1300 469 866.

This article is not comprehensive and does not constitute legal or medical advice. You should seek legal or other professional advice before relying on its content, and practise proper clinical decision making with regard to the individual circumstances. Persons implementing any recommendations contained in this article must exercise their own independent skill or judgement or seek appropriate professional advice relevant to their own particular practice. Compliance with any recommendations will not in any way guarantee discharge of the duty of care owed to patients and others coming into contact with the health professional or practice. Avant is not responsible to you or anyone else for any loss suffered in connection with the use of this information. Information is only current at the date initially published. © Avant Mutual Group Limited 2023.
