Managing Risk: Confidentiality, privacy & record storage
Tom Ballantyne, Greg Emsley, Karen Brown
Record storage and cyber security are important aspects of occupational therapy practice across all settings and funders. When collecting health information, it is essential that clinicians protect their client’s privacy by storing all records safely and securely. By doing so, occupational therapists can proactively minimise the risk of a data breach impacting their practice or health service and, more importantly, their clients.
Occupational Therapy Australia’s Karen Brown spoke with Tom Ballantyne (Principal Lawyer) and Greg Emsley (General Manager Digital & Technology) from Maurice Blackburn Lawyers to discuss record storage and cyber security in the context of occupational therapy practice.
KAREN: I am delighted to have Tom Ballantyne and Greg Emsley join us to share their expertise and practical strategies on how occupational therapists can minimise their risk when it comes to record keeping. Tom, could you start by telling us a little about the legal framework governing personal & health records?
TOM: Firstly, it’s important to note that health record storage is governed by the Privacy Act 1988 at the federal level, as well as state-level legislation in all states and territories except South Australia and Western Australia.
The Privacy Act 1988 sets out 13 privacy principles and applies to all entities which provide a health service or otherwise hold health information (other than in an employee record).
KAREN: Are there any particular principles in the Act that you would like to highlight for our members?
TOM: One that is particularly relevant to this discussion is Principle 11 – Security of personal information. Under this principle, the health professional needs to take reasonable steps to protect their client’s personal information from misuse, interference and loss, as well as from unauthorised access, modification or disclosure.
What “reasonable steps” looks like will depend on the situation, including the amount and sensitivity of the information held, and the possible adverse consequences for the individual in case of a breach.
KAREN: Thanks Tom, that’s very helpful. When it comes to obtaining consent for collecting, using or disclosing personal information from clients, is there anything that occupational therapists should be aware of?
TOM: Yes, it’s important to ensure that consent is informed, voluntarily provided, current, specific and given with full capacity. A clear privacy policy can support the provision of informed consent. This may include:
• The name and contact details of the organisation or entity;
• The kinds of information being collected and stored;
• How and why that information is collected and stored;
• How to lodge a complaint about the handling of information; and
• How the information can be used, accessed and disclosed, including whether the information may be disclosed outside of Australia.
KAREN: On that note, could you tell us more about what occupational therapists’ obligations are if they use a third-party service that stores information overseas?
TOM: Good question. You must take all reasonable steps to ensure that an overseas third party storing sensitive information does not breach the legal obligations outlined in the Privacy Act. Australian practitioners and organisations who allow sensitive information to be stored overseas can be held liable for acts or omissions committed by overseas third parties.
KAREN: But I understand there are some exceptions to that?
TOM: That’s correct. In general, an Australian practitioner would not be liable if:
• You reasonably believe that the overseas third party is subject to laws or binding schemes that are substantially similar to the Australian legal framework; or
• An individual consents to the information being stored overseas, as long as they are informed of the consequences of providing consent.
KAREN: Thank you, Tom, it’s useful to understand the legal frameworks which underpin our responsibilities as health practitioners in the context of privacy and records.
Greg, it would be great to get some insights from you in regards to how occupational therapists can meet their obligations in practical terms.
GREG: I know that it can be quite overwhelming for busy health practitioners to think about how their data is collected and stored, especially those operating smaller practices or as sole traders. However, there are some relatively simple steps anyone can take to improve the security and privacy of their records.
KAREN: Could you talk us through some of those steps?
GREG: Most definitely. Firstly, review who has access to what information and make any changes as required. I would suggest following the principle of least privilege, which is an information security concept in which a user (such as a member of staff) is given the minimum levels of access – or permissions – needed to perform his or her job functions, and no more. This is considered cyber security best practice and reduces the risk of a data breach.
Secondly, if you haven’t already, consider digital file storage solutions which offer advanced security features. Many providers such as Microsoft or Google offer business software at a monthly cost with added security features.
KAREN: What sort of features should members look out for in their cloud storage provider?
GREG: Some key features to look out for would be advanced threat protection (ATP), advanced security, cyberthreat protection, data encryption, advanced endpoint management, multi-factor authentication and access and data control.
KAREN: Thanks Greg, that’s very valuable advice. In addition to storing data, occupational therapists often need to share sensitive information, such as reports based on assessments of their clients. How would you suggest they do this?
GREG: While email is generally the most common and convenient method of sharing information, digital file sharing platforms, such as Dropbox, Google Drive or OneDrive, offer the most secure option. When comparing your options, consider security features such as secure file sharing, access control, backup, encryption in transit, encryption at rest, data retention and multi-factor authentication.
KAREN: Thanks Greg. Given all this talk about digital platforms, it would be remiss of me not to ask you about cyber security. Do you have some top tips that members might be able to implement in their practices?
GREG: Absolutely.
1. Institute a training process to ensure that your employees can detect and respond to cyber security threats, such as fraudulent emails.
2. Improve your protocols around password management. Consider using complex password phrases, a password manager or, ideally, multifactor authentication.
3. Turn on automatic updates for your software wherever possible, or regularly check for updates if auto-updates are unavailable.
4. Ensure you have a regular and accessible backup of all of your critical information.
KAREN: If you had one key takeaway for our members to improve the privacy and security of their records, what would it be?
GREG: You don’t have to be perfect and doing a little is better than doing nothing at all. If your members can take one suggestion from this article and action it in their health service or practice, that would be a great step towards minimising their risk and protecting their client’s data.
KAREN: Thank you Tom and Greg for sharing your knowledge and insights with us.
About the authors:
Tom Ballantyne is a Principal Lawyer and the head of Maurice Blackburn’s Victorian medical law practice. Tom joined the firm as a trainee lawyer in 2006 and has practiced exclusively in medical negligence since 2007. He is also a member of the Law Institute of Victoria Council and the Australian Lawyers Alliance Victorian committee.
Greg Emsley is the General Manager of Digital and Technology, based at Maurice Blackburn’s Melbourne office. Greg has worked in IT for more than three decades in corporate and consulting roles, including the past 11 years as chief information officer for two of Australia’s largest professional services organisations.
Karen Brown is the Divisional Manager for NSW and the ACT at Occupational Therapy Australia. Karen has over 20 years of experience as an occupational therapist working primarily in public health across acute and rehabilitation hospitals, transition care and in the community in clinical, project and health management roles.
Maurice Blackburn offers OTA members free telephone advice and a free first consultation. For more information, contact Andrew McKenzie, National Relationship Manager: Phone: (07) 5430 8746
Email: AMcKenzie@mauriceblackburn.com.au
Website: www.mauriceblackburn.com.au/partnerships/ota/ article