OAIC: Are our eHealth breach requirements enough?

Summary: The Office of the Australian Information Commissioner has drafted its guide on how eHealth service providers must respond to data breaches, and is seeking public comment to ensure nothing is missed.

The Office of the Australian Information Commissioner has released its draft guide (PDF) on how mandatory data breach notifications should be handled under the personally controlled electronic health record (PCEHR) system, and is once again polling the public on whether its approach to the issue is adequate.

The draft guide states that organisations dealing with eHealth records must notify the System Operator (SO), currently the Secretary of the Department of Health and Ageing, and the OAIC as soon as they become aware that a data breach has occurred. The SO is the only entity permitted to inform affected customers of the breach.

The SO is able to impose administrative sanctions and to cancel, suspend, or vary the offending service provider's registration in the PCEHR system, but it cannot impose civil penalties. That role falls to the OAIC, which, for the first time, will be able under the PCEHR legislation to fine organisations for failing to report data breaches. Penalties will be AU$11,000 for an individual and up to AU$55,000 for an organisation.

Unless the organisation is a state or territory entity (which is required to report breaches only to the SO), failing to report to both the SO and the OAIC constitutes a failure to notify.

If the SO itself is involved in a data breach, it must report the breach to the OAIC, but there are no penalties if it fails to do so. The OAIC is, however, free to investigate the SO if it suspects that a breach has occurred and has not been reported.

The guide also sets out the two situations that the OAIC believes constitute a notifiable data breach. The first is where a person collects, uses or discloses health information from an eHealth record in an unauthorised manner; the second is where the security or integrity of the PCEHR system has been compromised, for example by an external attack on a health portal.

When reporting a data breach under the current draft, an organisation will need to include a minimum level of detail: what information was affected, how many individuals were affected, what caused the breach, what the organisation has done to contain it, and whether any measures were in place to prevent the breach in the first place.

The draft guide also specifies the minimum level of detail that the SO must provide to affected customers when notifying them. The notification includes much of the information that the offending organisation reports to the OAIC and the SO, but must additionally tell affected customers what steps they can take to reduce the risk of harm to themselves, give them a point of contact at the SO or the breached organisation, and explain how they can make a complaint to the organisation responsible or to the SO.

The guide also outlines the actions that a breached organisation should follow to remedy the situation.

The OAIC is now polling the public for feedback on whether the guide will help service providers fulfil their obligations to report data breaches. It has released a consultation paper that raises a number of issues it believes the public may wish to comment on. In particular, it is asking the public to identify any additional steps or factors that should be considered when responding to a breach, and any other policies the OAIC could adopt to help affected organisations meet their reporting obligations.

Those interested in submitting comments on the draft guide will have until September 25 to do so.

Only last week, the OAIC released its broader draft enforcement guidelines on how it will enforce privacy regulation related to the PCEHR system, and is likewise seeking comment on whether those guidelines are adequate.

Topics: Health, Government, Government AU, Privacy, Security, Australia

Michael Lee

About Michael Lee

A Sydney, Australia-based journalist, Michael Lee covers a gamut of news in the technology space including information security, state Government initiatives, and local startups.
