Privacy and information security
Creating an informed, proactive, cyber-secure workplace culture requires continuous learning and is essential to the resilience and success of your practice in the provision of safe, high-quality healthcare.
Effective information security and privacy in general practice is not optional. It is an ongoing process rather than a one-off investment, and it involves preventing inappropriate access, protecting sensitive information and preserving practice data. General practice has a fundamental role in protecting the privacy of patient health information, so it is essential for your practice to be familiar and compliant with the current legislative framework for the management of health information.
Patient or practice team data that is lost, stolen, or inappropriately used or accessed can have adverse implications including identity theft or privacy breaches, reputational damage, substantial fines and disruption of daily business activities, and can place a significant emotional burden on all involved.
Areas of information security
Information security spans several areas, including:
- information that is stored electronically or on paper within your practice
- information that is in transit to or from your practice
- checking and preserving information integrity
- being able to audit changes made to it
- protecting information from unauthorised access
- protecting information from loss.
Security agreements
All practice team members should complete confidentiality and privacy agreements. These, in conjunction with an appropriate internet and email use agreement, act to protect practice owners in the event of legal action should a security breach occur.
The RACGP has developed the Information Security in General Practice and the Privacy and Managing Health Information in General Practice resources. They are designed to give you and your practice team the confidence to protect your information systems. Please visit the RACGP website to download these resources.
Notifiable data breaches
A data breach occurs when personal information held by your practice is lost or subject to unauthorised access. All breaches or suspected breaches should be recorded in a data breach register, and practice management must be notified, whether or not the breach results from a cybersecurity attack.
Data breaches can occur:
- through unauthorised access to your databases
- through intentional and inappropriate disclosure of information by practice team members
- when personal information is incorrectly disclosed
- when sending a patient’s personal details and/or health information to the wrong recipient
- if a practice team member is deceived into improperly releasing the personal information of another person
- through loss or theft of laptops, mobile devices, or removable storage devices
- when discarded hard drives or digital storage media still contain your practice information
- through lost or stolen paper records.
Under the Notifiable Data Breaches (NDB) scheme, an organisation or agency must notify affected individuals and the Office of the Australian Information Commissioner (OAIC) about an eligible data breach. General practices can also contact their medical indemnity insurer for advice on how to manage a data breach.
Resources
- RACGP – Information security in general practice (link)
- RACGP computer and information security template (pdf)
- RACGP – Social media guide template (document)
- RACGP – Confidentiality agreement (document)
- How to report a notifiable data breach (link)
- Office of the Health Ombudsman (Qld) (link)
- OAIC – Privacy guidance for health service providers (link)
- OAIC – Guide to health and privacy (link)
- RACGP – Privacy of health information (link)
- RACGP – Managing practice information (link)
- RACGP – Privacy considerations (link)
- RACGP – Privacy Policy template for general practices (document)