Australians’ sensitive health information, including data on women who have had abortions, is not being properly protected, a News Corp investigation has found.

Under a new mandatory notification scheme, businesses must now report a data breach to the Office of the Australian Information Commissioner. 

The first 37 days of the scheme have revealed that a breach occurred in the health sector roughly every two days, yet no financial penalties have been applied; instead, the agencies involved have merely given undertakings to do better.

There is a provision for the OAIC to order compensation payments to victims, which has been used in at least one case. There is also a civil penalty of up to $420,000 for a serious or repeated interference with privacy by an individual, and up to $2.1 million for a body corporate. However, so far the civil penalty has not been applied.

Following the Facebook privacy saga, a plethora of local and international privacy laws, backed by large fines to protect users, have either come into effect or are about to, and they affect your patients and your staff.

You may not be aware that in February 2018 a new privacy law requirement came into force that affects every medical and healthcare business. Health service providers are covered regardless of turnover; the $3m small-business threshold that exempts other businesses from the Privacy Act does not apply to them. If you fail to act, you could potentially end up losing your practice.

This is the ‘Notifiable Data Breaches Scheme’. The bottom line is that once you suspect a breach you must assess it within 30 days and, if it is likely to result in serious harm, notify the affected patients and the Privacy Commissioner as soon as practicable. Where it is not practicable to notify individuals directly, you may need to publish details on your website. For more information see Notifiable breaches scheme.

If the breach causes serious harm to others, you may be liable. Serious harm could include (but is not limited to) identity theft, financial loss, threats to physical or emotional well-being, reputational damage and humiliation.

If you fail to notify, the penalties can be as high as $2.1m, so this cannot be ignored.

For those who engage contractor medical personnel (e.g. GPs) it gets worse. If your contractor suffers a breach that should be notified and they do not notify it, your business can be held responsible as well, even if you argue that you did not know of the incident.

Any of the following can constitute a data breach that must be assessed and, if serious harm is likely, notified:

– Sharing staff passwords, e.g. continued use of a former staff member's login

– Lost phones with patient data on them (including apps)

– Hacking of any kind

– Breaches involving email, e.g. sending patient information to the wrong recipient

– Loss of USB flash drives, laptops or mobile devices

– A third party (e.g. a data analytics software company) receiving information about your patient without authority

The latest craze is patient data mining. Patient information is the new data oil for well-intentioned tech companies around the world. There is a plethora of third-party data analytics companies showing you how to bill patients using their software. Many of them data mine, track and SMS your individual patients about care plans or specific types of high-dollar-value and/or clinically necessary visits.

To upload this information, the treating practitioner must first obtain informed consent (preferably in writing) from the patient. Without it, no third-party software company may receive the patient's identifiable personal health information; if it does, that is a serious and reportable breach. Read the software vendor's terms and conditions carefully: they place ultimate responsibility on the practice or the doctor/provider, not the vendor. What seems like a great idea can become a nightmare. This can be confusing, because the government pays grants to practices for sharing patient healthcare information; receiving such a grant does not automatically protect the provider and the practice from a privacy breach.

Another example: if you tell a nurse to provide an opioid to someone in the waiting room and another patient overhears it, then strictly speaking the practice has to assess whether this is notifiable to the Privacy Commissioner. (In practice, the serious cases are the ones that become an issue, such as where demonstrable harm is caused and the person is identifiable.)

Now is the time to update your policies and procedures and train all your staff. Computer passwords and agreements may need to be changed, and you will need expert advice on your IT systems. Update your data privacy policy details on your website, in your waiting room and in your ‘on hold’ messages, and refer people to your website for further information. Remember, ignorance of the law is no excuse.

Contact your professional indemnity insurer and/or local healthcare professional body for more information, but be careful not to provide them with any patient information they should not be receiving. If unsure, consult an experienced legal adviser. Ensure you have the correct documentation and processes in place. Be wary of the vexatious staff member or patient, which is often where these problems originate.

Contact us for further information.

Please note we are not lawyers, we are accountants and practice advisers. Please seek specific legal advice in relation to your own circumstances. We cannot be held responsible for any errors or omissions in this article. This article is for discussion purposes only.

For more insights visit our blog.

About me: David Dahm BA (Acc.), CA., FCPA, CTA, FFin, CPM, FAAPM, FAIM, FGLF.

Chartered Accountant, Chartered Tax Adviser, Registered Tax Agent, Former AGPAL Surveyor 10 years of service

David Dahm is CEO and founder of the national medical and healthcare chartered accounting firm Health and Life and global Founder and CEO of the not for profit project the International Healthcare Standards and Ethics Board (

After a serious work related car accident in 1989, and nine operations later I continue to be a patient and provider advocate. I enter my third decade as a national Chartered Accountant for Medical and Healthcare practices in Australia. I am a former 10-year Australian General Practice Accreditation surveyor. I come from a medico family. I have served on the AAPM national Board and was the inaugural national Chair of the Certified Practice Manager CPM post nominal. I continue to provide accounting tax and practice management advice to many practices all over Australia.

You know who you are, and I thank you for this real honour and privilege to serve you and your community through you. Note: I am not a lawyer; please seek appropriate legal and accounting advice. This information is for general information and discussion only.
