The latest insights from our Health Law team.
Special summit of experts to assess rural maternity services in Queensland
In a media statement dated 12 August 2018, the Queensland Government announced that it will convene a special summit of experts to assess the provision of maternity services in rural and remote parts of Queensland.
The media statement noted that Queensland Health takes into account a range of factors when assessing the ongoing viability of services, and that clinicians need to be undertaking sufficient levels of activity in a specialist clinical area to ensure the quality of the service.
The Minister for Health and Minister for Ambulance Services, Mr Steven Miles, emphasised the need for a sufficient number of clinicians to ensure a viable service model that includes on-call arrangements, access to a skilled extended clinical support team, and access to intensive care or other more specialised services should things go wrong.
Read the Media Statement here.
Tribunal upholds patient Review Panel refusal to provide IVF treatment to couple
A couple, referred to by the pseudonyms RGJ and OMU, sought IVF treatment because RGJ had Polycystic Ovarian Syndrome and they had struggled to conceive. However, they were refused treatment because OMU had been convicted of a violent offence, which triggered a presumption against treatment under the Assisted Reproductive Treatment Act 2008 (Vic) (Act).
The Victorian Civil and Administrative Tribunal (VCAT) reviewed the merits of the Patient Review Panel's decision to deny treatment. VCAT found that, because of the historical threat to inflict serious injury, there was a barrier to treatment under the Act. Allowing treatment was held to be inconsistent with the best interests of the child who would be born, because there would be a significant risk of harm arising from the violence and conflict the couple had experienced in their relationship.
In making its determination, VCAT emphasised that it was "not making a value judgment about RGJ and OMU as people or as potential parents" or "predicting that a child born to RGJ and OMU would be harmed". However, VCAT was nevertheless obliged to put the welfare and interests of the potential child at the forefront of its inquiry, and on that basis refused IVF treatment.
You can read VCAT’s full reasons for the decision here.
The Australian Medical Association (AMA) raises concerns on revised Code of Conduct for Doctors
The AMA submitted commentary on the revised Code of Conduct for Doctors in Australia to the Medical Board of Australia.
The AMA’s President Dr Tony Bartone stated that the “Good Medical Practice: A Code of Conduct for Doctors in Australia (2018)” includes several vague and unclear statements which would likely cause difficulties for doctors in complying with their ethical and professional requirements under the Code.
The AMA found section 2.1 (Professional values and qualities of doctors) to be particularly problematic, as it appears to restrict the public commentary of doctors. The AMA also noted that the Code requires doctors to comply with relevant laws such as the Border Force Act 2015 (Cth), which previously threatened imprisonment for whistle-blowers. This was considered to conflict with doctors' obligation under the Code to act in the patient's best interests and to make this their primary concern.
For the AMA’s general and specific comments please click here.
Health sector most vulnerable to data breaches
In July 2018, the Office of the Australian Information Commissioner (OAIC) released a report summarising the notifications received under the Notifiable Data Breaches (NDB) scheme between 1 April and 30 June 2018.
These statistics reveal that Australia's health sector organisations remain vulnerable to data breaches. Approximately 20% of the reports were made by organisations in the health sector. Of the notifications from health sector organisations, the single largest cause of breach was human error (responsible for 59% of the data breaches); the remaining 41% were attributed to malicious or criminal attack.
The OAIC's report highlights that health sector organisations should proactively manage data security and take steps to minimise the possibility of a reportable data breach. These steps include:
- taking steps to destroy or de-identify information that is no longer required (including information that is no longer required to comply with statutory obligations) to reduce the likelihood of a data breach;
- reviewing and updating the organisation’s information handling processes, procedures and systems (including the organisation’s privacy policy and collection statements) to ensure that they are consistent with the organisation’s legal obligations;
- embedding a culture of respect for privacy in the organisation through regular staff training on privacy; and
- developing, implementing and testing a data breach response plan.
Reduce the likelihood of a breach
Health sector organisations are required to destroy or de-identify personal information if the information is no longer required for the purpose(s) for which the information was collected and there are no legal requirements to keep the information. Lawfully reducing the amount of information held by an organisation is a good start to reducing exposure to a data breach.
Review and update information handling processes
This involves ensuring that technological measures, such as anti-virus software and firewall software, are up-to-date and that the security updates and releases are installed as soon as possible. But it also involves reviewing and discussing with contractors and suppliers how they handle personal information they receive from the organisation. Further, it requires the organisation to ensure that its privacy policy and statements on how it handles personal information are up-to-date, accurate and comprehensive.
Develop and embed a culture of respect for privacy
Most organisations in the health sector have a healthy respect for privacy, as it is part and parcel of the work they do. But, as the statistics demonstrate, a key contributor to notifiable data breaches is employee mistakes. Therefore, regular training on the importance of privacy and on how the organisation handles it will help minimise the risk of a notifiable data breach occurring. The training should focus on how a data breach might occur, what employees should do if they see or suspect a data breach occurring, and how the organisation will handle the data breach.
Develop, implement and test a data breach response plan
The plan should set out how the organisation will respond to a report of a data breach and include information on who within and outside the organisation will manage the response to a data breach. It is important to regularly test the plan to make sure that if and when a data breach is detected, staff and executive can rely on the plan to address and resolve the breach.
Number of breaches reported - all sectors
Data breaches notified to the OAIC between February and June 2018 rose each month since the mandatory reporting scheme took effect on 22 February 2018.
Number of individuals affected - all sectors
Most reported breaches affected up to 1,000 individuals per breach (200 breaches notified). The OAIC was notified of 23 breaches affecting 1,001-5,000 individuals, six breaches affecting 5,001-10,000 individuals, three breaches affecting 10,001-25,000 individuals, two breaches affecting 50,001-100,000 individuals and one breach affecting over 1 million individuals.
Kinds of information affected - all sectors
Data breaches tend to involve multiple categories of personal information. Per the OAIC:
- 89% of reported breaches involved “contact information” (e.g., an individual’s home address, phone number and/or email address);
- 42% involved financial details;
- 39% involved “identity information” (e.g., information used to verify an individual’s identity, such as driver’s licence and passport details);
- 25% involved "health information" (e.g., information about an individual's current health, the health services the individual received and/or the individual's wishes regarding future health services);
- 19% involved tax file number information; and
- 8% involved other sensitive information.
Source of data breaches - health sector
Of the 49 breaches notified from health sector organisations, human error caused 29 breaches, and malicious or criminal attack caused the remaining 20 breaches.
The OAIC further broke down the “human error” causes of data breaches as follows:
The OAIC reported that three types of malicious or criminal attack affected information held by organisations in the health sector (with a comparison against all sectors), namely:
According to the OAIC, “cyber incidents” could be classified as follows:
For further information, contact Michael Gorton AM, Andrew Chalet and Craig Subocz.