Fines levied for e-health data breaches

Patient records available to law enforcement and courts.

The Federal Government will penalise health practitioners to the tune of $66,000 for any personally controlled electronic health record compromised, leaked or “inappropriately accessed” under draft e-health legislation released today.

Health Minister Nicola Roxon said in a statement that she expected the PCEHR system to be “more secure and private” than paper-based records.

The draft legislation [pdf] includes strong penalties of $13,200 per instance of a record being accessed without authorisation or confidential information leaked.

“If more than one record is accessed without authorisation then the penalty multiplies by the number of records,” Roxon said.

As expected, the legislation states that a healthcare provider can only upload patient data to the system with their consent.

It also ensures an Australian citizen can apply to access their own records at any time and binds healthcare providers to supply services regardless of whether a patient is registered in the e-health system.

Exceptions

The draft bill allows for several special circumstances under which a patient's records can be accessed.

Healthcare practitioners can collect, use or disclose a patient’s record to “prevent a serious threat to an individual’s life, health or safety” or to “public health and safety”. 

Further, a practitioner can collect, use or disclose a record if they can prove the patient is “incapable of consenting”.

The provisions, allowed for use in a "break glass" or emergency situation, were strengthened in a revised concept of operations released this month by the Department of Health.

Under the revised document, patients would be required to "effectively remove" any documents from their e-health record that they did not wish to be seen by practitioners. These could be reinstated at any time by the individual.

The Department of Health can also allow access to patient records if “required or authorised”  under any relevant Federal, State or Territory law, or ordered for proceedings in a court or tribunal, the legislation said.

Law enforcement officers can seek access to a record through the department under certain conditions, such as the “prevention, detection, investigation, prosecution or punishment of criminal offences, breaches of a law imposing a penalty or sanction or breaches of a prescribed law” or for the “prevention, detection, investigation or remedying of seriously improper conduct or prescribed conduct”.

It appears that even the Australian Tax Office could potentially apply to view patient records. Exceptions have been made for law enforcement to access an individual’s e-health record for the “protection of the public revenue".

Not quite a mandatory data breach notification

The legislation binds both the Department of Health and those IT companies hosting the register to notify the Privacy Commissioner in the case of unauthorised access.

The organisations are asked to contain the leak as best as possible and take steps to prevent such a breach re-occurring.

But those calling for mandatory data breach notifications may be disappointed: the legislation only asks the Department of Health to “consider” notifying affected patients.

The public can comment on the legislation here with final legislation due to be put before Parliament before the end of the year.

What do you think of the draft legislation? Should the Department of Health and its service providers be forced to inform patients when their records are inappropriately accessed? Should law enforcement have access to health records? Have your say below...