With the My Health Record system expanding, it is time for health care providers to review and update their Privacy Policies. Necessary changes will likely include amendments to how personal information is collected, used and shared.
Notably, many Privacy Policies claim they do not share information with any third parties. This may no longer be true if a patient’s information is being uploaded to the My Health Record system. Similarly, claims that the provider only collects information from the patient directly will not be accurate if the provider accesses information from the My Health Record system. Furthermore, the My Health Record Act defines ‘use’ to include accessing, viewing, modifying and deleting information. As such, representations regarding how you use patients’ information may need redefinition.
While it is mandatory for health care providers who hold health information to have a compliant Privacy Policy, many are falling short of their obligations. Often Privacy Policies are implemented by a web developer when the website is built. These Privacy Policies usually refer to the collection of personal information via the website. However, it’s far more likely that the bulk of the personal information held is derived from other sources, including paper forms filled out in waiting rooms, records generated in providing the health services and telephone conversations with patients.
Privacy Policies relate to how businesses deal with personal information from all sources, not just that derived from their websites.
With the notifiable data breach scheme in full force, the last thing you want to do is rush to get compliant during a data breach event before you are required to notify the commissioner.
Get in early, get compliant and avoid the $420,000 maximum penalties.