As you may already know, both winter and privacy breach notifications are coming. And while you may have already prepared for winter and its influx of colds and flu, it’s also important to prepare for mandatory breach notifications, so that your agency is ready when the requirements kick in.

New Zealand currently falls into a group of countries for which privacy breach reporting is voluntary - but the privacy law reform underway in Parliament will change that. The Privacy Bill, which is likely to be passed by Parliament this year and become law in 2020, will introduce a mandatory breach notification regime.

The effect of this is that your agency will have to notify both the individual and the Privacy Commissioner in certain circumstances if the agency experiences a serious privacy data breach.

What will I have to notify?

Agencies won’t have to notify every single breach. The threshold for notifiable breaches isn’t finalised, but it is likely to only cover privacy breaches where there is the risk of serious harm. The threshold aims to balance the compliance burden on agencies, while making sure that affected individuals are notified, and minimising the risk of ‘notification fatigue’.

Once the Privacy Bill has passed, the Privacy Commissioner will publish more information on how the breach notification reporting will operate, and when privacy breaches must be reported.

In the meantime, this is a great time to take stock of your existing policies and procedures to prevent, mitigate, and report data breaches, check that they’re still best practice (update them if they’re not), and make sure your staff all understand what they need to do.

Avoid human error

A significant cause of data breaches is from simple errors like sending emails or attachments to the wrong people (or failing to BCC an email list); putting patient letters in the wrong envelopes or falling prey to a phishing attack.

These kinds of mistakes are easy to make. We’ve all had an email auto-populate in the ‘To’ field to the wrong John Smith or wondered whether we really do have that Nigerian fortune waiting to be claimed.

Setting up systems to prevent or catch these human errors will help stop sensitive information going out to the wrong person. For example, name documents clearly so that attachments are identifiable immediately if they’re the wrong file; set up a delay send rule on emails and provide regular refresher training to staff on email security and avoiding phishing scams. Other options include encrypting attachments with sensitive information, so that the recipient needs a password to read the file.

Think through the risks

Risks can appear in unexpected ways. At a medical practice, a patient was handed a form to give to the doctor. On the front of the form was the patient’s information but on the back of the page was another patient’s information in the form of an invoice. When asked, staff at the medical centre explained they were motivated by a desire to recycle paper. They had blanked out the patient's details on the back, but this had been done poorly. When it was held up to the light, the other patient's information, such as their name and address, could be clearly seen.

The recycled paper was not intended to leave the clinic. But it had created a risk. The recycled paper should have been destroyed or disposed of in the first instance.

Review your policies and procedures for best practice

How do you get rid of your agency’s rubbish? Put it into a regular rubbish collection? What if it includes patient information like prescription labels with a person’s name, address, and the condition of that patient who was being treated? We received a breach incident notification last year when a member of the public noticed patient documents strewn along a street.

The health agency’s rubbish was supposed to have been double-bagged, which would usually prevent spillages but not in this case. We discovered the agency had access to a secure shredding service and it quickly moved to adopt this method of disposing patient information.

In another embarrassing breach, patient notes were found scattered along a busy Brisbane inner-city street having literally fallen off the back of the van or truck taking them to be disposed of.

It’s up to agencies to work out practical policies and solutions that work for their circumstances. But agencies should also make sure their procedures appropriately mitigate privacy risks, including the risk of health data breaches.

Make sure policies are being followed

Do you ever take patient files home, or keep them in your car or bag? We’ve received notifications of multiple incidents where staff have suffered burglaries of their home or car, and as a result, patient records have gone missing. Or a receptionist has left a client file on the desk overnight, leading to the risk that someone else could pick up and read the file.

Many agencies will have a policy that hard copy files must be locked up at the end of the day, and that laptops or other devices used to access the digital files must be password protected. If your staff don’t follow the policies, it only increases the risk your agency will suffer a data breach.

Reducing your data breach notifications

The best way to make sure you don’t have to explain why a data breach occurred is to practice data breach sanitation. Think of it as the equivalent of making sure you wash your hands regularly or cover your mouth when coughing. Prevention, as we know, is better than the cure.

But despite the best precautions, some people will still get sick, and privacy breaches will occur (hopefully less often and with less seriousness). Just like staying at home when you come down with a cold, data breach notifications to our office and to the people affected are intended to help agencies prevent a breach from worsening while giving people the opportunity to take steps to protect themselves, if their information is lost.

This article was first published in NZ Doctor magazine.

Image credit: Shutterstock

Health Information Privacy Code, health, breach