Privacy law changes for medical practices in Australia

Understanding the privacy law changes for your medical or allied health practice

Two recent changes to the privacy and legal framework governing patient data in Australia affect how medical and allied health practices must handle personal and sensitive information:

  • The Privacy and Other Legislation Amendment Act 2024 (Cth) (POLA); and

  • Western Australia's Privacy and Responsible Information Sharing Act 2024 (PRIS).

These developments mean that medical and health practices in Australia must re-assess how they handle personal and sensitive information, so that they meet their legal obligations and keep their patients' trust.

These reforms aim to enhance patient privacy, clarify obligations for healthcare providers and introduce new compliance requirements. In practical terms, your medical or allied health practice needs to get up to speed with the changes and make sure it complies.

In this article we take an in-depth look at these recent privacy law developments as they apply to medical practices in Australia, and set out actionable steps you can take to ensure your practice remains compliant.

Overview of the Privacy and Other Legislation Amendment Act 2024 (Cth)

Passed in December 2024, the POLA affects medical practices through several key changes, including:

Clarification of reasonable steps

The POLA clarifies that a medical practice must take 'reasonable steps' to protect personal information.

The POLA makes explicit that 'reasonable steps' means both technical and organisational measures, which for a medical practice includes the implementation of:

  • Robust cybersecurity protocols;

  • Regular staff training; and

  • Comprehensive and legally compliant privacy policies within the medical practice.

Enhanced individual rights

Under the Privacy Act as amended by the POLA, patients of your medical practice have rights including:

  • Access and correction rights allowing patients to request access to their personal information and seek corrections if necessary; and

  • Transparency, noting that medical practices must be transparent about how they collect, use, and disclose personal information.

Introduction of a statutory tort for invasions of privacy

The POLA also introduced a new statutory tort for serious invasions of privacy. If an individual's privacy is seriously invaded, they can now sue your medical practice directly, including for intrusion into seclusion or misuse of personal information. The tort is limited to invasions that are intentional or reckless, where the individual had a reasonable expectation of privacy; negligence alone is not enough to ground a claim. The right of action is available only to individuals, not companies. It applies to any business (even those under the small business threshold), and not just those regulated by the Privacy Act 1988 (Cth).

The Office of the Australian Information Commissioner (OAIC) has also been given increased authority to investigate privacy breaches and to enforce compliance, including through a tiered civil penalty regime for less serious interferences with privacy and the power to issue compliance notices.

These developments demonstrate the importance of rigorous data protection measures in your medical practice.

Criminalisation of Doxxing

The POLA also introduced criminal offences for 'doxxing' in Australia by amending the Criminal Code Act 1995 (Cth) to create two new offences.

Doxxing, for the purposes of these offences, means using a carriage service (such as the internet) to make available, publish or distribute an individual's personal data in a way that a reasonable person would regard as menacing or harassing.

The offences carry significant penalties: up to six years' imprisonment for the basic offence, and up to seven years where the individual is targeted because of a protected attribute such as race, religion, sex, sexual orientation, gender identity, intersex status, disability or nationality. Patient records contain exactly the kind of personal data these offences are concerned with, which again highlights the need for careful handling of patient data in your medical practice.

The Privacy and Responsible Information Sharing Act 2024 (WA)

Western Australia's Privacy and Responsible Information Sharing Act 2024 (PRIS) was also passed recently, with the aim of facilitating responsible data sharing and strengthening privacy protections for personal information held by public organisations. The PRIS applies to the Western Australian public sector, including public healthcare providers, and so has implications for medical practices in Western Australia that work with or within the public health system. Entities that must comply with the PRIS are known as IPP entities under the Act.

These implications include:

Information Privacy Principles (IPPs)

The PRIS Act sets out eleven Information Privacy Principles (IPPs) that govern the collection, use and disclosure of personal information.

Under the IPPs:

  1. Personal information must be collected lawfully and fairly (IPP 1 Collection);

  2. Personal information must be used and disclosed only for the purposes for which it was collected, unless an exception applies (IPP 2 Use and disclosure);

  3. The IPP entity must take reasonable steps to ensure that the personal information it collects, uses or discloses is accurate, complete and up to date (IPP 3 Information quality);

  4. An IPP entity must take reasonable steps to protect the personal information it holds from misuse, loss, modification, unauthorised disclosure and unauthorised access (IPP 4 Information security);

  5. An IPP entity must have an appropriate privacy policy in place, including privacy procedures describing how it handles personal information (IPP 5 Openness and transparency);

  6. An IPP entity must have policies and practices in place for dealing with requests by individuals to access and correct their personal information (IPP 6 Access and correction);

  7. An IPP entity must not assign a unique identifier to an individual (such as a patient or client number) unless it is necessary for the entity to perform its functions or activities efficiently (IPP 7 Unique identifiers);

  8. Individuals must have the option of dealing with the IPP entity anonymously unless one of two exceptions is met: the IPP entity is required or authorised by law to deal only with identified individuals, or it is not practicable for the IPP entity to deal with someone who has not identified themselves (IPP 8 Anonymity);

  9. The disclosure of personal information to an overseas recipient is prohibited unless an exception applies, such as it is necessary for the performance of a contract, where the contract is in the interests of an individual or the disclosure is for an individual’s benefit (IPP 9 Disclosure outside Australia);

  10. All IPP entities must be transparent about their use of automated decision making processes that involve personal information (IPP 10 Automated decision making); and

  11. De-identified information must be safeguarded with reasonable security measures (IPP 11 De-identified information).

Notifiable information breaches

IPP entities must notify the WA Information Commissioner and affected individuals of information breaches that are likely to result in serious harm. Meeting this obligation in practice requires a robust, tested data breach response plan.

Privacy Impact Assessments (PIAs)

Before undertaking an activity that may have a significant impact on privacy, an IPP entity (including a medical practice covered by the PRIS) must conduct a privacy impact assessment, which involves identifying the potential privacy risks of the activity and implementing measures to mitigate them.

Actionable steps for medical practices to ensure the privacy obligations are met

To navigate the legislative changes in the POLA and PRIS effectively, medical practices should consider and implement the following four steps:

Step 1: Review and update your medical practice privacy policy

Ensure your medical practice privacy policy reflects the new requirements under the POLA (and the PRIS where relevant), clearly outlining how personal information is collected, used and protected. It should also include details of patients' rights, the procedures for accessing and correcting information, and all other matters the new laws require. This includes disclosing any use of AI or automated decision-making involving personal information in your practice.

If your medical practice has not updated your privacy policy for some time, it is essential that this takes place now.

Step 2: Implement technical and organisational measures

Your medical practice should review its existing cybersecurity measures and consider where they can be improved. For example, if they are not already in place, consider encrypting patient data at rest and in transit, enforcing multi-factor authentication on practice management and email systems, and restricting access to records on a need-to-know basis.

You should also commit to regular staff training on privacy obligations and establish clear protocols for handling personal information. Published breach statistics consistently show that human error and compromised credentials account for a large share of notifiable breaches, so make sure staff are trained to recognise phishing and other risks as they arise.

Step 3: Develop a data breach response plan

Create a detailed plan for responding to data breaches, including procedures for containment, assessment, notification and review. The plan should be built around the statutory timeframes: under the Privacy Act's Notifiable Data Breaches scheme, a practice that suspects an eligible data breach must take reasonable steps to complete its assessment within 30 days, and must notify the OAIC and affected individuals as soon as practicable once it concludes the breach is likely to result in serious harm.

Ensure staff are familiar with this plan and conduct regular drills.

Most organisations will eventually experience some form of data breach, which makes the investment in a tested response process well worthwhile.

Step 4: Conduct privacy impact assessments

Conduct privacy impact assessments (PIAs) to identify and mitigate privacy risks in your existing systems and before introducing new ones. PIAs are mandatory for IPP entities under the PRIS for activities with a significant privacy impact, and good practice for every other practice. Document the findings and implement the recommended safeguards.

Implications for Australian medical practices of these privacy law changes

The POLA and the PRIS Act signify a substantial shift in Australia's approach to privacy, with direct consequences for medical practices both day to day and when a breach occurs.

By proactively updating policies, enhancing security measures, and fostering a culture of privacy awareness, healthcare providers can ensure compliance and maintain the trust of their patients.

Staying informed and prepared is essential in this evolving legal landscape. For personalised advice and support, consider reaching out to legal experts specialising in healthcare privacy law.

Need Expert Advice?

Our team has extensive experience in legal advice for medical practices, including privacy and data issues. To discuss your needs, contact our team here, and we will put you in touch with the best professional for your needs.

Sarah Bartholomeusz