The AMA is concerned proposed changes to the Privacy Act will treat GP practices like huge medical insurers with increased administrative, financial and legal burdens, and may “inadvertently inhibit the delivery of health care”.
In a submission to the Attorney General’s department consultation on the government response to the Privacy Act Review Report, the AMA detailed its objection to 32 of the 115 proposed changes to the Act.
When it comes to the security, destruction and retention of personal information, many of the proposed changes to the Act would place an undue burden on small businesses like GP practices, the AMA said.
“In the context of medical practices, particularly small GP and non-GP specialist practices, reasonable steps may be different to the steps that would need to be taken by private health insurers who hold vast amounts of patient data,” they said.
“Reasonable steps should be commensurate with the risk of organisations being exposed to security breaches. Larger ‘honey pots’ are more attractive targets for hackers.”
The AMA said it was supportive of proposals for strong requirements for data governance frameworks that support “the quality, security and privacy of the patient data”.
“However, we anticipate that GPs and non-GP specialists in private practice will need financial and other assistance to meet these requirements,” it said.
The Privacy Act 1988 has been under review since October 2020, following the ACCC’s 2019 Digital Platforms Inquiry report, which made several privacy recommendations. An issues paper followed, and then a discussion paper. The AMA responded to both papers, and three of its recommendations were included in the latest Privacy Act Review report.
Another proposed change to the Act would require third parties to take “reasonable steps” to satisfy themselves that the information was originally collected from the individual.
“A GP should not be required to verify that personal information contained in a report from a non-GP specialist, allied health provider or hospital was originally collected from the individual,” said the AMA.
“There may also be instances where a GP receives information from a third party (such as a pathologist or an instant script provider) but has no direct dealings with that third party.
“Again, it is reasonable for the GP to assume that the original collection was fair and reasonable.”
Proposals of continuing concern to the AMA include one which would require “entities”, including GP practices, to conduct a privacy impact assessment (PIA) for “all activities with high privacy risks”. Currently that is a requirement only for government agencies and is optional for other entities.
“It is not reasonable to expect every doctor who wants to start a new private practice, or a new GP clinic opening in rural area, to conduct a PIA,” said the AMA.
“PIAs are generally conducted for government agencies by in-house privacy teams or specialist privacy lawyers or consultants.
“The changes to the Privacy Act are likely to further increase the cost of (and demand) for PIAs.
“GP clinics (particularly in rural areas) and small specialist practices simply do not have the capacities of government agencies to pay for these types of assessments.
“The burden on the health sector will be even greater if this change is intended to apply to existing practices.”
Other proposals of concern include one which recommends that the government “amend the definition of consent to provide that it must be voluntary, informed, current, specific, and unambiguous”.
The AMA pointed out that doctors would need guidance about what the recommendation requires in practice.
“For example, when a patient visits their GP, do they need to expressly consent to their records being provided to other GPs at the practice (including locums); other specialists (as part of a referral); administrative staff; billing agencies and debt collectors; Medicare; third parties who take over the practice or its records (as part of a sale or closure); the PSR or AHPRA; medical defence organisations and/or legal advisors; the primary health network (as part of research and practice improvement)?
“The AMA wants clarity that ‘current’ does not require that practices send out letters to patients at regular intervals (eg 12 months) to confirm they still consent to their personal information being used and collected.”
Another proposal expressly enshrines the patient’s ability to withdraw consent. The AMA pointed out that patients already have the choice to “opt out” by deleting their My Health Record, changing access controls to it, or telling their doctor not to record certain information, as well as telling their specialist to stop sending updates to the referring GP, or telling their GP they no longer want to be treated.
“However, the patient’s right to withdraw consent should not trump the doctor’s rights to use and disclose the doctor’s existing records,” the AMA said. “These records are generally owned by the practice and are separate to the records held on My Health Record.”
The AMA’s nix list also includes proposals that would:
- require a designated senior employee to be responsible for privacy – “For many practices there will be no senior staff beside the doctors, such that a doctor will need to be formally designated as responsible for privacy. If this doctor is a director then they are already legally responsible for the privacy of the entity but a failure to appoint or designate them as having this responsibility would be a breach and technically an ‘interference with the privacy of an individual’”;
- enshrine the right of a patient to have their records erased – “While patients have a statutory right to control (or erase) their My Health Record, this does not extend to the health practitioner’s own records. Best practice is for medical records to be held for 7 years or, where the patient is under 18, until they are 25. In some States this is also a legislative requirement”; and,
- give the Office of the Australian Information Commissioner the ability to force practices to identify, mitigate and redress any actual or reasonably foreseeable loss or damage suffered by a data breach – this would “continue to put the onus on the organisation (which may be a sole practitioner) to identify any loss or damage that could be suffered because of a breach – something that they would need to outsource,” said the AMA. “We continue to submit it should be the OAIC to identity the reasonable loss and the mitigation steps required, so that doctors know what they are being directed to do. Otherwise, doctors are exposed to ‘double jeopardy’ for the same original breach.”