Summary of the OAIC's assessment of Healthscope Group's information security controls to protect Individual Healthcare Identifiers (IHIs)

1.1 The Office of the Australian Information Commissioner (OAIC) has a range of functions and powers that protect the privacy of individuals by ensuring the proper handling of personal information. These functions and powers are conferred by the Privacy Act 1988 and by other legislation containing privacy protection provisions.

1.2 This report outlines the findings of a privacy assessment undertaken by the OAIC in September 2017. The assessment considered Healthscope Group’s[1] (Healthscope’s) information security controls to protect Individual Healthcare Identifiers (IHIs).

1.3 The assessment was conducted under s 33C(1)(a) of the Privacy Act, which allows the OAIC to assess whether personal information held by an APP entity is being maintained and handled in accordance with the Australian Privacy Principles (APPs).

Background

1.4 The OAIC has a Memorandum of Understanding (MOU) with the Australian Digital Health Agency (ADHA). Under this MOU, the OAIC was required to conduct at least two assessments during the period 1 July 2016 to 30 June 2017, with one assessment in relation to Healthcare Identifiers.

Objective and scope

1.5 The objective of this assessment was to establish whether Healthscope is taking reasonable steps to:

• secure IHIs and the associated personal information collected and held in its systems and databases in accordance with APP 11, and
• protect the IHIs it holds in accordance with the requirements prescribed by the Healthcare Identifiers Act 2010 (HI Act)  and Healthcare Identifiers Regulations.

1.6 For the purposes of this assessment, the OAIC confined Healthscope’s handling of IHIs to the processes for uploading admission and discharge summaries.

Timing, location and methodology

1.7 The assessment was conducted in September 2017. The OAIC examined Healthscope’s policies, procedures and practices for accessing, securing, and managing risks relating to the My Health Record system. In addition to Healthscope’s broad obligations to protect personal information and IHI under the Privacy Act and HI Act respectively, the OAIC also considered specific obligations under the My Health Records Act 2012 and My Health Records Rule 2016.

1.8 The assessment included visits to Healthscope’s head office and Nepean Private Hospital. The OAIC conducted interviews with relevant Healthscope staff.

1.9 The assessment was risk based. The focus was on identifying privacy risks to the effective handling of personal information in accordance with APP 11.

1.10 The OAIC made recommendations for Healthscope to address ‘medium’ and ‘high’ privacy risks in accordance with the privacy risk guidance at Appendix A of Chapter 7 the OAIC’s Guide to Privacy Regulatory Action.

Summary of findings

1.11 The assessment found that Healthscope:

• was developing staff awareness of information security risks and had implemented measures to mitigate these risks; however, there was significant work to be done in this area
• did not have a centralised approach to privacy governance
• did not provide staff with adequate privacy training
• needed to improve certain ICT and access security controls to address privacy risks
• did not have an access security policy as required by the My Health Records Rule, and
• had limited awareness of data breach reporting requirements under s 75 of the My Health Records Act.

1.12 The OAIC made four recommendations in this assessment report to address these privacy risks.

1.13 Healthscope accepted the four recommendations. In the time since the assessment was conducted, Healthscope has taken steps to implement the recommendations, and is continuing to implement the recommendations.

1.14 The OAIC will continue to monitor the implementation of the recommendations by Healthscope.