Gone with the Wind – Ensuring medical record security

Two recent reports in the media which caught my attention highlight the importance of ensuring the security of medical records. 

1. Medical records of at least a dozen patients were found blowing around a local park. The records had reportedly been stolen from a local general practice which was relocating premises.

2. A patient was contacted by a stranger who informed him that he had found a copy of the patient’s hospital records on a street near the hospital. A hospital investigation revealed that the records had been copied by an intern as part of his end of term assessment, and inadvertently lost.

MDA National commonly hears about:

• theft or loss of computers, mobile phones and removable storage devices which contain medical records, especially  where there is no password protection
• theft of medical records from a car, where the records were being used for home visits
• inadequate storage or disposal of paper-based records.

The Office of the Australian Information Commissioner (OAIC) has a range of enforcement powers for privacy breaches

Aside from the impact on patients, and the reputational damage for organisations, these types of privacy breaches can be investigated and prosecuted by the OAIC. Potential penalties include:

• payment of financial compensation, or an apology
• penalty orders of up to $340,000 for individuals and up to $1.7 million for companies.

There are government plans to introduce a mandatory data breach notification scheme

Although legislation has not yet been passed, the OAIC recommends that all medical practices and organisations have a response plan that includes notifying affected patients and the OAIC, especially if there is a risk of serious harm as a result of the data breach.

Four key steps to consider when responding to a breach:

1. Contain the breach and do a preliminary assessment
2. Evaluate the risks associated with the breach
3. Notification
4. Prevent future breaches.

This blog contains general information only. We recommend you contact your medical defence organisation or insurer when you require specific advice in relation to medico-legal matters.