Healthcare Compliance
Ever wondered if your practice is compliant or not? Do not make Healthcare Compliance any more complex than it already is. Answer these three simple questions to check your Healthcare Compliance.
What is required
We have written several articles on the topic of Healthcare Compliance although none of them specifically list what is required to be a Healthcare compliant organisation. Healthcare compliance can be a complex topic although we have simplified it for you. This article provides you with three simple questions to answer which will provide you with an indication of where you stand. Before we get into the questions, it is important to understand what we are trying to comply with.
Regulation and compliance
The Department of Health administer regulations and compliance for Healthcare providers in Australia. Information from the Department of Health and the various Acts that they audit can be found here. What is relevant to you as an Australian Healthcare provider is the Privacy ACT 1988 when it comes to collecting, storing and transmitting patient data. There are other Healthcare Compliance requirements that are relevant although the Privacy ACT is our main focus here.
The Privacy ACT 1988
The Privacy Act 1988 (Privacy Act) was introduced to promote and protect the privacy of individuals and to regulate how Australian Government agencies and organisations handle personal information. Broadly, the act states “with an annual turnover of more than $3 million. The Privacy Act has specific clauses for healthcare professionals stating the annual turnover rule does not apply to allied health professionals. This is a catch all clause that covers anyone holding any patient data. The Office of the Australian Information Commissioner actually states “Australian privacy law has strict rules about how a health service provider can collect, use and disclose your health information.” The Office of the Australian Information Commissioner is responsible for privacy functions that are conferred by the Privacy Act and other laws. Healthcare Compliance is a role that The Office of the Australian Information Commissioner has the regulatory responsibilities and powers to enforce.
Your Practice vs the Dark Web
Therefore as a healthcare provider, you are holding patient data which is protected by the Privacy Act and enforced by the Office of the Australian Information Commissioner. It is important to note that patient data or “identifiable medical data” is the most valuable data on the dark web. Considerably more valuable than any other type of personal data. This makes your patient data an obvious target.
If you are audited then there are certain things that need to be in place to ensure you have been diligent in protecting the information you hold.
The 3 Questions
Work through the below questions to assess how your practice would fare if it was to be audited. All answers would need to have a yes answer against them for you to survive an audit. If you answer no to any of the questions, there is some guidance on what needs to be done;
1. Does your organisation have a clearly expressed and up to date privacy policy?
The first thing you will be asked is the question above. The Office of the Australian Information Commissioner states “Any organisation or agency the Privacy Act 1988 (Privacy Act) covers must have a privacy policy.”
An organisations privacy policy must provide the following:
- their name and contact details
- what kinds of personal information they collect and store
- how they collect personal information and where it is stored
- the reasons why they need to collect personal information
- how they’ll use and disclose personal information
- how you can access your personal information, or ask for a correction
- how to lodge a complaint if you think your information has mishandled, and how they’ll handle your complaint
- if they are likely to disclose your information outside Australia and, if practical, which countries they are likely to disclose the information to
2. Does your organisation have someone responsible for overall privacy management?
Knowing who in the practice has the expertise and responsibility for meeting privacy requirements helps all staff respond efficiently to any privacy issues and seek prompt guidance when they need it. Someone needs to take responsibility for this role. Typically, this responsibility is given to the practice manager.
If you have a privacy policy in place and have appointed responsibility to someone then you are 2/3 of the way there. One final question to answer.
3. Does your organisation have IT security processes and controls in place to protect personal information?
The Office of the Australian Information Commissioner’s Guide to securing personal information sets out a number of IT security steps that Healthcare Providers need to consider to protect the patient information they hold.
Relevant IT Security Policies to consider are;
-
-
- software security
- encryption
- network security
- whitelisting
- blacklisting
- testing
- backing up
- email security.
-
All of the above bullet points should be covered in IT Policies that you have set out and developed for your practice. We have developed IT policies for many Healthcare Providers over the years and can provide you with any assistance you may require. Once those policies are in place, your systems and applications need to adhere to them.
Answering the above three questions is a simplified method of determining the many requirements of being and staying compliant. Being able to answer yes to all of the above does show you have been diligent in your responsibility as a Healthcare organisation.
If you are unable to truthfully answer yes to all of the three questions, putting in place what is required is not difficult or expensive. All it takes is reaching out to us to assist.