Dignity and respect also includes making sure a consumer’s privacy is respected. This has broad implications including communication, behaviour and interactions of the workforce as well as data and information handling in organisations. This article will focus on data security, identify common gaps and offer some tips to support compliance with Quality Standards and The Privacy Act.
Organisations have access to a range of personal information about a consumer. This includes health information often regarded as one of the most sensitive types of personal information. It is essential that organisations respect a consumer’s right to privacy, in how they collect, use and communicate personal information. The most critical processes and procedures for health service providers are those that grant and maintain access to health information. This includes access to buildings, medical records, computers and other electronic devices, Care Management Systems and the largest, most sensitive database, Medicare’s Aged Care Online Claiming Website.
There are many factors to consider around health information and each one includes a potential liability, a duty for the organisation and a need for understanding. For example:-
- What information can or should be shared with family?
- Which family members?
- How can we restrict physical access to sensitive areas without impeding the delivery of care?
- Whose role and responsibility is it to implement audit trails for internal systems and remove access when it’s no longer required?
- How can we detect improper use or disclosure?
These questions, and many more, must be addressed through organisational policies and procedures, particularly on-boarding and employee exit procedures. Stringent processes around granting and removing access will help ensure a provider can meet the requirement which is to keep a record of each individual user’s access to health information. This includes A-numbers, the unique identifier granting access to Medicare Aged Care Online Claiming (ACOC).
Consumer privacy, security of personal information and data sovereignty are taken very seriously by the government and are enforced through Quality Standards and The Privacy Act. Maintaining audit logs and restricting user access is an important responsibility of healthcare providers. This includes ensuring that third-party contractors with access to sensitive information also adhere to personal information and data sovereignty laws. Even if all your organisation’s internal systems comply, if you subscribe to external services that allow your client data to be held off-shore, you are liable for the breech.
A frequently overlooked issue is removing access for former employees. For internal systems, auditing active users and disabling accounts is a relatively straight-forward process, but a definitive list of all individuals with access to ACOC must come directly from Medicare, which means it can get missed. Requesting a list is easy, just email the email@example.com with each of the facilities’ RACIDs in the organisation. If this is not a regular part of your organisation’s data security practices, you may be surprised to see who is on the list. Medicare will not proactively remove access based on your staff movements, even if the initial application defined an end date, you must inform them every time a change is made. Maintaining an accurate list of individual users and restricting access is essential to be compliant with Quality Standards and The Privacy Act.
Mirus Australia follows best practice policy and procedures and partners with best of breed suppliers who maintain the same rigorous approach to IT security and data privacy. Please reach out if you would like to learn more about the new Quality Standards and Australian Privacy Principles. There are many ways in which we can help increase your visibility of these issues and ensure your organisation is compliant. Consider downloading The Customer is Front + Centre resource.
Tyler (Ty) Fisher is a data nerd and proud of it. Actually, Ty is way more than a data nerd as he leads the Business Intelligence team at Mirus Australia providing expert business revenue and management process advice.