What is the Notifiable Data Breaches Scheme for Healthcare?
Understanding the Notifiable Data Breaches Scheme for Australian Healthcare Providers
The Notifiable Data Breaches (NDB) scheme has been in effect in Australia since February 2018, yet many healthcare providers remain uncertain about their obligations when a data breach occurs. Given that healthcare consistently tops the list of sectors reporting data breaches to the Office of the Australian Information Commissioner (OAIC), understanding this scheme is essential for every medical practice, radiology centre, and healthcare organisation.
This article explains what the NDB scheme requires of healthcare providers, how to determine if a breach is notifiable, and what steps to take when a breach occurs.
What is the Notifiable Data Breaches Scheme?
The NDB scheme is Part IIIC of the Privacy Act 1988 and requires entities covered by the Act to notify affected individuals and the OAIC when a data breach is likely to result in serious harm. Businesses are generally covered once their annual turnover exceeds three million dollars, but the small business exemption does not apply to an organisation that provides a health service and holds health information. In practice this means private-sector health service providers, including medical practices, radiology centres, allied health clinics and pharmacies, are covered regardless of turnover, as is any other organisation that holds health information and is subject to the Privacy Act. Two boundaries are worth knowing: state and territory public hospitals and health departments are generally governed by their own state privacy legislation rather than the Commonwealth Act, and breaches involving the My Health Record system are notified under the separate regime in the My Health Records Act 2012 rather than the NDB scheme.
What Constitutes an Eligible Data Breach?
An eligible data breach has three elements. First, personal information held by the organisation is accessed or disclosed without authorisation, or is lost in circumstances where unauthorised access or disclosure is likely. Second, a reasonable person would conclude that the breach is likely to result in serious harm to one or more of the individuals concerned. Third, the organisation has not been able to prevent that likely risk of serious harm through remedial action. The third element matters in practice: if the unintended recipient of a misdirected email confirms they deleted it unread, or a lost laptop with a fully encrypted disk is wiped remotely before anyone could reach the data, the breach may not be eligible and need not be notified, although it should still be recorded in your breach register and reviewed. For healthcare providers, incidents that commonly meet the test include unauthorised access to patient medical records (including staff browsing records they have no clinical need to see), ransomware attacks encrypting patient data, lost or stolen devices containing unencrypted patient information, email misdirection sending patient information to the wrong recipient, and physical theft of paper records containing patient details.
What is Serious Harm?
Determining whether a breach is likely to cause serious harm requires consideration of the factors set out in the Act: the kind of information involved and its sensitivity (health information is sensitive information under the Privacy Act), whether the information is protected by security measures such as encryption and how likely it is that those measures could be overcome, who has or could obtain the information, the nature of the harm that could result, and the circumstances of the breach. Serious harm is assessed from the individual's point of view and includes physical, psychological, emotional, financial and reputational harm, not just financial loss. Two caveats apply to the encryption factor: encryption only reduces the likelihood of harm if it is strong and the keys were not also exposed, so a stolen laptop whose disk password was written on a sticky note attached to it does not benefit from the argument, and a ransomware incident should not be dismissed as "just encryption" unless you can show the attacker did not also read or copy the data. Because health information can enable identity theft, discrimination and significant distress, OAIC guidance treats a breach of it as more likely to reach the serious harm threshold than a breach of ordinary contact details.
Notification Requirements
The scheme sets two separate clocks. If you suspect an eligible data breach but do not yet have reasonable grounds to believe one has occurred, you must carry out a reasonable and expeditious assessment and complete it within 30 calendar days of becoming aware of the grounds for suspicion. Once you have reasonable grounds to believe an eligible data breach has occurred, you must prepare a statement and give it to the OAIC as soon as practicable (the OAIC provides an online notification form for this), and then take reasonable steps to notify affected individuals as soon as practicable. The 30 days is a ceiling on the assessment, not a target for notification; where the facts are clear early, delaying notification is not justified. The statement must include your organisation's identity and contact details, a description of the breach, the kinds of information concerned, and recommended steps individuals can take to protect themselves. Individuals can be notified in one of three ways: notify everyone whose information was involved, notify only those at likely risk of serious harm, or, if neither is practicable, publish the statement on your website and take reasonable steps to publicise it.
Steps to Take When a Breach Occurs
Healthcare providers should follow a structured response process, ideally one written down in a data breach response plan before an incident happens. First, contain the breach by stopping any ongoing unauthorised access and securing affected systems; when doing so, preserve evidence (logs, disk images, the original misdirected email) rather than wiping or rebuilding machines immediately, because the next step depends on being able to establish who accessed what. Second, assess the breach to determine what information was involved, how many individuals are affected, and whether serious harm is likely, and record the reasoning in writing even if you conclude the breach is not eligible, since you may need to justify that conclusion later. Third, notify if required by submitting the statement to the OAIC and notifying affected individuals. Fourth, review and improve your security measures to prevent similar breaches in future.
Prevention is Better Than Cure
The best approach to the NDB scheme is to implement robust security measures that prevent breaches from occurring in the first place and make the ones that do occur easier to assess. This includes full-disk encryption of laptops and mobile devices and encryption of patient data at rest and in transit, with keys managed separately from the data; strong access controls, multi-factor authentication and role-based access to clinical systems; access logging retained long enough that you can answer "who viewed this record and when" during an assessment; regular security training for staff, particularly on misdirected email and phishing; incident response planning and testing; and ongoing security monitoring and vulnerability management.
Trucell helps healthcare providers implement comprehensive security measures that protect patient data and reduce breach risk. Our managed security services include 24/7 monitoring, endpoint protection, and incident response support.