Oct 21, 2019
What is a privacy breach and what do I need to do when a breach has been identified?
A breach is a loss of, unauthorised access to, or disclosure of, personal information.
For example, the reception area is an open space that tends to be the hub of activity in a clinic. It is typically a shared workspace that your nurses, doctors and administration personnel also need to access. The sharing of information between staff in this space exposes clinics to potential privacy breaches.
Areas of concern at reception include the following:
Phone calls (incoming and outgoing)
· Processes need to be in place to minimise the risk of identifiable personal information being overheard by patients, visitors and contractors, in and around the reception and common areas.
· Staff need to be aware of the risk and have the training and skills to mitigate a potential privacy breach.
Staff, visitors and patients
· Clinical team members need to hand over patient care in a private setting, ideally not at reception or common areas where other patients are sitting.
· Visitors and contractors should be following your Health & Safety guidelines and be mindful of the nature of your environment.
Email communications
· Guidelines need to be in place around sending/receiving patient information, e.g. verifying recipient email addresses, purpose for request etc.
· Staff awareness should be raised of 'phishing' attacks, where attackers create a fictitious email address designed to resemble a legitimate one.
· When sending an email, the recipient's address needs to be verified as correct and current to ensure confidential information is not accidentally released.
Incoming Faxes
· Is your fax machine only accessible by members of your staff? If not, what is in place to manage incoming faxes? (Consider after-hours cleaners, unattended work areas etc.)
· What is your process for handling incoming faxes to maintain patient privacy?
Consultation Notes
· Computers in consult/treatment rooms need to be logged off by the provider when patients are left unattended. Screen savers should be set to come on if the PC is not being used for a set time period.
X-ray and laboratory reports
· Radiology and laboratory results coming into reception for review need to be kept in an area accessible by staff only and in one location for clinical staff to monitor and follow up as appropriate.
Privacy is challenging in a busy, front-of-house reception. Your reception staff are key to ensuring privacy.
If a breach occurs, the following four steps are a guide to the action needed to identify and manage the affected person's (or persons') personal information.
STEP 1 - Containment
Contain the breach
Appoint one person to oversee
Decide if a team is needed to investigate
If criminal activity is suspected, call the Police
Retain any relevant evidence
STEP 2 - Evaluation
Identify the information involved and the specific content details
Determine if the information needs to be secured or encrypted
Is the cause able to be identified?
Systematic problem or an isolated incident?
Evaluate the size of the breach
Would the breach result in harm? (e.g. identity theft, financial loss, loss of dignity)
Who potentially has this information?
STEP 3 - Notification
Identify any risk or harm to the people affected
If law enforcement authorities are involved, check when to notify affected people
Directly notify individuals by phone, letter, email or in person
Consider any third-party contractors or parties that should be informed.
Any serious breach must be reported to the Privacy Commissioner
STEP 4 - Protection
Audit both physical and technical security
Review policies and procedures
Review staff training
Review any service partners caught up in the breach.
Contact: Office of the Privacy Commissioner, 09 3028680
In my role, I am available to assist in reviewing your reception procedures and making recommendations to ensure your key staff have the necessary skills to achieve optimum patient privacy.
Book online using the following link if you would like to discuss further. I welcome any queries and look forward to speaking with you.