COVID-19 | Hindsight is 20/20: Reviewing telehealth privacy controls post-implementation

In the current COVID-19 pandemic environment, telehealth services have shifted from a ‘nice to have’ to a ‘must have’ for health service providers and patients.  Within a few weeks, health services have seen the rapid implementation of telehealth platforms, including the move to cloud-based services to facilitate remote working arrangements.

Now that these platforms and systems are up and running, health service operators should take some time to review and consider whether the right privacy controls are in place to protect patients’ personal information.

We provide a few points for consideration below to assist:

• Do contracts with suppliers sufficiently address the privacy and security of patients’ personal information?
• What types of information security controls do the suppliers use and are these reasonable taking into account the sensitivity of the personal information involved?
• How is supplier’s performance monitored and are there sufficient contractual safeguards available to hold the supplier to account?
• Do the telehealth services involve a disclosure of personal information to overseas or interstate recipients?
• What safeguards are available to ensure that those overseas or interstate recipients handle the personal information in accordance with the Privacy Act 1988 (Cth)?
• Are there policies, procedures and risk management protocols in place for the management and security of patients’ personal information as they relate to telehealth services, including if a cyber security incident and/or data breach occurs?
• Are patients made reasonably aware of the health service operator’s privacy policy and the inherent risk of transmitting data over the Internet?
• Does the health service operator’s professional indemnity insurance cover telehealth services?
• Should the health service operator consider cyber risk insurance?

It may be helpful for health service operators to conduct a privacy impact assessment in relation to the new platforms and systems being used for telehealth services and remote working arrangements in order to holistically assess and evaluate risks to personal information.

The Office of the Australian Information Commissioner has published following guidance: Assessing privacy risks in changed working environments: Privacy Impact Assessments and 10 steps to undertaking a privacy impact assessment.

Suppliers’ privacy obligations in relation to telehealth platforms

As with health service operators, suppliers have been caught in a flurry of activity due to the accelerated uptake of telehealth platforms.  While having robust information security controls is a crucial factor to ensure the security of individuals’ personal information, suppliers are of course aware that security cannot be completely guaranteed in an online environment.

As health service operators adjust to the use of telehealth platforms as part of their usual business operations, suppliers may use this time to review their existing internal privacy policies and procedures to ensure that they are prepared if the worst does come to pass.

Suppliers may consider the following points:

• Is the contract clear about the parties’ roles in the event of a cyber security incident and/or data breach?
• What obligations, including obligations to notify and assist, does the supplier have to the health service operator in the event of a cyber security incident and/or data breach?
• Are there clear internal escalation procedures if a cyber security incident and/or data breach occurs?
• Who is responsible for managing a cyber security incident and/or data breach internally, and to whom can they delegate?
• Which external advisors should the supplier contact if a cyber security incident and/or data breach occurs?
• Does the supplier’s professional indemnity insurance cover cyber security incidents and data breaches?

If the supplier is now handling a higher volume of sensitive information, then it is a good time to review its information security controls and its data breach response plan to ensure that these are appropriate in the present circumstances.  If the supplier does not already have one in place, it should consider preparing and implementing a data breach response plan.

The Office of the Australian Information Commissioner has published the following guidance: Tips for good privacy practice and Data breach preparation and response.

Gadens is a supporter of Privacy Awareness Week 2020. 

For details of all our COVID-19 tips and updates, visit the Gadens COVID-19 Hub.

Authored by:

Raisa Blanco, Associate