MIGA is conscious of the new burdens these obligations will place on its members. It has had significant involvement in consultations around the scheme. In particular, it successfully opposed the suggestion of all health ‘data breaches’ being notifiable, emphasised the challenges this regime will pose for a diverse health profession and has been contributing to OAIC draft guidance for those affected by the scheme (see below). Our claims solicitors can assist our members and clients in navigating this new regime, particularly in working out whether there has been a notifiable data breach and to work through the process of notifying patients and the OAIC, if required.
Over the first 12 months of the scheme, the OAIC’s primary focus will be on educating those affected by the new scheme, working with them to ensure they understand what is required and are making genuine efforts to comply. After that, it is likely the OAIC will have a stronger focus on ensuring compliance with the scheme. Non-compliance with the obligations could have significant implications. The OAIC can determine that there has been an interference with an individual’s privacy, leading to a complaint to the Privacy Commissioner. In serious or repeated cases, there may be Court proceedings seeking significant financial penalties.
Even though the scheme refers to ‘data’, the obligations are not limited to situations involving electronic health records or other e-health information. They can apply to all situations in which health care providers hold and disclose health and other personal information about their patients, including hard copy health records and contact information. Possible examples of unauthorised access, disclosure or loss which could lead to an obligation to inform patients and the OAIC include:
The first step is to take the necessary measures to contain or fix the breach. The next step is to assess the breach, what it involves and the risk it may pose to affected individuals. At this point, we encourage you to contact MIGA claims solicitors for assistance in working through what, if any, reporting requirements need to be considered... If you believe there has been a notifiable data breach, you must notify the OAIC and affected individuals as soon as practicable. If you only suspect there may have been a notifiable data breach, you have up to 30 days to complete an assessment of whether there has been a notifiable data breach. There is no prescribed assessment procedure. Depending on the circumstances, it may only involve liaising with those involved in your practice and reviewing information. In more complex cases, such as hacking of practice systems, you may need expert involvement. To assess whether individuals are at risk of serious harm, you apply the test of the ‘reasonable person’ in your position, taking into account information you have or can reasonably ascertain, considering:
According to the OAIC, the chance of serious harm increases with the number of individuals affected, and it would be prudent to assume breaches involving a very large number of individuals are likely to result in serious harm to at least one individual.[2]
Even if the breach occurred at the cloud service provider, the health care provider who uses that service to store health and other personal information may still need to inform individuals and the OAIC if the breach reaches the threshold of being notifiable. This reinforces the need to take care when choosing cloud service providers for information storage, particularly regarding how robust their security and privacy protocols are.
Once you have established the need to notify the OAIC and affected individuals:
If you are able to determine which individuals are at risk of serious harm, you have the options of:
The key exceptions to these obligations are:
There is also an exception to the obligation to notify where more than one person or entity holds the information and each has an obligation to notify. In those circumstances, only one is expected to make the notifications on behalf of all – usually the one with the most direct connection with the affected individuals. In the health care context, this would usually be the doctor, other health practitioner or practice.
There are already separate obligations on My Health Record registered health care provider organisations to notify the Australian Digital Health Agency (the ‘System Operator’) and the OAIC of:
Unlike the notifiable data breach scheme, there is no requirement that there be a risk of serious harm to affected individuals, and the ADHA is responsible for notifying affected individuals. This scheme only applies to breaches involving the My Health Record itself. It does not apply to information which may have been taken from it and placed in the patient’s records, and which is then subsequently part of a data breach via other means.
Some data breaches may not be preventable despite the steps taken to avoid them. However, there may be steps you could take to minimise the risk of a data breach occurring, which could include:
MIGA bulletin – Privacy Act amendments – what do they mean? – www.migabulletin.com.au/casestudy/privacy-act-amendments-what-do-they-mean/
OAIC notifiable data breach scheme guidance – www.oaic.gov.au/ndb
OAIC My Health Record mandatory data breach notification guidance – www.oaic.gov.au/agencies-and-organisations/guides/guide-to-mandatory-data-breach-notification-in-the-my-health-record-system
Current at 15 November 2017
[1] OAIC notifiable data breach resources for businesses and agencies – www.oaic.gov.au/ndb
[2] OAIC draft guidance – Identifying eligible data breaches – www.oaic.gov.au/ndb