An emerging issue lies within the new Quality Indicator surveys. Many organisations are turning to online survey tools, such as Survey Monkey, to make the process less burdensome. However, this approach prompts the question of data handling. Most of these survey tools are operated by US-based companies, which means that the data travels outside of Australia. So, we decided to examine whether this practice is acceptable.
Every quarter, the Department of Health and Aged Care requires residential aged care providers to conduct a Quality of Life and Quality of Care Experience survey with every resident. Paper forms for these surveys are provided, yet there is a conspicuous absence of a digital alternative. Hence, providers are tasked with the digitization of these surveys, which come in three versions: self-complete, proxy-complete, and interviewer-facilitated. Digitizing them is a considerable undertaking, but it can undoubtedly streamline the collection, collation, scoring, and reporting of data. Therefore, we find it crucial to delve into any legal prerequisites that may influence this transition.
The Australian Privacy Principles (APPs), part of the Privacy Act 1988 in Australia, govern standards, rights, and obligations regarding the collection, use, and disclosure of personal information. Out of the 13 total principles, the ones relevant to our discussion are:
APP 6 — Use or Disclosure of Personal Information:
This principle outlines the circumstances in which an organization may use or disclose personal information. Typically, an organization must obtain the individual's consent before disclosing their personal information to an overseas recipient unless an exception applies.
APP 8 — Cross-border Disclosure of Personal Information:
This principle explains the steps an organization is required to take when disclosing personal information to overseas recipients, which include taking reasonable steps to ensure compliance with the APPs.
APP 11 — Security of Personal Information:
An organization must take reasonable steps to protect personal information from misuse, interference, loss, and unauthorized access, modification, or disclosure.
APP 12 — Access to Personal Information:
This principle details an organization's obligations when an individual requests access to their personal information.
A critical aspect of these principles is the definition of "reasonable" steps to ensure patient data is kept safe and secure. The interpretation of "reasonable" is somewhat subjective. However, without prejudice, we feel it's prudent to avoid sending any patient data outside of Australia if there are domestic services that can fulfil the same function.
It's important to recognize that third-party services can access health data submitted through surveys. They generally refrain from doing so, but they have the capability. The U.S. has somewhat similar laws regulating how health data is stored and transmitted, falling under the Health Insurance Portability and Accountability Act (HIPAA). Without delving into the specifics, companies are required to navigate through a series of regulatory hoops to comply. As a result, companies like Survey Monkey may charge a premium for HIPAA compliance. At the very least, if you choose to use such a service, ensure they sign a "Business Associate Agreement" (BAA) stating their compliance with these requirements.
The Australian Digital Health Agency "highly recommends" storing healthcare data in Australia to ensure legal protections are consistently applied and Australian authorities can provide assistance if necessary. View their report here (page 5).
Should you opt to use a service that stores or processes data outside of Australia, you will need to ensure the service complies with the Australian Privacy Principles. This includes protecting the information from misuse, interference, loss, unauthorized access, modification, or disclosure. The challenge lies particularly in guaranteeing against unauthorized access. See a discussion here from the Office of the Australian Information Commissioner.
We recommend conducting your own research and seeking advice before using an overseas service. While we are not lawyers and this is not legal advice, we aim to help you comprehend the issues at hand. On that note, Tell Touch offers a service hosted within Australia. If you'd like to learn more, please feel free to contact us.