Health data safety


In the first part of this two-part series, APA Digital Technology Advisor Barry Nguyen highlights what your obligations are when it comes to keeping patient information secure.

Over the years, there has been an increase in requests from health providers, patients and third parties for health information to be sent electronically. To maintain the trust of the patient, it is crucial that the physiotherapist ensures that each transmission of that information is secure.

Protecting patient information

Historically, the focus of privacy and security has been on patient health records. More recently, with the introduction of messaging, clinical apps, wearables and home monitoring, a broader focus on privacy and security has emerged.

Protecting patient personal information is an ethical and professional obligation. It is part of building and maintaining trust between the health professional and the patient. With the increasing prevalence of cybercrime, physiotherapists need to be aware of the emerging solutions available to reduce the risk of data breaches. Data breaches can be catastrophic for a practice, and can also significantly compromise the safety and quality of your patient's care.

On 11 April 2018, the Office of the Australian Information Commissioner (OAIC) released its first quarterly report of Notifiable Data Breaches. During this quarter, eligible data breaches reported to the OAIC by health service providers represented 24 per cent of reports, and the health sector ranked first in terms of the number of reports (Note: a health service provider includes any organisation that provides a health service and holds health information).

As physiotherapists and clinic managers, it is important to be aware of the Privacy Amendment (Notifiable Data Breaches) Act 2017 (introduced as a Bill in 2016), which makes notification of eligible data breaches to the OAIC, and to the affected individuals, mandatory. In addition, you will need to be aware of the legislation associated with the Privacy Act and the relevant state Information Privacy Act, which set out standards that must be met in regard to the collection, use, disclosure and storage of personal information.

For more information visit

Legal considerations

As the OAIC explains of the Privacy Act 1988, 'health information is regarded as one of the most sensitive types of personal information. For this reason, the Privacy Act provides extra protections around its handling. For example, an organisation generally needs an individual's consent before they can collect their health information. In addition, all organisations that provide a health service and hold health information (other than in an employee record) are covered by the Privacy Act, whether or not they are a small business.'

The Privacy Act currently does not prescribe how a healthcare organisation should communicate health information to patients or third parties.

In addition, the OAIC's Guide to securing personal information advises that:

  • encryption should be treated as a minimum standard in all cases
  • practices need to 'develop procedures to manage the transmission of personal information via email', recognising that email is not a secure form of communication
  • the type of information due to be sent needs to be considered to decide whether it is appropriate to send via unsecured email or whether it needs to be secured, for example as a password-protected attachment (with the password shared by a separate channel, such as by phone or in person, never in the same email)
  • breaching the Privacy Act can result in an investigation by the Information Commissioner and in legal recourse.
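The third point above, securing a file with a password before it is attached to an email, is the one practices most often need in everyday work, so here is a worked example. It is an added example for this article, not OAIC or APA material, and it assumes the openssl command-line tool (version 1.1.1 or later) is installed; the function names, file names and sample report text are constructed for illustration. The attachment is encrypted with AES-256-CBC under a key derived from the password with PBKDF2, so that an intercepted or misdirected email exposes only an unreadable file.

```shell
#!/bin/sh
# Added example (not from the APA article): password-protect a report before
# attaching it to an email, using the openssl CLI (assumed installed, 1.1.1+).
# Function names, file names and sample text below are constructed.
set -eu

# encrypt_report PLAIN OUT PASSWORD
# AES-256-CBC with a random salt. PBKDF2 with 600,000 iterations stretches the
# password so a leaked attachment cannot be cheaply brute-forced. The password
# is handed to openssl through an environment variable rather than on the
# command line, so it is not visible in the process list (ps) while it runs.
encrypt_report() {
  REPORT_PASS="$3" openssl enc -aes-256-cbc -salt -pbkdf2 -iter 600000 \
    -in "$1" -out "$2" -pass env:REPORT_PASS
}

# decrypt_report ENC OUT PASSWORD   (what the recipient runs)
decrypt_report() {
  REPORT_PASS="$3" openssl enc -d -aes-256-cbc -pbkdf2 -iter 600000 \
    -in "$1" -out "$2" -pass env:REPORT_PASS
}

# roundtrip_ok PLAIN PASSWORD
# Returns 0 when the file encrypts and then decrypts back to identical bytes,
# non-zero otherwise. A quick self-check before the attachment is sent.
roundtrip_ok() {
  work=$(mktemp -d)
  encrypt_report "$1" "$work/report.enc" "$2"
  decrypt_report "$work/report.enc" "$work/report.dec" "$2"
  if cmp -s "$1" "$work/report.dec"; then status=0; else status=1; fi
  rm -rf "$work"
  return "$status"
}

# Usage: sh encrypt_report.sh --demo
if [ "${1:-}" = "--demo" ]; then
  demo=$(mktemp -d)
  printf 'Patient: Example Only (constructed)\nAssessment: sample text\n' \
    > "$demo/report.txt"
  encrypt_report "$demo/report.txt" "$demo/report.txt.enc" 'share-this-by-phone'
  echo "Encrypted to $demo/report.txt.enc. Send the password by a separate channel."
fi
```

Two caveats apply. The password has to reach the patient by a different route from the email itself (a phone call, an SMS, or a note handed over in the clinic), otherwise anyone who can read the email can open the attachment. And encrypting the attachment protects only the file: the subject line, the body of the email and the fact that this patient corresponded with this clinic remain visible in transit, so keep identifying detail out of them.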

Meeting client expectations

It is common in clinical practice for patients to request unencrypted emails and texts from their physiotherapist: for example, answers to clinical and administrative questions, medical reports, specific health advice, home exercise programs, self-management videos and relevant web links.

Understandably, physiotherapists and patients are more likely to use the email services they are accustomed to daily than to take up more sophisticated secure communication solutions that they may not be aware of, or that are costly and cumbersome to use.

Physiotherapists need to be aware that a safe and confidential online space requires technical security. Digital encryption is the cyber equivalent of a private room with closed walls: it is as foundational to a safe and confidential online environment between physiotherapist and patient as the closed door is to the physical one.

Email with any comments or queries regarding this article.


© Copyright 2018 by Australian Physiotherapy Association. All rights reserved.