The Review identified a range of views in relation to the effectiveness of penalties, from a lack of awareness of the existence of penalties to misperceptions about the circumstances in which a penalty would be applied. Where providers are aware of the penalties, for some people this has reduced the incentive to participate in e-Health, particularly when taken in conjunction with PCEHR system terms and conditions. There is real anxiety among clinicians (especially in small practices) on the burden of their obligations and risk of inadvertent disclosure. This anxiety largely arises from a lack of understanding of the circumstances in which a penalty would be applied.
DHS have stringent risk mitigation strategies in place in relation to change requests, information requests and support processes to ensure that no inappropriate disclosure occurs in breach of the HI Act. While this concern is understandable the strategies implemented to mitigate risk cause frustration for stakeholders and can extend the timeframes to get changes made to the Service that are critical for end users.
A number of providers commented that many penalties in relation to privacy breaches in the HI Act would be more appropriately applied in relation to the clinical data in the PCEHR system.