Demand for patient and practice management solutions is on the rise, and cloud-enabled technology is making it easier for applications to be developed. As a result, a number of new local and overseas practice management solutions are entering the market. As a participant in and supporter of health-tech innovation, I can say this is an exciting time; however, there are some risks which health providers may not be aware of.
Considerations when choosing a practice management solution
When looking for a cloud patient and practice management solution (PMS) there are obvious considerations, such as:
- Where the company is based; and
- Which country they cater for, as healthcare needs are different in every country.
But have you considered where your data is stored?
Data hosted in Australia vs United States
If your cloud PMS vendor hosts their data in the United States, your data falls under the jurisdiction of The Patriot Act 2001 (“The Patriot Act”). First passed in 2001 as a reaction to the terrorism threat, The Patriot Act expands the United States Government’s warrantless surveillance power to:
- Look at records on an individual’s activity being held by third parties;
- Search private property without notice to the owner;
- Collect foreign intelligence information; and, among many other things,
- Collect information about the origin and destination of communication
Therefore, the risk of using a PMS hosted in the US is that you are allowing the US Government full access to your patient information. Potentially worse, if the government deems your cloud PMS or any of its customers to be involved in terrorism-related activities, it has the right to “search and seize” the data and/or infrastructure.
The Safe Harbor Privacy Principles
You may see some cloud PMSs who host their data in the United States stating that they or their hosts participate in the Safe Harbor Privacy Principles (“Safe Harbor”). As a bit of background, Safe Harbor was brought into existence as a reaction from the public to The Patriot Act. It’s a self-certified, opt-in set of principles designed to prevent accidental information disclosure or loss. There is no external governance in place for those who self-certify, which means anyone can claim to be Safe Harbor compliant. Safe Harbor only covers personal information captured from the EU/EEA and Switzerland, and therefore does not protect data captured from within Australia.
Your data is safer in Australia
There are no explicit laws stating that cloud PMS vendors are required to host their data in Australia when Australian health practitioners are using their software. It’s at the discretion of the cloud PMS vendor. The easiest way to ensure that your data and sensitive patient information is safe from warrantless surveillance and potential seizure is to ensure your cloud PMS hosts their data within Australia.
If your cloud PMS hosts their data outside of Australia, then questions may arise concerning the jurisdiction over the information and the PMS provider’s obligations to meet the Australian Privacy Act 1988 (“Privacy Act”). For now, The Patriot Act doesn’t have any jurisdiction over data hosted in Australia.
The good news is coreplus host all their data and backups in Australia, and we make efforts to ensure that no sensitive information makes its way outside Australia. We comply with the Australian Privacy Act and hold a number of security accreditations.
When deciding which cloud PMS to choose, it would be wise to ask where their data and backups are located. If you are already using a cloud PMS which doesn’t host in Australia, it’s not too late to switch over to one that does.