All healthcare providers in Australia have professional and legal obligations to protect their patients' health information.
Establishing and maintaining information security practices is an essential professional and legal requirement when using digital health systems in the delivery of healthcare services.
The Privacy Act 1998 (the Privacy Act) outlines the privacy responsibilities that most healthcare providers have to comply with in managing health and personal information. The key requirements are contained in the Australian Privacy Principles (APPs).
The Privacy Act applies to all healthcare providers in the private sector throughout Australia. It does not apply to state and territory public sector healthcare providers.
In most parts of Australia, state and territory legislation applies to public healthcare providers. In some states and territories, this legislation also applies to healthcare providers in the private sector, in addition to the Privacy Act. Visit the other privacy jurisdictions page on the Office of the Australian Information Commissioner (OAIC) website, for more information.
Additional information about healthcare provider obligations is available on the health service provider page of the OAIC website.
Healthcare Identifier and My Health Record system security obligations
Use of Healthcare Identifiers, and access to the My Health Record system, are governed by the Healthcare Identifiers Act 2010 (HI Act) and the My Health Records Act 2012, the My Health Records Rule 2016, and the My Health Records Regulation 2012.
The HI Act requires that an organisation take reasonable steps to protect healthcare identifiers from misuse and loss, and unauthorised access, modification or disclosure.
The My Health Records Rule sets out the security requirements that participating organisations must comply with to be eligible to be registered and to remain registered under the My Health Record system. Non-compliance with the My Health Records Rule can result in cancellation of participation and other penalties.
Implementing security practices and policies
Your organisation must document and implement internal practices and procedures that it uses to protect personal information when using digital health systems to deliver healthcare. In addition, healthcare organisations that access digital health records need to meet the requirements under the My Health Records Rule.
This link is for a checklist that is based on the requirements outlined in the My Health Records Rule 2016. It can be used as a guide to implementing security practices and policies in your organisation.
You can also access a range of information security guidance materials from:
- Australian Digital Health Agency – Digital Health Cyber Security Centre resources
- Australian Signals Directorate – cyber security mitigation advice
- Office of the Australian Information Commissioner – guide to securing personal information
- Royal Australian College of General Practitioners – Information Security in General Practice guide
- Stay Smart Online – sign up to receive regular updates on information security and latest threats
- ScamWatch – subscribe to receive scam alert emails.