Start of content

Healthcare provider organisations are required to have a My Health Record Security and Access policy, to meet requirements outlined in the My Health Records Rule 2016 (Rule 42).

This checklist can be used as a guide to drafting or updating this policy for your healthcare organisation. 

Security and Access policy checklist

It is important that healthcare provider organisations have a My Health Record Security and Access policy in place, prior to registering to participate in the My Health Record system. The policy must be communicated to, accessible by, and enforced with, employees and other relevant parties. The policy must also be kept up to date by reviewing it, at least annually, or when any material new or changed risks are identified.

This checklist is a guide only and should be assessed against the needs and risks that may apply to your organisation. Healthcare provider organisations need to ensure the policy includes and addresses the topics outlined in the My Health Records Rule 2016, Rule 42. At a high-level the topics include:

  1. Policy establishment – a My Health Record Security and Access policy is in place prior to registration, maintained on an ongoing basis, and communicated to all staff.
  2. Manner of authorising users, and processes for suspending and deactivating user accounts in specific circumstances.
  3. Provision of training for authorised users before they are permitted to access the My Health Record system.
  4. A process for identifying who is accessing a My Health Record (on each occasion) and communicating this information to the Agency (My Health Record System Operator).
  5. Physical and information security measures, including user account management practices.
  6. Risk management – strategies for identifying, responding to, and reporting My Health Record system-related security risks.
  7. Assisted Registration processes (where applicable). If the healthcare provider organisation provides assisted registration, the policy needs to include the authorisation, training, consent, and identification processes that are followed when providing assisted registration.
  8. Policy implementation and maintenance – annual review of the policy (minimum), version numbers and dates of effect are outlined in the policy, and copies of each version of the policy are retained.

Requirement

Things to check are included in your policy

1. Healthcare provider organisation policies
  • A written My Health Record Security and Access policy is in place prior to the healthcare provider organisation registering to participate in the My Health Record system, and the policy is maintained on an ongoing basis.
  • The policy is communicated and remains accessible to all employees and any healthcare providers to whom the organisation supplies services under contract. For example, a healthcare provider organisation that supplies information technology services to individual healthcare providers, via which those providers access the My Health Record system, must communicate the policy to the providers.
  • The policy is enforced in relation to all employees and any healthcare providers to whom the organisation supplies services under contract.
2. Manner of authorising and process for suspending and deactivating user accounts
  • The policy details the manner of authorising persons accessing the My Health Record system via or on behalf of the healthcare provider organisation.
  • The policy outlines the ways a user account is suspended and/or deactivated in the following circumstances:
    • A user leaves the organisation
    • A user’s security is compromised
    • A user has changed duties and no longer requires access to the My Health Record system.
3. Training for authorised users, before they access the My Health Record system
  • The policy includes a requirement that, before a user is authorised to access the My Health Record system, they receive training covering:
    • Using the system accurately and responsibly
    • Legal obligations of the healthcare provider organisation
    • Legal obligations of individuals using the My Health Record system
    • Consequences of breaching those obligations.
  • The Agency has a recommended training checklist and declaration form that may support your organisation in meeting this legislative requirement.
  • It is recommended that organisations maintain a register of staff training.
4. Process for identifying the individual who accesses a person’s My Health Record (on each occasion)
  • The policy outlines the process for identifying a person who requests access to a healthcare recipient’s My Health Record and communicating the person’s identity to the My Health Record System Operator (Australian Digital Health Agency).
  • Generally, this would occur via the My Health Record national provider portal, or clinical information systems, where:
    • the clinical software is used to assign and record unique internal staff member identification codes, including a Healthcare Provider Identifier-Individual (HPI-I); and
    • the unique identification code, or the provider’s HPI-I, is recorded by the clinical software and automatically provided to the System Operator for each instance of My Health Record system access.

Note: See the legislative obligations for communicating to the System Operator under Section 74 of the My Health Records Act 2012.
5. Physical and Information Security Measures, including user account management processes
  • The policy details the physical and information security measures that are in place to mitigate information security risks and prevent unauthorised access.
  • People accessing the My Health Record system via or on behalf of the healthcare provider organisation understand and adhere to the physical and information security measures.
  • The healthcare provider organisation employs reasonable user account management practices, including:
    • Restricting access to those persons who require access as part of their duties
    • Uniquely identifying individuals using the healthcare provider organisation’s information technology systems
    • Having that unique identity protected by a password or equivalent protection mechanism
    • Ensuring password and/or other access mechanisms are sufficiently secure and robust to mitigate the security and privacy risks associated with unauthorised access to the My Health Record system
    • Disabling the user accounts of persons no longer authorised to access the My Health Record system
    • Suspending a user account as soon as practicable after becoming aware that the account or its password or access mechanism has been compromised.

Note: See the Agency’s cyber security resources for more information. Additional guidance is provided in the Guide to Securing Personal Information and the Guide to Health Privacy on the Office of the Australian Information Commissioner website.
6. Strategies for identifying, responding to, and reporting My Health Record system-related security risks
  • The policy describes the mitigation strategies used by the healthcare provider organisation to ensure My Health Record system-related security risks can be:
    • promptly identified
    • acted upon
    • reported to the healthcare provider organisation’s management.
  • This should include processes for identifying and reporting
    • unauthorised access to the My Health Record system; and
    • any matters that may compromise the security or integrity of the My Health Record system, for example, a security incident, such as ransomware, that has affected a healthcare provider organisation.
  • Organisations should ensure processes are in place to comply with data breach notification obligations outlined in section 75 of the My Health Records Act 2012. Learn more about how to manage a data breach.
  • To assist with monitoring use of the My Health Record system, audit logs should record the user identity, date and time of access, whose My Health Record was accessed and the type of information that was accessed.

7. Assisted Registration (if offered)
  • Where the healthcare provider offers assisted registration, this topic is required within the policy. If the organisation does not offer assisted registration, it is recommended that this is noted in the policy.
  • Assisted registration is where a healthcare provider assists healthcare recipients to register for a My Health Record.
  • The policy needs to outline the methods for:
    • Authorising employees of the organisation to provide assisted registration
    • Providing training before a person is authorised to provide assisted registration
    • Confirming a healthcare recipient’s consent.
    • Identifying a healthcare recipient for the purposes of assisted registration, including the process and criteria that must apply

Note: See the legislative requirements for confirming a healthcare recipient’s consent under rule 9 of the My Health Records (Assisted Registration) Rule 2015.
8. Policy implementation and maintenance
  • The My Health Record Security and Access policy must be reviewed annually (at a minimum) and when any material new or changed risks are identified (such as a change within the system, organisation, or regulation; or factors that might result in unauthorised access, use or disclosure of information in a My Health Record)
  • The policy must include a unique version number and date of effect
  • A copy of each version of the policy must be retained by the organisation.

Note: The Agency or the Office of the Australian Information Commissioner may request a current or previous version of your organisation’s Security and Access policy at any time. The legislation specifies that a healthcare provider organisation must comply with a request to provide a copy of the policy within 7 days of receiving the request.

More information

The Office of the Australian Information Commissioner provides Rule 42 guidance outlining points for healthcare provider organisations to consider when developing their My Health Record Security and Access policy. General guidance is also available to help you protect health information.

The Agency offers information on how to register your organisation to participate in My Health Record system and the steps to follow once you have a Security and Access policy. Links to other Security and Access policy resources are also provided on this page.