Healthcare provider organisations are required to have a My Health Record Security and Access policy in order to meet the requirements set out in Rule 42 of the My Health Records Rule 2016.
This checklist can be used as a guide to drafting or updating this policy for your healthcare organisation.
Security and Access policy checklist
It is important that healthcare provider organisations have a My Health Record Security and Access policy in place before registering to participate in the My Health Record system. The policy must be communicated to employees and other relevant parties, be accessible to them, and be enforced. The policy must also be kept up to date: it must be reviewed at least annually, and whenever any material new or changed risks are identified.
This checklist is a guide only and should be assessed against the needs and risks that apply to your organisation. Healthcare provider organisations need to ensure the policy includes and addresses the topics outlined in Rule 42 of the My Health Records Rule 2016. At a high level, the topics are:
- Policy establishment – a My Health Record Security and Access policy is in place prior to registration, maintained on an ongoing basis, and communicated to all staff.
- Manner of authorising users, and the processes for suspending and deactivating user accounts in specific circumstances.
- Provision of training for authorised users before they are permitted to access the My Health Record system.
- A process for identifying who is accessing a My Health Record (on each occasion) and communicating this information to the Agency (My Health Record System Operator).
- Physical and information security measures, including user account management practices.
- Risk management – strategies for identifying, responding to, and reporting My Health Record system-related security risks.
- Assisted Registration processes (where applicable). If the healthcare provider organisation provides assisted registration, the policy needs to include the authorisation, training, consent, and identification processes that are followed when providing assisted registration.
- Policy implementation and maintenance – the policy is reviewed at least annually, each version carries a version number and date of effect, and a copy of each version of the policy is retained.
| Requirement | Things to check are included in your policy |
|---|---|
| 1. Policy establishment – a Security and Access policy is in place prior to registration, maintained on an ongoing basis, and communicated to all staff | |
| 2. Manner of authorising users, and process for suspending and deactivating user accounts | |
| 3. Training for authorised users, before they access the My Health Record system | |
| 4. Process for identifying the individual who accesses a person's My Health Record (on each occasion). Note: See the legislative obligations for communicating to the System Operator under Section 74 of the My Health Records Act 2012. | |
| 5. Physical and information security measures, including user account management processes. Note: See the Agency's cyber security resources for more information. Additional guidance is provided in the Guide to Securing Personal Information and the Guide to Health Privacy on the Office of the Australian Information Commissioner website. | |
| 6. Strategies for identifying, responding to, and reporting My Health Record system-related security risks | |
| 7. Assisted Registration processes (where applicable). Note: See the legislative requirements for confirming a healthcare recipient's consent under rule 9 of the My Health Records (Assisted Registration) Rule 2015. | |
| 8. Policy implementation and maintenance. Note: The Agency or the Office of the Australian Information Commissioner may request a current or previous version of your organisation's Security and Access policy at any time. The legislation specifies that a healthcare provider organisation must comply with a request to provide a copy of the policy within 7 days of receiving the request. | |
More information
The Office of the Australian Information Commissioner provides Rule 42 guidance outlining the points healthcare provider organisations should consider when developing their My Health Record Security and Access policy. General guidance on protecting health information is also available.
The Agency offers information on how to register your organisation to participate in the My Health Record system and on the steps to follow once you have a Security and Access policy in place. Links to other Security and Access policy resources are also provided on this page.