1 My Health Record System security policy

- The organisation has a My Health Record system security policy
- The policy is communicated to all staff and is readily accessible to all staff and to any healthcare providers to whom the organisation supplies services under contract
- The policy is enforced in relation to all staff
- The policy is regularly reviewed, at least annually, to ensure relevance and accuracy, particularly where any new material or changed risks are identified and where changes in legislation or in the structure of the organisation occur
- Each version of the policy contains a unique version number and includes the date that it came into effect
- A copy of the policy can be provided to the Australian Digital Health Agency (System Operator) within seven days of a request
- The policy sets out:
2 Managing User Accounts

- An up-to-date register is maintained, including the names and positions of staff who are authorised to access the My Health Record system
- Healthcare provider software controls ensure access to the My Health Record system is limited to those staff whose duties require them to access the system
- Each staff member is provided with a unique user account with individual login details
- Staff passwords are regularly reviewed, changed and sufficiently complex, i.e. a combination of more than 13 letters, numbers and symbols
- Users are required to deactivate screensavers by entering their user name and password, or by an access process such as swiping a barcode or access card
- A user account is immediately suspended or deactivated when a user leaves the organisation, has the security of their account compromised, or no longer has duties that require access to the My Health Record system
- A user account is inactivated/deleted after the departure of the staff member as part of the organisation's off-boarding process
- Where My Health Record system Provider Portal access is required, the organisation maintains an up-to-date list of authorised providers and communicates this to the Australian Digital Health Agency (the System Operator)
3 Identification of Staff

- Clinical software is used to assign and record unique internal staff member identification codes, including a Healthcare Provider Identifier-Individual (HPI-I) where applicable
- The unique identification code, or the provider's HPI-I, is recorded by the clinical software for each instance of My Health Record system access
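As an added illustration (not part of this checklist or of any Agency-provided tooling), the following Python sketch shows how the user-account controls in section 2 and the per-access identification control in section 3 could be audited against an access log. The register fields, log layout, account names and identifier strings are constructed assumptions; the password rule is the one stated above.

```python
"""Constructed audit check for the user-account and staff-identification controls."""
import re
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class StaffRecord:
    account: str              # unique user account (assumed register field)
    position: str
    authorised: bool          # on the register of staff permitted to access the system
    departed: Optional[date]  # off-boarding date, if the staff member has left

def password_meets_policy(pw: str) -> bool:
    """Checklist rule: more than 13 characters combining letters, numbers and symbols."""
    return (len(pw) > 13
            and re.search(r"[A-Za-z]", pw) is not None
            and re.search(r"[0-9]", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)

def audit_access_log(register, log):
    """Return (account, reason) findings for log entries that breach a listed control."""
    by_account = {s.account: s for s in register}
    findings = []
    for entry in log:
        acct, when, ident = entry["account"], entry["date"], entry["identifier"]
        staff = by_account.get(acct)
        if staff is None:
            findings.append((acct, "account not on the authorised-staff register"))
        elif not staff.authorised:
            findings.append((acct, "duties do not require My Health Record access"))
        elif staff.departed is not None and when >= staff.departed:
            findings.append((acct, "access after departure; account should be deactivated"))
        if not ident:  # every access must record an internal code or HPI-I
            findings.append((acct, "no staff identification code or HPI-I recorded"))
    return findings

# Constructed sample data; identifier strings are placeholders, not real HPI-I values.
REGISTER = [
    StaffRecord("jdoe", "GP", True, None),
    StaffRecord("asmith", "Receptionist", False, None),
    StaffRecord("bwong", "Nurse", True, date(2024, 3, 1)),
]
ACCESS_LOG = [
    {"account": "jdoe",   "date": date(2024, 3, 5), "identifier": "HPI-I-PLACEHOLDER"},
    {"account": "asmith", "date": date(2024, 3, 5), "identifier": "INT-0042"},
    {"account": "bwong",  "date": date(2024, 3, 5), "identifier": "HPI-I-PLACEHOLDER"},
    {"account": "ghost",  "date": date(2024, 3, 6), "identifier": ""},
]

if __name__ == "__main__":
    for account, reason in audit_access_log(REGISTER, ACCESS_LOG):
        print(f"{account}: {reason}")
```

Run against the sample data it reports the unauthorised receptionist, the departed nurse, and the unregistered account that also logged no identifier.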
4 Staff Training

- All staff requiring My Health Record system access undergo training before accessing the system. See Recommended Training Checklist and Declaration.
- Training is provided and outlines how to use the My Health Record system accurately and responsibly, the legal obligations of the organisation and of individuals using the system, and the consequences of breaching these obligations
- Training is provided to staff on a regular and ongoing basis
- A register of staff who have attended training is maintained
5 Handling of Privacy Breaches and Complaints

- The organisation has a reporting procedure to allow staff to inform management regarding any suspected security or privacy issues or breaches of the My Health Record system
- An incident register/log is kept of any suspected breaches, including the date and time of the breach, the user account involved and which patient's information was accessed, if known (see more data breach information)
- A process is in place for the Responsible Officer (RO) or Organisation Maintenance Officer (OMO) to report a breach to the System Operator (the Australian Digital Health Agency)
- If a patient raises an issue in relation to unauthorised access to their My Health Record, the organisation has a complaints management process to take steps to investigate the issue
6 Risk Assessments

- The organisation undertakes periodic privacy and security risk assessments of staff use of the My Health Record system and of the organisation's ICT systems generally, and implements improvements as required
- All risk assessments are documented appropriately