My Health Record participation obligations
Healthcare organisations participating in My Health Record must operate in accordance with relevant legislation and comply with a number of obligations.
These obligations fall into two broad categories:
Establishing a security and access policy – organisations must establish, review, update, maintain, enforce and promote policies that ensure My Health Record is used safely and responsibly.
Complying with ongoing participation obligations – once registered with My Health Record, your organisation is required to comply with a range of ongoing participation obligations.
Establish a My Health Record security and access policy
Prior to registering to participate in the system, your organisation will need to develop a security and access policy. You will be required to attest, at the time of registering with My Health Record, that the policy is in place.
What is a security and access policy?
The term 'security and access policy' refers to the written policy that healthcare provider organisations must have, communicate and enforce in order to register, and maintain registration, with the My Health Record system. The policy sets out security measures and access requirements for ensuring appropriate use of My Health Record in your organisation.
This policy is required under Rule 42 of the My Health Records Rule 2016.
What is the purpose of the security and access policy?
A security and access policy helps your organisation comply with the requirements of the My Health Records Rule 2016 and My Health Records Act 2012.
An effective and tailored security and access policy will help your healthcare organisation safeguard sensitive patient information by ensuring the appropriate use of My Health Record.
How will having a security and access policy help my organisation?
The policy helps your organisation to use My Health Record appropriately. It will also assist you to act on any security risks related to My Health Record and respond to enquiries, when required.
For example:
- A healthcare recipient may submit an enquiry to the Agency regarding potentially unauthorised access to My Health Record by an employee from your organisation.
- The Agency may contact your organisation in relation to the enquiry.
- In line with sub-rule 42(4)(c) of the My Health Records Rule 2016, your security and access policy should outline the process for identifying who has accessed My Health Record on behalf of your organisation. This might involve checking the user ID or Healthcare Provider Identifier-Individual (HPI-I) recorded for the access and checking which employee that user ID or HPI-I belongs to.
- Using this information, you will be able to conduct an investigation to determine whether the access was authorised under the relevant provisions of the legislation.
Your policy should also include guidance on how your organisation will communicate the user’s identity to the System Operator, if required.
You will also need to assign a responsible officer and an organisation maintenance officer as key contacts for your organisation in relation to participation in the system. The responsible officer and organisation maintenance officer(s) are accountable for the organisation's compliance with ongoing participation obligations.
Policy requirements checklist
There are specific topics that must be covered in your organisation's security and access policy. The topics are set out in Rule 42 of the My Health Records Rule. To learn more about this requirement, please see the topics outlined below.
Do I need to cover all of the required topics in my security and access policy, even if they don’t apply to my organisation?
If, in your reasonable opinion, a topic required for inclusion in the policy does not apply to your organisation due to its limited size, you do not need to address that topic. See Rule 42(5) of the My Health Records Rule 2016. However, as a matter of best practice, it is recommended that you include a sentence in your policy outlining why the topic has not been covered.
The checklist in the box below is a guide only. It should be assessed against the needs and risks that may apply to your organisation. A downloadable copy is also available.
1. Healthcare provider organisation policies
- A written security and access policy is in place prior to the healthcare provider organisation registering to participate in the system, and the policy is maintained on an ongoing basis.
- The policy is communicated and remains accessible to all employees.
- The policy is communicated with any healthcare providers to whom the organisation supplies services under contract, and remains accessible to these providers. For example, a healthcare provider organisation that supplies information technology services to individual healthcare providers to enable them to access the system, must communicate the policy to these providers.
- The policy is enforced in relation to all employees and any healthcare providers to whom the organisation supplies services under contract.
Do I need a policy if staff in my organisation don’t use My Health Record or use it infrequently?
Yes, all organisations must have a security and access policy prior to registering with My Health Record. Once registered, they must implement, communicate and maintain an up-to-date security and access policy for the organisation.
It does not matter how often My Health Record is used or how many people use it. This requirement applies regardless of whether or not your organisation is actively using My Health Record.
You must also inform any new staff about your policy and provide authorised users with relevant training (see below for more information).
I employ few or no staff other than myself – do I need a security and access policy?
Yes, all healthcare provider organisations registered with My Health Record must have a security and access policy in place, regardless of the size of the business.
If you are a small business, you may like to read our guidance to assist sole traders in developing a security and access policy.
2. Manner of authorising and process for suspending and deactivating user accounts
- The policy details the manner of authorising persons accessing the system via or on behalf of the healthcare provider organisation.
- The policy outlines the ways a user account is suspended and/or deactivated in the following circumstances:
- A user leaves the organisation
- A user's security is compromised
- A user has changed duties and no longer requires access to the system
I don't know how my organisation will access My Health Record yet – do I need to specify this in my security and access policy?
Most healthcare provider organisations will be able to access My Health Record using conformant clinical software (such as a clinical information system, practice management system or dispensing system). Check the register of conformant software to see whether your clinical software provides access to My Health Record.
Healthcare providers who do not have conformant clinical software can access an individual's record through the National Provider Portal (NPP). The NPP is a web-based, read-only site that allows healthcare providers to view the information in a patient's record.
It is recommended that you specify in your security and access policy how staff in your organisation will access My Health Record by including the name of your clinical software, the NPP, or a combination of software products/applications.
Understanding how your organisation will access My Health Record is relevant when addressing some sections of your security and access policy. For example, the type of software you use will affect the way that you:
- undertake user account management processes
- suspend or deactivate user accounts
- identify users who access My Health Record.
3. Training for authorised users, before they access the system
- The policy includes a requirement that, before a user is authorised to access the system, they receive training covering:
- How to use the system accurately and responsibly
- Legal obligations of the healthcare provider organisation and people who access the system on behalf of the organisation
- Consequences of breaching those obligations
- A recommended training list (PDF, 189.58 KB) is available to support your organisation in meeting this legislative requirement.
- It is recommended that organisations maintain a register of staff training.
4. Process for identifying the individual who accesses a person's record (on each occasion)
- The policy outlines the process for identifying a person who requests access to a healthcare recipient’s record and communicating the person’s identity to the System Operator.
- Generally, this would occur via the National Provider Portal (NPP), or clinical information systems, where:
- the clinical software is used to assign and record unique internal staff member identification codes, including a Healthcare Provider Identifier-Individual (HPI-I); and
- the unique identification code, or the provider's HPI-I, is recorded by the clinical software and automatically provided to the System Operator for each instance of system access.
Note: See the legislative obligations for communicating to the System Operator under Section 74 of the My Health Records Act 2012.
The policy should mention the process for communicating a user’s identity to the System Operator – what does this mean?
Each time your organisation interacts with My Health Record, this activity is logged. Your conformant software and the NPP (if used) automatically communicate this information to the System Operator. This includes the user identifier (user ID) of the person who undertakes the activity. Your organisation will need to be able to confirm which person the user ID belongs to.
In some cases, we may request that you provide specific information in relation to the identity of the user who accessed the system. Your organisation must have a process in place for ensuring that this information is communicated to the System Operator. This process should be detailed in your policy.
For example, your organisation could:
- check the user ID of the person who accessed My Health Record at a particular time (by checking the transaction log, or referring to details included in the request from the Agency)
- confirm who the relevant user ID is assigned to
- have a process where the organisation's Responsible Officer (RO) or Organisation Maintenance Officer (OMO) provides the user’s identity to the System Operator when requested to do so.
All relevant processes (whether automated or manual) should be outlined in your policy.
5. Physical and information security measures, including user account management processes
- The policy details the physical and information security measures that are in place to mitigate information security risks and prevent unauthorised access.
- People accessing the system via or on behalf of the healthcare provider organisation understand and adhere to the physical and information security measures.
- The healthcare provider organisation employs reasonable user account management practices, including:
- Restricting access to those persons who require access as part of their duties
- Uniquely identifying individuals using the healthcare provider organisation's information technology systems
- Having that unique identity protected by a password or equivalent protection mechanism
- Ensuring password and/or other access mechanisms are sufficiently secure and robust (PDF, 467.51 KB) to mitigate the security and privacy risks associated with unauthorised access to the system
- Disabling the user accounts of persons no longer authorised to access the system
- Suspending a user account as soon as practicable after becoming aware that the account or its password or access mechanism has been compromised.
What is a physical security measure?
A measure that is designed to safeguard physical access to My Health Record. The physical security measures implemented by your organisation should be appropriately tailored to the organisation's circumstances. Some examples could include:
- installing computer privacy screens
- creating physical barriers to stop people seeing information displayed on computer screens
- ensuring devices used to access My Health Record are located in secure areas under appropriate surveillance.
What is an information security measure?
A measure designed to safeguard the integrity, confidentiality, and availability of information within My Health Record. These measures involve implementation of user account and password management (as outlined above), and other security controls relevant to your organisation’s size and structure.
For additional information, refer to:
- Cyber security resources, including the information security guide for small healthcare businesses (PDF, 880.43 KB).
- The guide to securing personal information and the guide to health privacy, provided by the Office of the Australian Information Commissioner (OAIC).
- Online security advice produced by the Australian Cyber Security Centre.
6. Strategies for identifying, responding to, and reporting system-related security risks
- The policy describes the mitigation strategies used by the healthcare provider organisation to ensure the system-related security risks can be:
- promptly identified
- acted upon
- reported to the healthcare provider organisation's management.
- This should include processes for identifying and reporting:
- unauthorised access to the system
- any matters that may compromise the security or integrity of the system, for example, a security incident, such as ransomware, that has affected a healthcare provider organisation.
- Organisations should ensure processes are in place to comply with data breach notification obligations outlined in Section 75 of the My Health Records Act.
- To assist with monitoring use of the system, audit logs should record the user identity, date and time of access, whose record was accessed and the type of information that was accessed.
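As an added example (not the Agency's code, nor code from any conformant software vendor), the following Python script walks through the identification process described under topic 4 and the audit-log fields recommended under topic 6. It parses a constructed audit log that records the user identity, date and time, whose record was accessed and what type of information, resolves each user ID for a given record and time window to the staff member it is assigned to, flags accesses by accounts whose authorisation had already ended, and lists accounts that should have been disabled under topic 5. The log format, field names, user IDs, staff register and record identifiers are all assumptions; a real clinical system or the NPP will have its own log format and you would read from that instead.

```python
"""Added example (not Agency or vendor code): resolve a My Health Record
access enquiry against a local audit log and a staff register.

Everything below is constructed for illustration: the log format, the
user IDs, the staff register and the record identifiers are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass(frozen=True)
class StaffEntry:
    name: str
    access_from: datetime
    access_to: Optional[datetime]  # None means still authorised


# Constructed staff register: which person each user ID is assigned to and
# when that person was authorised to access the system on the
# organisation's behalf. Names and user IDs are placeholders.
STAFF_REGISTER = {
    "jsmith": StaffEntry("J. Smith (GP)", datetime(2023, 1, 9), None),
    "kng": StaffEntry("K. Ng (practice nurse)", datetime(2023, 6, 1), None),
    "tlee": StaffEntry("T. Lee (locum)", datetime(2024, 1, 15), datetime(2024, 3, 5)),
}

# Constructed audit log in the shape topic 6 recommends: when, who (user ID),
# whose record, what type of information, and the action. "PATIENT-A" and
# "PATIENT-B" stand in for real record identifiers.
SAMPLE_AUDIT_LOG = """\
2024-03-04T09:12:31,jsmith,PATIENT-A,SharedHealthSummary,view
2024-03-04T09:40:02,kng,PATIENT-A,DischargeSummary,view
2024-03-05T17:55:10,kng,PATIENT-B,PathologyReport,view
2024-03-06T08:01:44,tlee,PATIENT-A,SharedHealthSummary,view
2024-03-06T08:05:12,svc01,PATIENT-A,SharedHealthSummary,view
"""


@dataclass(frozen=True)
class AccessEvent:
    when: datetime
    user_id: str
    record: str
    doc_type: str
    action: str


def parse_audit_log(text: str) -> list:
    """Parse the comma-separated log lines into AccessEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user_id, record, doc_type, action = line.split(",")
        events.append(AccessEvent(datetime.fromisoformat(ts), user_id, record, doc_type, action))
    return events


def resolve_enquiry(events, register, record, start, end):
    """Answer an enquiry of the form: who accessed this record between start and end?

    Returns one finding per matching access, naming the person the user ID
    is assigned to and whether that account was authorised at the time.
    start/end are ISO 8601 strings, as they would arrive in a written request.
    """
    start_dt, end_dt = datetime.fromisoformat(start), datetime.fromisoformat(end)
    findings = []
    for ev in events:
        if ev.record != record or not (start_dt <= ev.when <= end_dt):
            continue
        entry = register.get(ev.user_id)
        if entry is None:
            # A user ID the register cannot account for is itself a finding.
            person, status = "UNKNOWN", "unresolved user ID"
        elif entry.access_from <= ev.when and (entry.access_to is None or ev.when <= entry.access_to):
            person, status = entry.name, "authorised at time of access"
        else:
            # The account was still live after the person's authorisation ended.
            person, status = entry.name, "access outside authorised period"
        findings.append({
            "when": ev.when.isoformat(),
            "user_id": ev.user_id,
            "person": person,
            "doc_type": ev.doc_type,
            "status": status,
        })
    return findings


def accounts_to_disable(register, as_of):
    """User IDs whose authorisation has ended as of the given ISO date but that
    are still present in the register, i.e. accounts topic 5 says must be disabled."""
    as_of_dt = datetime.fromisoformat(as_of)
    return sorted(uid for uid, e in register.items()
                  if e.access_to is not None and e.access_to <= as_of_dt)


if __name__ == "__main__":
    events = parse_audit_log(SAMPLE_AUDIT_LOG)
    for f in resolve_enquiry(events, STAFF_REGISTER, "PATIENT-A", "2024-03-04", "2024-03-07"):
        print(f)
    print("accounts to disable:", accounts_to_disable(STAFF_REGISTER, "2024-03-06"))
```

Run against the constructed data, the enquiry for PATIENT-A returns four accesses: two by currently authorised staff, one by a locum whose authorisation ended the day before the access (the account should already have been suspended), and one by a user ID the staff register cannot resolve. Either of the last two is the kind of result the Responsible Officer or Organisation Maintenance Officer would need to investigate before communicating the user's identity to the System Operator.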
7. Assisted Registration
- Where the healthcare provider offers assisted registration, this topic is required within the policy.
- Assisted registration is where a healthcare provider assists healthcare recipients to register for a record.
- The policy needs to outline the methods for:
- Authorising employees of the organisation to provide assisted registration
- Providing training before a person is authorised to provide assisted registration
- Confirming a healthcare recipient's consent to be registered
- Identifying a healthcare recipient for the purposes of assisted registration, including the process and criteria that must apply
Note: See the legislative requirements for confirming a healthcare recipient’s consent under Rule 9 of the My Health Records (Assisted Registration) Rule 2015.
I don’t provide Assisted Registration – do I need to mention this in my policy?
As a matter of best practice, where Assisted Registration is not provided by your organisation, this should be clearly stated in your organisation's policy.
8. Policy implementation and maintenance
- The My Health Record security and access policy must be reviewed annually (at a minimum) and when any material new or changed risks are identified (such as a change within the system, organisation, or regulation; or factors that might result in unauthorised access, use or disclosure of information in a record).
- The policy must include a unique version number and date of effect.
- A copy of each version of the policy must be retained by the organisation.
Note: The Agency or the Office of the Australian Information Commissioner (OAIC) may request a current or previous version of your organisation's security and access policy at any time. Where a healthcare provider organisation receives a request from the Agency, the legislation specifies that a copy of the policy must be provided within 7 days.
Does the policy need to be in a single, stand-alone document?
Not necessarily, however, it is strongly recommended that your security and access policy is contained in a single document, rather than distributed across multiple documents. This ensures your policy contains all the processes and obligations in one place and is easily accessible to all relevant employees.
If the requirements of Rule 42 of the My Health Records Rule 2016 have been addressed across several policy documents, it is recommended that references are included in those policies to demonstrate that the information forms part of the organisation's My Health Record security and access policy.
You must also ensure that you review, update, maintain, enforce and promote all relevant policy documents to staff within your organisation.
Does the policy need to be called a 'My Health Record security and access' policy?
It is not mandatory for your organisation's policy to be called a security and access policy. However, this title is recommended, as use of this title ensures that it can be easily recognised as the policy developed to satisfy the requirements of Rule 42 of the My Health Records Rule 2016. This title is recommended by the Agency and the privacy regulator for My Health Record.
Regardless of the name of your policy, it is important that it addresses each of the topics required by Rule 42 in a manner that is appropriately tailored to your organisation's circumstances.
Do I need to keep a copy of all previous versions of my security and access policy?
Yes, a copy of each version of your organisation's security and access policy must be retained in accordance with Rule 42(6)(d) of the My Health Records Rule 2016.
Does my security and access policy need to be signed?
It is not a legislative requirement for your policy document to be signed. However, it is noted that some accreditation bodies that conduct policy reviews may impose additional requirements. For example, we are aware that some accreditation bodies do require policies to be signed by an authorised individual within your organisation.
As this may not apply to every organisation, it is recommended that you consult with your accreditation provider and confirm their requirements. By doing so, you can ensure that your policy aligns with requirements of Rule 42 of the My Health Records Rule 2016 and also addresses the accreditation standards relevant to your organisation.
More information
The Office of the Australian Information Commissioner (OAIC) provides Rule 42 guidance outlining points for healthcare provider organisations to consider when developing their security and access policy. A policy template has also been developed by the OAIC, in collaboration with the Agency, to assist you in developing a policy for your organisation. General guidance is also available to help you protect health information.
You may wish to complete the e-Learning module Developing a security and access policy for your organisation for an overview of the practical steps that should be followed when developing a security and access policy.
You can also download the security and access policy requirements checklist and view guidance for sole traders.
Do I need to use the Office of the Australian Information Commissioner’s (OAIC) policy template to develop my security and access policy?
It is not mandatory to use the OAIC's policy template when developing a security and access policy for your organisation. However, the OAIC template has been developed as a useful guide and its use is highly recommended.
Regardless of whether the OAIC template, another template, or no template is used, healthcare provider organisations are responsible for ensuring that their policy covers all of the matters required by Rule 42 of the My Health Records Rule 2016, and for ensuring that the policy has been appropriately tailored to their individual circumstances. Please refer to the security and access policy requirements checklist (PDF, 458.19 KB).
I understand that my organisation must communicate the policy to staff – does this need to be done in a particular way?
There is no set requirement with regard to how your security and access policy should be communicated to staff. The policy may be communicated in a range of ways, some examples could include:
- induction or refresher training
- providing a copy of the policy to employees who will be authorised to access My Health Record, for them to read and acknowledge
- making the policy digitally available on the organisation's intranet or IT network
- other communication methods relevant to your organisation.
What do I do with my security and access policy once it has been developed?
Once finalised, you must ensure that your organisation's security and access policy is enforced, and that it is communicated to all employees (including contractors) and any healthcare providers to whom you provide services under contract. You must also ensure that the policy is reviewed annually, at a minimum, as well as when any new or changed risks are identified.
Do I need to submit a copy of my security and access policy to the Agency (System Operator) once it has been developed?
No, you don't need to provide a copy of your policy at the time it is developed. However, we may request a copy of your security and access policy at any time, and you must provide a copy within 7 days of the request, as outlined in Rule 43 of the My Health Records Rule 2016.
Failure to maintain a security and access policy
Registered organisations that do not comply with requirements of Rule 42 of the My Health Records Rule are not eligible to participate in My Health Record and may have their registration revoked.
It is noted that the OAIC is the privacy regulator for My Health Record and the OAIC may consider regulatory action if it finds that an organisation does not have a compliant My Health Record security and access policy. The Commissioner's approach to enforcement of My Health Record requirements is outlined in the My Health Records (Information Commissioner Enforcement Powers) Guidelines 2016.
Are checks of organisations' security and access policies undertaken?
We may request to review your organisation’s policy. Where such a request is received, you must respond within 7 days upon receipt of the request, in accordance with Rule 43 of the My Health Records Rule 2016.
In addition, the Office of the Australian Information Commissioner (OAIC) regularly carries out privacy assessments in relation to My Health Record. These assessments may involve a review of organisations' security and access policies.
I have received a request to provide a copy of my organisation's security and access policy – do I have to respond?
Yes, where you are asked to submit a copy of your organisation’s security and access policy to the System Operator, you must provide a copy of your policy within 7 days of receiving the request, in accordance with Rule 43 of the My Health Records Rule 2016.
If you receive a request from the System Operator to provide a copy of your organisation's security and access policy, this is because information available to us indicates that your organisation is registered with My Health Record.
I am not registered for My Health Record – why have I received a request to provide a copy of my security and access policy?
Our records indicate that your organisation is registered with My Health Record. Your business or organisation may have registered with My Health Record at the time of registering with the Healthcare Identifiers Service or when registering for electronic prescribing. You can check your registration details by logging in to your Provider Digital Access (PRODA) account or calling the Healthcare Identifiers Service helpline on 1300 361 457.
If you cease to be eligible for registration with My Health Record, you must ensure that the System Operator is notified within 14 days (for example, because you are closing your business or have ceased trading, no longer have a HPI-O for your organisation or no longer employ a healthcare provider individual who has a healthcare provider identifier (HPI-I)).
Ongoing participation obligations
Once you have established a security and access policy for your organisation and registered with the My Health Record system, you are required to comply with a range of ongoing participation obligations.
At a high level, you are required to:
- Provide healthcare services, regardless of whether an individual has a My Health Record or has limited access to information contained in their My Health Record by using access controls. See the "Emergency access" section under "Privacy and access" to understand how access controls may be applied and the rare circumstances in which they may be overridden using Emergency Access.
- Take reasonable steps to ensure any information uploaded to the My Health Record system is easily understood, accurate and up-to-date, at the time it is uploaded. It is also important to ensure information is not defamatory or subject to copyright. See the OAIC guidance for additional information on the relevance of the Australian Privacy Principles when using the My Health Record system.
- Ensure that the details for the organisation's Responsible Officer and Organisation Maintenance Officer(s) are kept up to date in PRODA.
- Have a process in place to prevent a clinical document being uploaded to the My Health Record system where an individual has asked that the information is not uploaded.
- Ensure information being uploaded to the My Health Record system is prepared by individuals who are registered healthcare providers with a healthcare provider identifier–individual (HPI-I). It is important to conduct regular checks to ensure individuals using the system on behalf of the organisation have a registration that is not conditional, suspended, cancelled or lapsed.
- Train users of the system regarding appropriate collection, use and disclosure of My Health Record information. This includes awareness of organisational and individual legislative obligations specific to the My Health Record system, along with the Privacy Act 1988 and any relevant state or territory laws.
- Ensure that data quality is maintained when information is uploaded to the My Health Record system, and that it complies with the relevant legislative obligations. This includes establishing and maintaining a list of individuals authorised to access the My Health Record system on behalf of your organisation and ensuring they are registered healthcare providers.
- Notify the Agency as the System Operator and, where relevant, the Office of the Australian Information Commissioner (OAIC) as soon as practicable after becoming aware of a potential or actual data breach relating to the My Health Record system. See guidance on managing a data breach which describes the steps for notifying the relevant parties of a data breach.
- Ensure that the Agency, as System Operator, is notified within two business days of becoming aware of a non-clinical My Health Record system-related error in a record, or of a material change to your organisation.
- Ensure that the Agency, as System Operator, is notified within 14 days if you cease to be eligible for registration with the My Health Record system (for example, because you are closing your business or have ceased trading, no longer have a HPI-O for your organisation or no longer employ a healthcare provider individual who has a healthcare provider identifier (HPI-I)).
- Assist with any inquiry, audit, review, assessment, investigation, or complaint regarding the My Health Record system.
- Ensure that a My Health Record security and access policy is in place and that the policy is reviewed, at least annually, and copies of each version are retained. See the security and access policy checklist.