Security and access policy guidance for sole traders
Under Rule 42 of the My Health Records Rule 2016, organisations that wish to register with the My Health Record system must establish, implement and enforce a written policy covering a number of mandatory topics. This policy is commonly referred to as a security and access policy. The topics that must be covered by the policy include:
- the manner of authorising people to access the My Health Record system, and deactivating or suspending access
- training that will be provided to employees before they access the My Health Record system
- the process for identifying a person who requests access to a healthcare recipient’s My Health Record and communicating the person’s identity to the System Operator[1]
- physical and information security measures that will be established and adhered to by the healthcare provider organisation and people accessing the My Health Record system
- mechanisms for the prompt identification and mitigation of My Health Record system-related security risks
- where the healthcare provider organisation provides assisted registration, information about the authorisation of employees, training, confirmation of consent and process and criteria for identifying a healthcare recipient for that purpose.
Requirements in relation to security and access policies apply to all healthcare provider organisations that wish to register with the My Health Record system, regardless of their size. This means that they also apply to healthcare provider organisations operating as sole traders. Guidance in relation to adapting each of the above matters for sole traders is set out below. We recommend that sole traders use this guidance, in conjunction with the Office of the Australian Information Commissioner (OAIC) Rule 42 policy template, to develop a security and access policy for their organisation.
Please note: this guidance is designed for sole traders who do not have any employees.
Authorising, suspending and deactivating access
An example of how this section might be adapted to sole traders is by stating that, as a sole trader, they are the only person authorised to access the My Health Record system on behalf of the organisation.
Regarding suspending and deactivating access, the sole trader may want to state that if they cease trading or no longer require access to the My Health Record system, they will deactivate their user account and deregister the organisation from the system. They may also want to include a sentence stating that if their user account is compromised (or they suspect it has been), they will immediately deactivate the account and not resume access until an investigation has been conducted and the security of the account has been restored.
Training
An example of how this section might be adapted to sole traders is by stating that, as a sole trader, they will undertake specific training (for example, the Agency's Security, Privacy and Access eLearning module) prior to accessing the My Health Record system for the first time. The sole trader might also want to state that they will undertake refresher training at a defined frequency, and name the resources that will be used to do this.
Identifying a person requesting access and communicating their identity to the System Operator
An example of how this section might be adapted to sole traders is by stating that, because the sole trader is the only person who accesses the My Health Record system on behalf of the organisation and holds the only user account, it is always possible to identify which user accessed the My Health Record system at a particular time.
With regard to the process for communicating a user's identity to the System Operator, the policy might state that this information will be communicated, where required, by the organisation's Responsible Officer (the sole trader, who is the only person at the organisation).
Physical and information security measures
Physical and information security measure requirements apply to sole traders in the same manner that they apply to larger healthcare provider organisations that use the My Health Record system. In the case of sole traders, these measures should be adapted to the type of work being carried out, as well as the location(s) where such work will be carried out. Measures that may be listed in the security and access policy for sole traders include, for example:
- using a strong, unique password for the My Health Record system, and changing it immediately if compromise is suspected rather than relying only on routine periodic changes
- locking the user account after a set number of consecutive failed login attempts
- locking or logging out of the device whenever it is left unattended
- positioning screens away from the view of the general public and other people (such as clients), or using privacy screens, so that information cannot be read by others.
Identification and mitigation of security risks
As with physical and information security measures, mitigation measure requirements apply to sole traders in the same manner that they apply to larger healthcare provider organisations that use the My Health Record system. Again, these should be adapted to the type and location of work being carried out. The following are examples of strategies a sole trader might list to ensure that My Health Record system-related security risks are promptly identified and acted upon:
- double-checking that the correct individual's My Health Record is being accessed, prior to opening the record
- installing anti-malware software and keeping it, and the operating system of the device used to access the system, up to date
- undertaking training in relation to phishing, cybersecurity etc. (for example, the Digital health security awareness course available at https://training.digitalhealth.gov.au)
- taking steps to contain any identified breach (for example, deactivating the user account, or immediately exiting any My Health Record opened as a result of user error or accident)
- where required, reporting any suspected or identified breach to the relevant authorities.
Assisted registration
If a sole trader provides assisted registration to consumers, it is recommended that the security and access policy include information on the authorisation of the user, training, confirmation of consent, and the process and criteria for identifying a healthcare recipient for that purpose. If the sole trader does not provide assisted registration to consumers, it is recommended that they include a sentence to this effect in their policy, to explain the absence of information on this topic.
Other considerations:
Under Rule 42(5) of the My Health Records Rule 2016, if in the sole trader's reasonable opinion one of the above matters does not apply because of the limited size of the organisation, their policy does not need to address that matter. However, it is recommended that the sole trader include a statement in the policy justifying the omission on that basis.
Additional resources:
There are a number of resources that exist to assist healthcare provider organisations, including sole traders, in developing their My Health Record security and access policy. These resources include:
- Office of the Australian Information Commissioner (OAIC) Rule 42 guidance and policy template
- Australian Digital Health Agency My Health Record security and access policy checklist
- Australian Digital Health Agency ‘Developing a My Health Record security and access policy for your organisation’ eLearning module
- Australian Digital Health Agency ‘Implementing a My Health Record security and access policy’ webinar.
It should be noted that the above guidance is intended as general in nature only and should not be considered legal advice. Ultimately, healthcare provider organisations (including sole traders) are responsible for ensuring that their policy covers all of the matters required by Rule 42 of the My Health Records Rule 2016, and has been appropriately tailored to their individual circumstances.
[1] This will enable the healthcare provider organisation to meet their obligations under section 74 of the My Health Records Act 2012.