Security and Access policies – Rule 42 guidance

12 August 2022

Tags: my health record

Healthcare provider organisations have certain obligations under the My Health Records Act 2012 (Cth) and My Health Records Rule 2016.

Rule 42 of the My Health Records Rule requires healthcare provider organisations to have, communicate and enforce a written Security and Access policy in order to register, and remain registered, to use the My Health Record system.[1]

Organisations registered with the My Health Record system must have a Security and Access policy regardless of the organisation’s size or how often they access the My Health Record system.

Security and Access policies are critical in supporting healthcare provider organisations to protect the sensitive information of their patients. They also build staff awareness of obligations under My Health Record legislation.

At a minimum, your Security and Access policy must reasonably address the following matters:

  1. how people are authorised to access the My Health Record system, and how access is deactivated or suspended when certain circumstances arise[2]
  2. the training that is provided to employees before they access the My Health Record system, including how to use the system accurately and responsibly, the legal obligations on healthcare provider organisations and individuals and the consequences of breaching those obligations[3]
  3. the process for identifying a person who requests access to a healthcare recipient’s My Health Record and communicating the person’s identity to the System Operator[4][5]
  4. the physical and information security measures[6] taken by the healthcare provider organisation and people accessing the My Health Record system[7]
  5. mitigation strategies to promptly identify, act upon and report security risks[8]
  6. assisted registration information (if applicable)[9]

Merely having a Security and Access policy is not sufficient to ensure the security and integrity of the My Health Record system and the information it contains. Healthcare provider organisations must actively communicate and enforce their Security and Access policy in relation to all employees and any healthcare providers to whom the organisation supplies services under contract.[10]

Tips

Although your Security and Access policy must address the matters listed above, the following tips will help you to develop, implement, and maintain an effective policy to support effective security and access governance in your organisation. If your organisation chooses to implement any of these measures, you could reinforce these practices by mentioning them in your Security and Access policy.

One policy document

Your Security and Access policy should be contained in a single document, rather than distributed across multiple documents. This allows readers to easily access organisational processes and obligations in one place.[11]

Mitigation strategy: Audit log reviews

Proactively reviewing audit logs is an effective means of detecting and investigating unauthorised access to the My Health Record system.[12] Audit logs record each access to the My Health Record system, including the user’s identity, the date and time of access, whose My Health Record was accessed and what information was accessed. Reviewing them on a regular schedule, rather than only after a complaint, lets you identify accesses with no apparent clinical reason (for example, a record belonging to a patient the user had no appointment with, or access by an account that should have been deactivated) while the evidence is still fresh. Audit logs can often be accessed via your clinical software.
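The following is an added example of the kind of proactive review described above; it is not code from the OAIC or from any clinical software product. The audit records, appointment list and deactivated-user list are constructed sample data, and the field names, the "no appointment on that date" rule and the 7am to 7pm business-hours window are assumptions chosen for illustration. A real export from clinical software will have a different layout, but the review logic (cross-check every access against a clinical relationship, an active-user list and expected hours) carries over.

```python
"""
Illustrative audit-log review for My Health Record access.

Added example only: the log format, field names and detection rules are
assumptions, not the format of any real clinical software export.
"""
from datetime import datetime, time

# Constructed sample audit records (not real data). Field names are assumed.
AUDIT_LOG = [
    {"user": "dr.lee",     "ts": "2022-08-01T09:12:00", "record": "IHI-1001", "action": "view_summary"},
    {"user": "dr.lee",     "ts": "2022-08-01T23:40:00", "record": "IHI-1002", "action": "view_summary"},
    {"user": "reception1", "ts": "2022-08-01T10:05:00", "record": "IHI-1003", "action": "view_summary"},
    {"user": "locum.old",  "ts": "2022-08-02T11:00:00", "record": "IHI-1001", "action": "view_summary"},
    {"user": "dr.lee",     "ts": "2022-08-02T14:30:00", "record": "IHI-1004", "action": "upload_document"},
]

# Constructed: (user, record, date) triples for which a clinical appointment exists.
APPOINTMENTS = {
    ("dr.lee", "IHI-1001", "2022-08-01"),
    ("dr.lee", "IHI-1004", "2022-08-02"),
}

# Constructed: users whose access should already have been deactivated.
DEACTIVATED_USERS = {"locum.old"}

# Assumed business hours; accesses outside this window are flagged for review.
BUSINESS_HOURS = (time(7, 0), time(19, 0))


def review_access(log, appointments, deactivated, hours=BUSINESS_HOURS):
    """Return a list of (log_index, reason) findings for manual follow-up.

    One log entry can produce several findings, e.g. a deactivated user who
    also has no appointment with the patient.
    """
    findings = []
    for i, entry in enumerate(log):
        ts = datetime.fromisoformat(entry["ts"])
        relationship = (entry["user"], entry["record"], ts.date().isoformat())
        if entry["user"] in deactivated:
            findings.append((i, "access by deactivated user"))
        if relationship not in appointments:
            findings.append((i, "no appointment with patient on that date"))
        if not (hours[0] <= ts.time() <= hours[1]):
            findings.append((i, "access outside business hours"))
    return findings


def summarise(findings):
    """Count findings per reason, for a short periodic review summary."""
    counts = {}
    for _, reason in findings:
        counts[reason] = counts.get(reason, 0) + 1
    return counts


if __name__ == "__main__":
    results = review_access(AUDIT_LOG, APPOINTMENTS, DEACTIVATED_USERS)
    for idx, reason in results:
        e = AUDIT_LOG[idx]
        print(f"{e['ts']} {e['user']:<11} {e['record']} {e['action']:<15} -> {reason}")
    print(summarise(results))
```

Each finding is a prompt for a human to confirm whether there was a legitimate reason for the access (for example, an emergency or a referral not yet recorded), not a conclusion that a breach occurred; the point is that the review is systematic and repeatable rather than reactive.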

Passwords and passphrases

To ensure that passwords and passphrases are sufficiently complex and robust,[13] you should:
  • use long passwords or passphrases (for example, 14 or more characters) with a combination of letters, numbers, and symbols
  • use a unique password or passphrase for each user and each system, so that a credential exposed elsewhere cannot be reused against the My Health Record system
  • change passwords every 30 to 90 days, and immediately if a password is suspected of having been disclosed or compromised.

Training

Training ensures staff are aware of their My Health Record and privacy obligations and handle personal information accordingly. As well as training all staff (employees and contractors) before they can access the My Health Record system,[14] you should provide:

  • annual refresher training to staff regarding their My Health Record access obligations
  • ad hoc training when there are changes to legislation or My Health Record system functionalities.

Training is important regardless of how large your organisation is, or how often you use the My Health Record system.

Remote access security

The My Health Record system can be accessed remotely. If your organisation has this functionality, you should ensure that it is secured using unique login details and other access processes such as multifactor authentication.[15]

Templates

Templates can be a useful tool when developing a Security and Access policy. However, using a template does not guarantee compliance under Rule 42. When using a template to prepare a Security and Access policy, you should:

  • refer to Rule 42 of the My Health Records Rule 2016 to ensure that the template addresses all legislative requirements
  • review, update and tailor your Security and Access policy to reflect your individual practices and circumstances to ensure it can be effectively enforced.

The OAIC’s template broadly addresses the requirements under Rule 42, however you should adjust it by adding details that reflect your organisation’s practices and circumstances. Persons using this template should seek appropriate legal or other professional advice as required.

Enforcing your policy in contract

To ensure that the My Health Record system is used responsibly and securely, you must communicate and enforce your Security and Access policy against the organisations and individuals that use your systems to access the My Health Record system, including staff, contractors, and healthcare providers you supply services to.[16]

Example: Supplying services to other healthcare providers
If a GP rents out rooms to other independent doctors or healthcare provider organisations and provides shared IT that facilitates access to the My Health Record system, the GP must enforce its Security and Access policy with these independent parties.

All relevant contracts facilitating access to the My Health Record system, such as employment contracts or contracts to share IT services with independent healthcare providers, should include provisions that allow you to monitor users’ access to the My Health Record system and explicitly require them to:

  • comply with your Security and Access policy
  • implement physical and information security measures to mitigate the risk of unauthorised access to the My Health Record system
  • implement processes to ensure that security and privacy risks can be identified and acted upon
  • report suspected or actual breaches to you.

Organisational changes

In addition to the minimum requirements to review your Security and Access policy at least annually and when any material new or changed risks are identified,[17] you should review your Security and Access policy when the structure of your organisation changes, as this may impact the application of your Security and Access policy in practice.

Access the eLearning course for Developing a My Health Record Security and Access Policy for your Organisation created by the Australian Digital Health Agency.

Download the My Health Record system security and access policy template.

How to use the template:

  • The template is a completely customisable Word document.
  • Choose options from the drop down menus or replace with your own text.
  • Delete material that is not relevant to your organisation’s obligations.

Footnotes

[1] See also Rule 41 of the My Health Records Rule 2016.

[2] My Health Records Rule 2016, r 42(4)(a).

[3] My Health Records Rule 2016, r 42(4)(b).

[4] My Health Records Rule 2016, r 42(4)(c).

[5] Under section 74 of the My Health Records Act, registered healthcare provider organisations must ensure certain information is given to System Operator.

[6] See also Rule 44 of the My Health Records Rule 2016.

[7] My Health Records Rule 2016, r 42(4)(d).

[8] My Health Records Rule 2016, r 42(4)(e).

[9] My Health Records Rule 2016, r 42(4)(f).

[10] My Health Records Rule 2016, r 42(2)-(3).

[11] Rule 42(2) of the My Health Records Rule 2016 requires healthcare provider organisations to communicate their Security and Access Policy and ensure that it remains readily accessible to employees and healthcare providers to whom the organisation provides services under contract.

[12] As required under Rules 42(4)(e) and 44(c) of the My Health Records Rule 2016.

[13] Under Rule 42(4)(d) of the My Health Records Rule 2016, healthcare provider organisations must establish and adhere to physical and information security measures to control access to the My Health Record system.

[14] Under Rule 42(4)(b) of the My Health Records Rule 2016, healthcare provider organisations must provide training to individuals before they are authorised to access the My Health Record system. The training must cover:

  • how to use the My Health Record system accurately and responsibly
  • legal obligations on organisations and individuals using the My Health Record system
  • consequences of breaching those legal obligations.

[15] Under Rules 42(4)(d) and 44 of the My Health Records Rule 2016, healthcare provider organisations must establish and adhere to physical and information security measures to control access to the My Health Record system.

[16] My Health Records Rule 2016, rr 42(2)-(3).

[17] My Health Records Rule 2016, r 42(6)(c).