Rule 42 guidance

Tags: my health record

Legally binding rules made under the My Health Records Act set out a healthcare provider organisation’s responsibilities in certain situations. This includes the My Health Records Rule 2016.

It is important that healthcare provider organisations are aware of their responsibilities under these rules: this helps to make sure they have procedures and policies in place to protect patient privacy and that personal information is properly handled.

Rule 42 requires healthcare provider organisations to have, communicate and enforce a written policy that addresses a range of matters, including:

  • the manner of authorising people to access the My Health Record system, and deactivating or suspending their access when certain circumstances arise
  • training that will be provided to employees before they access the My Health Record system
  • the process for identifying a person who requests access to a healthcare recipient’s My Health Record and communicating the person’s identity to the System Operator so that the healthcare provider organisation is able to meet its obligations under s 74 of the Act[1]
  • physical and information security measures that will be established and adhered to by the healthcare provider organisation and people accessing the My Health Record system and
  • mechanisms for the prompt identification and mitigation of security risks.

Healthcare provider organisations must have a written Rule 42 policy to be eligible to be registered, or remain registered, under the My Health Record system. The policy underpins the security governance for end-users of the My Health Record system and is therefore critical to ensure protections are put in place for sensitive information. It also helps build staff awareness of obligations under My Health Record legislation.

The OAIC considers:

  • It is best practice for the Rule 42 policy to be contained in a single document, rather than distributed across multiple documents. This gives employees, and any healthcare providers to whom the organisation supplies services under contract, clear, unambiguous and easy-to-access information about the way the healthcare provider organisation will meet its My Health Record access obligations.
  • Under Rule 42(4)(c), healthcare provider organisations must have a process for identifying a person who requests access to a healthcare recipient’s My Health Record and communicating the person’s identity to the System Operator.
  • Under Rule 42(4)(e), healthcare provider organisations must have strategies to ensure My Health Record system-related security risks can be promptly identified, mitigated and reported to management. Audit logs are an important tool for monitoring staff access to the My Health Record system. Maintaining a chronological record of system activities is key to detecting unauthorised access. Audit logs should record the user identity, the date and time of access, whose My Health Record was accessed and the type of information that was accessed.
  • Healthcare provider organisations should apply the ADHA’s recommended standard of 13 or more characters (using a combination of letters, numbers and symbols) to all passwords used for access to the My Health Record system. This ensures that passwords used to access the My Health Record system are sufficiently complex and secure to comply with Rule 44(c).
  • Rule 44(e) requires healthcare providers to employ reasonable user account management practices, including suspending a user account that enables access to the My Health Record system as soon as practicable after becoming aware that the account, its password or its access mechanism has been compromised. These steps help healthcare providers reduce the risk of unauthorised access to the My Health Record system.
  • Training ensures staff are aware of their My Health Record and privacy obligations and handle personal information in a consumer’s My Health Record accordingly. This reduces the likelihood of a breach of My Health Record privacy and access security obligations. Healthcare provider organisations should provide training to all staff (employees and contractors) on their My Health Record access obligations at least annually, in addition to ad hoc training when there are changes to legislation or My Health Record system functionality.
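The audit-log review described in the Rule 42(4)(e) point above, and the 13-character password standard cited under Rule 44(c), can be turned into routine checks. The script below is an added illustration written for this page; it is not code from the OAIC, the ADHA or the My Health Record system. The log format (one access per line: timestamp, user identity, which record was accessed, what type of information), the authorisation register, the user names and the record identifiers are all constructed assumptions. It flags access by users who are not on the register, access after a user's deactivation date, and records whose timestamps break the chronological order the guidance says is key to detection.

```python
"""Added illustration (not OAIC or ADHA code): review a constructed My Health
Record access audit log against an authorisation register, and check a
password against the 13-character standard the guidance cites."""
from dataclasses import dataclass
from datetime import date, datetime
import re

# Constructed authorisation register (assumption): user id -> (authorised from,
# deactivated on or None). Models the Rule 42(4)(a) authorise/deactivate duty.
AUTHORISED_USERS = {
    "dr.lee": (date(2023, 1, 9), None),
    "rn.patel": (date(2023, 3, 1), date(2024, 6, 30)),  # access deactivated after leaving
    "admin.ng": (date(2022, 11, 14), None),
}

# Constructed audit log (assumption), one record per line, carrying the four
# fields the guidance lists: user identity, date/time, whose record, info type.
SAMPLE_LOG = """\
2024-07-01T09:02:11 dr.lee   HR-0001 shared_health_summary
2024-07-01T09:15:40 rn.patel HR-0001 discharge_summary
2024-07-01T09:14:02 admin.ng HR-0002 prescription_record
2024-07-01T10:30:55 j.smith  HR-0002 pathology_report
"""

LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\s+"
    r"(?P<user>\S+)\s+(?P<record>\S+)\s+(?P<info>\S+)$"
)


@dataclass(frozen=True)
class AccessEvent:
    timestamp: datetime
    user: str
    record: str
    info_type: str


def parse_log(text: str) -> list[AccessEvent]:
    """Parse the constructed log format; a malformed line is an error, not skipped."""
    events = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LOG_LINE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: malformed audit record: {line!r}")
        events.append(AccessEvent(datetime.fromisoformat(m["ts"]),
                                  m["user"], m["record"], m["info"]))
    return events


def review_access(events, register):
    """Return (event, reason) findings that warrant reporting to management."""
    findings = []
    last_ts = None
    for ev in events:
        # A record that is earlier than its predecessor breaks the chronological
        # sequence the guidance relies on; treat it as a finding in its own right.
        if last_ts is not None and ev.timestamp < last_ts:
            findings.append((ev, "out-of-order timestamp"))
        last_ts = ev.timestamp

        entry = register.get(ev.user)
        if entry is None:
            findings.append((ev, "user not in authorisation register"))
            continue
        start, end = entry
        day = ev.timestamp.date()
        if day < start:
            findings.append((ev, "access before authorisation start"))
        elif end is not None and day > end:
            findings.append((ev, "access after deactivation"))
    return findings


def meets_password_standard(password: str, min_length: int = 13) -> bool:
    """The standard as the guidance states it: 13+ characters combining
    letters, numbers and symbols (anything that is not a letter or digit)."""
    return (
        len(password) >= min_length
        and any(c.isalpha() for c in password)
        and any(c.isdigit() for c in password)
        and any(not c.isalnum() for c in password)
    )


if __name__ == "__main__":
    for ev, reason in review_access(parse_log(SAMPLE_LOG), AUTHORISED_USERS):
        print(f"{ev.timestamp.isoformat()} {ev.user:<9} {ev.record} "
              f"{ev.info_type}: {reason}")
```

Run against the constructed log, the review reports three findings: rn.patel accessing a record after deactivation, admin.ng's record arriving out of chronological order, and j.smith not appearing on the register at all. A real deployment would read the log the clinical information system actually produces and the register the organisation actually maintains; the point of the example is that every check above depends on exactly the four fields the guidance says an audit log should capture.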
 

[1] Under section 74, registered healthcare provider organisations must ensure certain information is given to the System Operator.
