My Health Record access security policy assessment program

12 August 2021

The OAIC is undertaking an assessment program examining My Health Record access security policies.

The program is assessing general practice (GP) clinics’ compliance with Rule 42(1) of the My Health Records Rule 2016 (MHR Rule). This requires healthcare provider organisations, including GP clinics, to have a written access security policy that reasonably addresses certain matters governing access to the My Health Record system.

The OAIC considers that access security policies are a reasonable step for healthcare provider organisations to take in complying with Australian Privacy Principles (APPs) 1.2 (open and transparent management of personal information) and 11 (security of personal information) when handling personal information in the My Health Record system.

The program involves 2 assessments:

  1. An initial survey of a large sample of GP clinics across Australia to assess compliance with the legislative requirement to have a written access security policy under Rule 42(1) of the MHR Rule.
  2. A subsequent qualitative assessment of a smaller sample of GP clinics across Australia, against the substantive requirements of Rule 42 of the MHR Rule, and APPs 1.2 and 11.

In late July 2021, we notified participating GP clinics about the assessment by email and letter.

The OAIC will publish findings from these assessments in de-identified reports on compliance trends.