My Health Records Security and Access Policy Assessment 1: General Practice Clinic Survey

Privacy Assessment by the Office of the Australian Information Commissioner

Part 1: Key points

  • The Office of the Australian Information Commissioner (OAIC) conducted a privacy assessment to assess compliance with Rule 42 of the My Health Records Rule 2016. This rule requires healthcare provider organisations to have, communicate and enforce a written policy[1] governing the use, security, and access of the My Health Record system. The written policy is referred to as a ‘Security and Access policy’ in this report.[2] Having a Security and Access policy ensures that healthcare provider organisations have procedures and policies in place to protect patient privacy and that personal information is properly handled.
  • This assessment involved conducting a survey of 300 General Practice (GP) clinics. A copy of the survey can be found in Appendix A at the end of this report.
  • The OAIC has issued guidance relating to Security and Access policies on our website. After fieldwork for this assessment was completed, the OAIC also published a Security and Access policy template to assist healthcare provider organisations to comply with Rule 42 of the My Health Records Rule 2016. This and other resources that are currently available on the OAIC and Australian Digital Health Agency (ADHA) websites are listed in Appendix B.
  • Areas of good privacy practice
    • Over two-thirds of participants that responded to the survey had a Security and Access policy.
    • The majority of GP clinics that said they supply services to other healthcare providers,[3] reported that they consistently provide a copy of their Security and Access policy to those healthcare providers.
  • Areas for improvement
    • Over 30% of participants did not provide a Security and Access policy when requested. Almost half of these GP clinics provided a document, but it was not a Security and Access policy. This may indicate that many GP clinics are unaware of the requirements of Rule 42 and may confuse Security and Access policies with other policy documents used in their practice.
    • During the assessment, the OAIC observed varying degrees of understanding amongst participants of when a GP clinic is taken to supply services under contract to other healthcare providers.[4] Obligations of parties in such scenarios are outlined in the My Health Records Rule 2016, but GP clinics may not be compliant in this regard if they do not sufficiently understand when these obligations apply.
    • 42 of the 300 GP clinics did not commence the survey. Although contact details for participating GP clinics’ Responsible Officers were provided to the OAIC by the ADHA, some GP clinics may not have informed the ADHA when these details changed. Therefore, some GP clinics may not have received the survey.[5]
  • After the survey had closed, the OAIC contacted GP clinics that did not provide a copy of a Security and Access policy in their survey response. At the conclusion of this process, 79% of the 300 GPs had provided a Security and Access policy to the OAIC – up from 59% at the time of the survey. The OAIC is considering further regulatory action in relation to GPs which did not provide a Security and Access policy by the conclusion of this assessment.
  • This assessment should not be taken to be representative of the general population of GP clinics. The OAIC notes that the assessment and survey may have prompted some participants, who may not have previously been aware of Rule 42, to develop or review their Security and Access policy for the first time. Therefore, there may be a lower rate of Rule 42 awareness and compliance in the general population of GP clinics compared to the assessment sample.
  • This assessment (Assessment 1) was the first in a program of 2 My Health Records privacy assessments. Assessment 2, a substantive review of 20 Rule 42 policies collected in Assessment 1, was commenced at the time of writing.

Part 2: Introduction

The My Health Record system is the Australian Government’s digital health record system. Healthcare provider organisations, including GP clinics, can view and add information to a patient’s My Health Record, which is an online summary of their key health information including medical conditions, treatments, allergies, tests and scans.

Rule 42 of the My Health Records Rule 2016 requires healthcare provider organisations registered for the My Health Record system to have, communicate, and enforce a written Security and Access policy that reasonably addresses matters such as:[6]

  • the manner of authorising, deactivating and suspending access to the My Health Record system
  • the training provided to employees before they access the My Health Record system
  • the process for identifying a person who requests access to a healthcare recipient’s My Health Record and communicating their identity to the System Operator when required
  • physical and information security measures that will be established and adhered to by the healthcare provider organisation and people accessing the My Health Record system
  • mechanisms for the prompt identification and mitigation of security risks.

Security and Access policies help ensure that healthcare provider organisations have procedures and policies in place to protect patient privacy and that personal information is properly handled.

A healthcare provider organisation must have a Security and Access policy to be registered to use the My Health Record system.[7] This has been a requirement of the My Health Record system and its predecessor the Personally Controlled Electronic Health Record (PCEHR)[8] since the system became available in 2012.

The OAIC has issued guidance to assist healthcare provider organisations to comply with Rule 42 of the My Health Records Rule 2016. This and other Rule 42 resources that are currently available on the OAIC and ADHA websites are listed in Appendix B.

After fieldwork for this assessment was completed, the OAIC also developed a template, in consultation with the ADHA, to assist healthcare provider organisations to prepare their Security and Access policies.

Part 3: Description of the Assessment

Objective and scope of the assessment

This assessment was the first of 2 privacy assessments[9] in the My Health Record access security policy assessment program. The primary purpose of this assessment was to determine whether participants had a written Security and Access policy in accordance with Rule 42(1) of the My Health Records Rule 2016.

The assessment was conducted under section 33C(1)(a) of the Privacy Act 1988 (Cth) which allows the OAIC to assess whether personal information, including information contained in the My Health Record system, is being maintained and handled by an agency or organisation (APP entity) in accordance with the APPs.

The OAIC considers having a Security and Access policy is a reasonable step for healthcare provider organisations to take in complying with Australian Privacy Principles (APPs) 1.2 (open and transparent management of personal information) and 11 (security of personal information) when handling personal information in the My Health Record system, and the OAIC assessed the compliance of GP clinics to this extent.

Participants in the Assessment

Three hundred GP clinics were selected to participate in this assessment. They were selected by the ADHA based on the following criteria provided by the OAIC:

  • Selected organisations must:
    • be registered in the My Health Record system as a ‘General Practice’
    • be ‘Seed Organisations’[10]
    • not have Network Organisations[11] in their organisation hierarchy
    • not have been targeted for prior quality assurance activities by the ADHA
    • have the highest volume of Shared Health Summary uploads in the My Health Record system in the 2020 calendar year.
  • The sample must include representation of all Australian jurisdictions.

Table 1: Geographic composition of assessment sample

Location

Metropolitan[12]

Regional[13]

Total

Australian Capital Territory

1

0

1

New South Wales

39

33

72

Northern Territory

2

5

7

Queensland

47

36

83

South Australia

16

5

21

Tasmania

2

1

3

Victoria

38

18

56

Western Australia

42

15

57

Total (Australia)

187

113

300

The volume of uploads in the My Health Record system for the participating GP clinics ranged from 856 to 45,413 uploads for the 2020 calendar year. The average number of uploads per GP clinic was 3,524 in the same period.

Each organisation registered to access the My Health Record system must have a Responsible Officer.[14] However, the same person may be the Responsible Officer for multiple GP clinics.

In the 300 GP clinic sample, 21 Responsible Officers accounted for 69 GP clinics (23%). The survey results should be reviewed with this fact in mind as participants that share a single Responsible Officer are likely to have similar practices and provide similar survey responses.

Conduct of the assessment

The OAIC engaged Australian Survey Research under section 24 of the Australian Information Commissioner Act 2010 (Cth). Australian Survey Research worked jointly with OAIC staff to assist in conducting elements of the fieldwork for this assessment.

Participants in this assessment were asked to complete an online survey containing a maximum of 16 questions about their GP clinic, their use of the My Health Records system, and their Security and Access policy. A copy of the survey can be found in Appendix A.

The rate of responses to the survey is shown in Figure 1.

Figure 1: Survey response rate

Fig 1

As part of the survey, participants were asked to upload a copy of their Security and Access policy. These documents were reviewed as part of the assessment to confirm whether they were Security and Access policies within the meaning of Rule 42 of the My Health Records Rule 2016.

A sample of 20 policies provided in the survey were also selected to be assessed under Assessment 2 – a qualitative assessment of the policies against the requirements of Rule 42 of the My Health Records Rule 2016, and APPs 1.2 and 11.[15]

In this assessment, 84% of participants completed a response to the survey. A further 2% of participants commenced the survey but did not complete and submit their response. If a survey response was completed in part only, the responses that were provided have been included in the survey analysis.

Part 4: Summary of findings

Survey Responses

Demographics of the participants

As assessment participants were selected based on their higher volume of Shared Health Summary uploads in the My Health Record system, the sample is significantly composed of practices with more than 2,000 patients:

  • 46% of survey respondents reported having between 2,001 and 8,000 patients.
  • 47.6% of survey respondents reported having over 8,000 patients.

Figure 2: Practice sizes in the assessment sample

figure 2

On average, the OAIC found that GP clinics that responded in the survey had at least 14 staff members (including contractors) and at least 9 devices that accessed the My Health Record system.

Based on their survey responses, in the week prior to the survey, each GP clinic had an average of:

  • 8 staff with access to the My Health Record system
  • 1 staff member who accessed the My Health Record system remotely

Over half of the participating GP clinics stated that no staff accessed the My Health Record system in the week prior to the survey.

All but one GP clinic indicated in the survey that they use third-party clinical software.

Rule 42 Policies

This survey was used by the OAIC to gauge the compliance of participating GP clinics with Rule 42 of the My Health Record Rule 2016.

Rule 42 requires healthcare provider organisations, such as GP clinics, to have, communicate and enforce a written Security and Access policy governing access to the My Health Record system. The OAIC considers Security and Access policies to be a reasonable step for healthcare provider organisations to take in complying with APPs 1.2 and 11 when handling personal information in the My Health Record system.

Compliance with Rule 42 ensures that GP clinics have policies and procedures in place to protect the privacy and sensitive information of their patients. Having a Security and Access policy also raises staff awareness of their legal obligations, and those of the organisation, under the My Health Record Rule 2016 and the My Health Record Act 2012 (Cth).

Almost all (96.5%) of the participants that submitted a survey response indicated having a Security and Access policy. This represents 83% of the total sample of 300 GP clinics. [16]

In the survey, GP clinics were also asked to upload a copy of their Security and Access policy.

  • 68.6% of survey responses included a Security and Access policy.
  • 12.4% of survey responses did not upload a copy of their Security and Access policy, despite indicating that their GP clinic had one.
  • 15.5% respondents did not appear to understand what a Security and Access policy is, providing documents that were not Security and Access policies including:
    • business risk plans
    • user agreements
    • policy and procedure manuals
    • privacy policies written under APP 1.

Over 30% of respondents did not provide a copy of a Security and Access policy when one was requested in the survey. This indicates a pressing need for the sector to improve its compliance.

The 3.5% of survey respondents that reported not having a Security and Access policy provided the following reasons:

  • they were not aware of the requirement to have a Security and Access policy under Rule 42 of the My Health Records Rule 2016 (7 GP clinics)
  • their Security and Access policy had been misplaced (1 GP clinic)
  • their Security and Access policy was in the process of being updated (1 GP clinic).

The OAIC notes that most GP clinics were apparently aware of the requirement to have a Security and Access policy.

However, while Security and Access policies have been a long-standing requirement,[17] over 30% of respondents did not appear to sufficiently understand the information required to be included in a Security and Access policy under Rule 42, and/or were unable to produce a Security and Access policy when requested. This suggests there is a pressing need for the sector to improve its compliance.

Figure 3: Rule 42 policy survey responses by metropolitan/regional area

figure 3

The majority (64%) of participating GP clinics indicated that their Security and Access policy was prepared by their Practice Manager and, in most cases, the Practice Manager prepared the Security and Access policy alone.

Many GP clinics (31%) indicated that clinic Doctors also contributed to preparing their Security and Access policy – often in conjunction with other GP clinic staff or third parties.

Supplying services to other healthcare providers

Where an organisation (such as a GP clinic) supplies services to another healthcare provider under contract,[18] Rule 42 of the My Health Records Rule 2016 requires that the organisation’s Security and Access policy be communicated and enforced in relation to that other healthcare provider. This requirement ensures that all users of the My Health Record system, even where they are not directly employed by a healthcare provider organisation, will be subject to a Security and Access policy.

Questions 11 and 16 of the survey related to the communication of the Security and Access policy in such scenarios.

The majority of GP clinics that reported supplying services to other healthcare providers appeared to understand and undertake their obligations to communicate their policy to those healthcare providers.

Despite the small sample size, most survey responses indicated compliant behaviours. Of the 39 GP clinics that responded in the survey that their practice supplies services to other healthcare providers under contract:

  • 24 respondents provide a copy of their Security and Access policy in that contract
  • 3 respondents sometimes provide a copy of their Security and Access policy in that contract.

During the assessment, the OAIC observed varying degrees of understanding amongst participants of when a GP clinic is taken to supply services under contract to other healthcare providers. This was evident in the survey as well – more than 10% of survey responses to questions relating to this topic were internally inconsistent. For example, some GP clinics that indicated that they do supply services to other healthcare providers, answered a later question with, ‘… don’t supply services to other health providers’.[19]

The My Health Records Rule 2016 outlines certain obligations where an organisation supplies services to other healthcare providers under contract. GP clinics may not be compliant in this regard if they do not sufficiently understand when these obligations apply.

Following the survey

After the survey had closed and the OAIC had reviewed the information provided by GP clinics in response to the survey, the OAIC took additional steps:

  • Where a GP clinic stated in their survey response that they did not have a Security and Access policy in place, the OAIC requested them to develop a policy and provide a copy of it to the OAIC.
  • If a GP clinic indicated in their survey response that they had a policy but did not provide a copy of their Security and Access policy, or supplied a document that was not a Security and Access policy, a further request was made to provide a copy of their Security and Access policy to the OAIC.

Where the OAIC asked GP clinics to provide their Security and Access policies after the survey had closed, the OAIC provided links to resources to assist GP clinics to develop a policy even if they indicated that they had a policy in their survey response. A list of the resources that were provided to the GP clinics has been included in Appendix B. This process was undertaken to assist GP clinics to meet the requirements of Rule 42 of the My Health Records Rule 2016.

At the conclusion of this assessment, 79% of the 300 participating GP clinics had provided a Security and Access policy – up from 59% at the time of the survey.

Figure 4:

GP clinics' Security and Access policy provided in survey responses

Figure 5:

GP clinics' Security & Access policy provided after OAIC follow-up requests

Fig 4  Fig 5
Engagement with the Australian Digital Health Agency

The OAIC is engaging with the ADHA regarding GP clinics that failed to provide a Security and Access policy in this assessment.

The OAIC relied on details of the Responsible Officers of each GP clinic to contact the assessment participants. These details were provided by the ADHA and are maintained by Services Australia which manages the Healthcare Identifiers Service.

Throughout the assessment, it came to the attention of the OAIC that the Responsible Officer information provided for numerous participants, including their identity and contact information, was not up-to-date. This may be a factor as to why some assessment participants failed to commence the survey. Where the OAIC was able to contact the relevant GP clinic, it was advised that the information was no longer current because:

  • the person listed as the Responsible Officer is no longer with the business
  • the person listed as the Responsible Officer no longer holds that title
  • ownership of GP clinic has changed and is no longer affiliated with the listed Responsible Officer.

This illustrates that more could be done by GP clinics to ensure that the details of their Responsible Officer are kept up to date with Services Australia.

Industry bodies, the ADHA and Services Australia, could also work to encourage healthcare provider organisations to keep details of their My Health Record and Healthcare Identifier Service registrations current by providing prompts and reminders on an ongoing basis, and during significant milestones. In particular, the ADHA and Services Australia are obliged to take reasonable steps to ensure that the personal information that they use or disclose is accurate, up-to-date, complete, and relevant in the circumstances under APP 10.2.

The OAIC is engaging with the ADHA to take steps to ensure that their records for all healthcare provider organisations, including the information of Responsible Officers, is current.

Since fieldwork for this assessment was completed, the ADHA and Services Australia have updated the registration screens in Health Professional Online Services (HPOS). Applicants seeking to be registered in the My Health Record system must now directly attest that they have a Security and Access policy under Rule 42 and acknowledge related obligations under Rule 42 and the My Health Records Act 2012 (Cth).

The OAIC published a template after conclusion of fieldwork in this assessment, to assist healthcare provider organisations to prepare their Security and Access policies. This template can be downloaded from the OAIC website on our Security and Access policy guidance page. This template was developed in consultation with several peak bodies and the ADHA. The ADHA have also developed a complementary online learning course to assist healthcare provider organisations to comply with the requirements of Rule 42. This can be accessed on the ADHA Online Learning Portal. Other Rule 42 resources that are currently available on the OAIC and ADHA websites are listed in Appendix B.

Appendix A: Survey Questions

About your practice

You are answering about [organisation name].

  1. What is the street address of [organisation name]?
    • Address 1: 
      Address 2: 
      Suburb:
      State:
      Postcode:
  2. How many staff, including all employees and contractors,[20] currently work at the practice?
    • Less than 3
    • 3 to 6
    • 7 to 10
    • 11 to 15
    • 16 to 20
    • More than 20
  3. How many of these staff are health practitioners (General Practitioner, Allied Health, Specialist, Nurse etc)?
    • Less than 3
    • 3 to 6
    • 7 to 10
    • 11 to 15
    • 16 to 20
    • More than 20
  4. How many of the staff at the practice are administrative or support staff?
    • Less than 3
    • 3 to 6
    • 7 to 10
    • 11 to 15
    • 16 to 20
    • More than 20
  5. Please briefly describe the functions of any contractors who currently work at your practice?[21]
  6. How many patients does the practice currently have?
    • Less than 100
    • 100 to 250
    • 251 to 500
    • 501 to 1000
    • 1001 to 2000
    • 2001 to 4001
    • 4001 to 8000
    • More than 8000

The practice’s use of My Health Record

You are answering about [organisation name].

  1. Last week, how many staff (employees and contractors) in the practice had access to the My Health Record system?[22]
    • None
    • 1 or 2
    • 3 to 6
    • 7 to 10
    • 11 to 15
    • 16 to 20
    • More than 20
    • Don’t know
  2. Last week, how many staff (employees and contractors) in the practice had access to the My Health Record system remotely?
    • None
    • 1 or 2
    • 3 to 6
    • 7 to 10
    • 11 to 15
    • 16 to 20
    • More than 20
    • Don’t know
  3. How many devices does the practice have which are currently used to access My Health Record?[23]
    • Less than 3
    • 3 to 6
    • 7 to 10
    • 11 to 15
    • 16 to 20
    • More than 20
    • Don’t know
  4. What type of third party clinical software, if any, does the practice use?
    • None
    • Best Practice
    • Medical Director
    • Other
  5. Does the practice supply services to other healthcare providers under contract?
    • Yes
    • No

Access Security Policy

You are answering about [organisation name].

  1. Does the practice currently have a written policy governing access to the My Health Record system (access security policy), as required by Rule 42(1) of the My Health Records Rule 2016 (Cth)?*[24]
    • Yes (skip to Policy Details)
    • No (continue to Question 13)

Reason for no policy

  1. Please select the reason/s that best explain why the practice does not have an access security policy. Select all that apply*
    • The practice does not use the My Health Record system anymore.
    • The practice did not know an access security policy is required
    • The practice does not have the time or resources to develop a policy
    • The practice does not have the expertise to develop a policy
    • The practice has lost its access security policy of it has become unavailable
    • Other reason

Policy Details

You are answering about [organisation name].

  1. Please upload a copy of the practice's current access security policy.*
  2. Who, in terms of job title or position, was responsible for writing the practice's access security policy? Select all that apply
    • Doctor
    • Nurse
    • Practice manager
    • Administrative staff
    • Contractor / Consultant
    • Other
  1. If the practice supplies services to other health providers under contract, does your practice supply a copy of its access security policy as part of the contract?
    • Not applicable - don't supply services to other health providers
    • Yes, a copy of the practice's access security policy is supplied to the other party/ies in the contract
    • No, a copy of the practice's access security policy is NOT supplied
    • Sometimes a copy of the policy is supplied, sometimes not
    • Don't know

Appendix B: Resources for preparing a Security and Access policy

When preparing or reviewing a Security and Access policy, healthcare provider organisations should refer to Rule 42 of the My Health Records Rule 2016 to ensure that they understand and meet all of the prescribed requirements.

The OAIC and ADHA have published useful resources on their websites for healthcare provider organisations that wish to learn more about Rule 42 and how to prepare a Security and Access policy. These include:

Some organisations, including the OAIC, provide templates to use when preparing a Security and Access policy. However, these templates must be adapted to the particular circumstances of each organisation.

Healthcare provider organisations that decide to use a template to prepare their Security and Access policy should:

  • update the template to accurately reflect the procedures and unique circumstances of their own organisation
  • still refer to the resources above, including Rule 42 itself, to ensure that their Security and Access policy satisfies the requirements of the My Health Records Rule 2016.

General resources

In addition to our Security and Access Policy Guidance, the OAIC website contains resources to assist health service providers to understand and comply with their various privacy and information handling obligations. These resources can be found on the page Privacy for health service providers.

Footnotes

[1] This policy may be a dedicated document, or part of a broader policy document.

[2] At the time of the assessment, these were referred to as ‘access security policies’.

[3] Rule 42 places certain obligations on healthcare provider organisations that supply services to other healthcare providers under contract. An example of this is where a healthcare provider organisation supplies information technology services to individual GPs who use those services to access the My Health Record system.

[4] The OAIC noted that, if a survey participant did not sufficiently understand when this scenario is taken to occur, their responses to survey questions relating to this topic may also be invalid.

[5] In conducting this assessment, the OAIC relied on contact information of Responsible Officers provided by the Australian Digital Health Agency (ADHA). The OAIC is working with the ADHA in relation to addressing the issue of Responsible Officers information not being current and up to date.

[6] My Health Records Rule 2016 (Cth) r 42(4)

[7] My Health Records Rule 2016 (Cth) r 41

[8] A Security and Access policy was previously required under Rule 25 of the PCEHR Rules 2012.

[9] At the time of writing, Assessment 2 was underway and its report had not yet been published.

[10] According to the ADHA, a Seed Organisation is a legal entity that provides or controls the delivery of healthcare services. For more information, please visit https://www.myhealthrecord.gov.au/for-healthcare-professionals/howtos/roles-and-responsibilities.

[11] According to the ADHA, a Network Organisation is part of a ‘network hierarchy’ and operates under a Seed Organisation. For example, a department in a hospital may be a Network Organisation. For more information, please visit https://www.myhealthrecord.gov.au/for-healthcare-professionals/howtos/roles-and-responsibilities.

[12] Whether a practice has been classified as metropolitan or regional is based on the post code of the relevant GP clinic’s premises which was cross-referenced with the Australian Bureau of Statistics’ statistical area 4 classifications. As postcodes were designed for the sending of mail, the classification is approximate as there is no direct equivalence.

[13] See footnote above

[14] According to the ADHA, a Responsible Officer (RO) is registered with the Healthcare Identifier Service and has authority to act on behalf of the healthcare provider organisation in its dealings with the System Operator of the My Health Record system. For more information, please visit https://www.myhealthrecord.gov.au/for-healthcare-professionals/howtos/roles-and-responsibilities.

[15] At the time of writing, Assessment 2 was underway and its report had not yet been published.

[16] The OAIC notes that the assessment and survey questions may have prompted some participants to prepare a Security and Access policy for the first time. Therefore, these survey results may not be an accurate representation of the general population or the status of the sample of participants at commencement of the assessment.

[17] Before introduction of the My Health Records Rule 2016, a Security and Access policy was required under Rule 25 of the PCEHR Rules 2012.

[18] An example provided in Rule 42(2) of the My Health Records Rule 2016 is where a healthcare provider organisation might supply information technology services to other healthcare providers via which those providers access the My Health Record systems.

[19] The OAIC noted that, if a survey participant did not sufficiently understand the meaning of this phrase in the My Health Records Rule 2016, their survey responses relating to this subject may be invalid.

[20] Contractors could include additional General Practitioners, allied health practitioners, specialists, nurses, pathology services, practice managers, administrators or other individuals who may be under a written contract to the practice but who are not employees.

[21] If there are none, please just answer ‘none’.

[22] Access to the system could be onsite, remotely or a combination of both.

[23] Devices include computers, laptops, tablets, mobile phones, etc.

[24] Asterisks (*) denote compulsory questions.