Nicholl Holdings Pty Ltd
My Health Record
Access Security Policy
Current as of: 6 September
Version no: 0101060921
- Introduction
- Compliance with the Act
- Responsible Officer (RO) and Organisation Maintenance Officer (OMO)
- How My Health Record is accessed in our service
- Registration for an Individual’s access to My Health Record
- My Health Record User Training
- Assisted Registration
- Requests to Access a Patient’s My Health Record
- Physical and Information Security Measures
- Living Document
This policy provides guidance for staff and independent health care providers about access to and use of My Health Record within the service. It also provides guidance on the use of information technology in our service as it relates to My Health Record.
This service’s My Health Record policy is:
- drafted so that our service can be audited against the policy to determine whether our service is compliant with the policy and the My Health Records Act 2012 and its subsequent amendments;
- kept up to date and reviewed at least annually and as soon as significant alterations to policy, outcomes or risks are identified;
- version-controlled so that each iteration contains a unique version number and the date the policy came into effect;
- inclusive of definitions of the roles of the responsible officer and organisation maintenance officer.
This policy is designed to ensure that our organisation remains compliant with the My Health Records Act 2012 (the Act) and its subsequent amendments.
This organisation subscribes to updates of the My Health Records Act 2012 and other relevant acts.
This policy will be updated:
- as soon as legislative requirements that require this policy to be updated come into effect;
- as soon as it is known that this policy is non-compliant with the Act.
This policy does not supersede the requirements or effect of the Act. If this policy is found to be non-compliant, the requirements and effect of the Act and its subsequent amendments supersede the policy and are binding on all.
The following individuals, in their nominated roles, are responsible for the implementation of, and compliance monitoring of, the My Health Record policy in our service:
- Our Responsible Officer (RO), Wendy Milgate, Relationship Manager and Senior Compliance Officer, Nicholl Holdings Pty Ltd, oversees our service’s legal compliance and sets up procedures to facilitate compliance with the My Health Record legislation;
- Our OMO, Cheree Wadsworth, Practice Manager and CFO, is responsible for implementation and compliance monitoring of the My Health Record policy, and for maintenance of the policy within our service.
- Individuals within our service can access our Best Practice medical software using their individualised username and password.
- An individual’s access to our Best Practice medical software and My Health Record will be suspended or deactivated if they leave the organisation, when their security has been compromised, their conduct is under review or when their duties no longer require them to access My Health Record.
- Our service accesses My Health Record via our Best Practice medical software system. We maintain an accurate and up-to-date list of healthcare providers who are authorised to access the My Health Record system via our Best Practice medical software in accordance with the regulations.
Registration for an individual’s access to the My Health Record:
- is governed by the My Health Records Act 2012 and its subsequent amendments, our My Health Record RO and OMO, HR, Compliance Officers, AGPAL and ISO 9001:2015 accreditation standards, RACGP guidelines and other relevant state, federal and My Health Record requirements of the time;
- may involve individual agreements;
- may be conducted upon entry to the organisation, at a practice or administrative level, and may be reviewed or suspended where security is compromised, where individual service providers have left the organisation, or to meet My Health Record participation obligations, as varied from time to time;
- involves entering critically important healthcare identifiers into our Best Practice medical software, which can subsequently be used to identify the individuals who accessed the My Health Record system at any given point in time;
- involves differing permissions, or layers of security. Only nominated individuals, namely the RO, the OMO and individuals nominated by the RO or OMO, can enter or modify the way our Best Practice medical software is configured to access My Health Record, the underlying certificates, how our service accesses the My Health Record system, or specific healthcare identifiers;
- is specific to the role of the healthcare service provider within the organisation, e.g. registered nurse, medical practitioner or registered allied healthcare service provider;
- will be fully documented at an administrative and/or practice level, which includes entering specific healthcare service provider details into our Best Practice medical software.
- Specific training is provided so that our registered healthcare service providers know how to access My Health Record securely and understand the responsibilities attached to accessing it. Training covers the underlying principles and the specific occasions on which it is, or is not, appropriate to access My Health Record.
- Healthcare service providers are made aware that the only reason to access My Health Record is to assist in the management of the patient, and only if:
- there could be a logical benefit to the management of the patient involved, and
- the patient and/or their carer(s) have given us their informed consent to access or contribute to their electronic health record (unless there is a dire or life-threatening emergency at the time).
- My Health Record must not be used to access private information without the informed consent of the patient or their carer(s), unless there is a serious risk of a deleterious outcome to the patient at the time.
To be specific, My Health Record must not be accessed to obtain background information on the patients we care for without the informed consent of the patient or their carer(s).
The Responsible Officer (RO), Wendy Milgate, maintains the currency of our Healthcare Provider Identifier – Organisation (HPI-O) and of our information in the Healthcare Provider Directory (HPD) according to the requirements of the Healthcare Identifiers Act 2010.
In our service, we collect and record the Healthcare Provider Identifier – Individual (HPI-I) of each of our individual healthcare providers upon their entry to, or becoming part of, the organisation by completing, checking, recording and collating the necessary documentation. All of the underlying documentation is stored on our secure Data Management Systems, which are subject to our secure data management policies.
In particular, the Responsible Officer will ensure that the organisation maintains an accurate and up-to-date list of authorised staff or healthcare providers – individuals who are authorised to access the My Health Record via or on behalf of the organisation using the provider portal.
The Responsible Officer will maintain a list of healthcare providers who have been authorised to access My Health Record in the past.
Our Best Practice medical software maintains an accurate and up-to-date log of authorised health care providers who have accessed My Health Record. A copy of the log can be obtained from our Best Practice medical record-keeping system at a medical practice level, or securely from a distance, without the assistance of external IT service providers.
The Responsible Officer will also maintain a list of authorised non-healthcare service providers who are authorised to access My Health Record on behalf of the organisation. This list will be reviewed at the beginning of each quarter and formally updated yearly, to remove formerly-authorised users who no longer require access to My Health Record.
Information on how to access My Health Record will be part of our induction procedures where it is required (for registered healthcare service providers). Information regarding My Health Record in general will be part of our induction procedures for administrative staff. Removing the access of individuals who could formerly access My Health Record from within, or on behalf of, our organisation is included in our organisation’s termination policies.
Each of our practices runs its own Best Practice medical software server, and user names and logons are not shared between servers. Accordingly, although our organisation maintains many of our My Health Record policies at an organisational level, many of our My Health Record policies and records are also implemented or maintained at a medical practice level.
Access to My Health Record is audited by the Responsible Officer, the Organisation Maintenance Officer, authorised delegates and practice managers. The Responsible Officer will maintain an accurate and up-to-date list of the individuals who may access and audit our organisation’s My Health Record activities; this list may be complemented by a list of individuals who have been able to access and audit our organisation’s My Health Record activities in the past.
The Responsible Officer will monitor log files, maintain copies of our organisation’s past My Health Record activities and produce a contemporary log of our organisation’s My Health Record activities upon valid request.
Our practice allows registered healthcare service providers to access My Health Record via the organisation’s own National Authentication Service for Health (NASH) certificates under the practice’s registration for access to the My Health Record. Therefore, our registered healthcare professionals:
- must enter into an agreement to abide by the terms of the My Health Records Act 2012, its subsequent amendments and our My Health Record policy prior to commencing their engagement with us;
- must have their Healthcare Provider Identifier – Individual (HPI-I) correctly entered into our Best Practice medical software prior to commencing their engagement with us;
- must abide by the terms of the My Health Records Act 2012, its subsequent amendments and our My Health Record policy for the duration of their engagement with us;
- will have their access to My Health Record amended or suspended if their security has been compromised, their conduct is under review, they have accessed My Health Record inappropriately, they no longer require access, or they are no longer entitled to access My Health Record via our Best Practice medical software system;
- will have any known breach of their access to, or of the manner in which they access, My Health Record notified to the My Health Record System Operator;
- will have their capability to access My Health Record deactivated (removed) upon leaving the organisation, by deactivating their ability to access our Best Practice medical software system.
When an individual who is authorised to access the My Health Record in our practice leaves our service, we deactivate their local account by:
- removing the individual’s capability to log onto our Best Practice medical software system as an authorised user, and/or
- removing the individual’s capacity to log onto My Health Record as an authorised representative of the service, by removing the link between the individual and our organisation’s entry in the Healthcare Provider Directory via the Healthcare Identifiers (HI) Service in Health Professional Online Services (HPOS).
We will review our register of authorised users against active logins at least quarterly, and formally update it at least yearly and as required.
If the security of one of the individuals authorised to use the My Health Record has been compromised, their account will be deactivated and, as soon as the organisation becomes aware of the security breach, we will:
- amend or remove the individual’s capability to log onto our Best Practice medical software system as an authorised user;
- amend or remove the individual’s capacity to log onto My Health Record as an authorised representative of the service;
- deactivate the individual’s local accounts;
- revise our register of authorised users to reflect active logins;
- keep a record of the details surrounding the event;
- determine who the account belongs to and why the security breach occurred;
- notify the My Health Record System Operator of the breach.
In our practice, we ensure that authorised individuals who access My Health Record receive comprehensive training on the subject that is current and provided by a credible source. This training includes how to use the system accurately and responsibly, the legal obligations of healthcare provider organisations and of individuals using the system, and the consequences of breaching those obligations.
Our organisation’s My Health Record training will be:
- coordinated, documented and audited by our Responsible Officer and Organisation Maintenance Officer and/or their nominated delegates;
- completed in person, by accessing trusted online resources, or by using the resources of the NQPHN;
- documented by the organisation and by the individual who has completed the training;
- regularly audited and reviewed to keep up with best-practice care and the mandated requirements of the time.
We will ensure that all of the individuals working for or with the organisation have ready access to all the information they need to access My Health Record responsibly, which includes access to the Responsible Officer (RO), the Organisation Maintenance Officer (OMO) and other nominated office bearers, including practice managers, who are expected to have a detailed working knowledge of My Health Record and of how we responsibly access the system.
Our practice does not register patients for My Health Record. However:
- our practice shares the view that patients are entitled to medical information that is important to them;
- similarly, the practice shares the view that it is our role to contribute to the greater good by making medical information known to patients and other healthcare professionals, as determined by patients and the My Health Record requirements of the time;
- our practice offers options to our patients so that they may request, and consent to, our uploading of consultation notes, results, referrals and other documents;
- patients or their carers who would like information uploaded to My Health Record are welcome to discuss their requirements with us at any time.
Our practice also offers to:
- explain the My Health Record system to our patients in general;
- outline the specific choices available to patients;
- offer options to patients who may want consultation records, results, referrals or other documents uploaded to their digital health record;
- outline our practice’s policy on My Health Record, or provide a copy of this policy as required.
Our practice has established processes for identifying a person who requests access to a patient’s My Health Record.
The Responsible Officer will maintain a log of authorised users.
Authorised users will be bound by the terms of this policy.
Details of those accessing My Health Record via our Best Practice medical practice software or via the Healthcare Identifiers (HI) Service in Health Professional Online Services (HPOS) will be maintained on our Secure Data Management Systems.
Information regarding the manner our organisation accesses My Health Record will be securely stored, regularly audited and available to the Systems Operator upon valid request.
Our organisation operates secure data management systems that:
- are intended to protect the privacy of our patients, staff, healthcare service providers and organisation alike;
- are Australian Data Management Services compliant;
- use innovative and established communication and network security protocols;
- restrict access so that only persons who require access to My Health Record as part of their duties can access the system;
- assign a unique Healthcare Provider Identifier to each individual using the healthcare provider organisation’s information technology systems, protected by a username and password;
- use passwords and/or other authentication systems so that the security and privacy risks associated with unauthorised access to the My Health Record system are adequately controlled;
- require passwords to be regularly reviewed and sufficiently complex to protect the legitimacy, security and privacy of the data we access and store;
- implement screensaver settings on computers so that users are required to re-enter their credentials before accessing a computer that has been inactive for between 5 and 15 minutes;
- ensure that individuals no longer authorised to access the My Health Record via, or on behalf of, the healthcare provider organisation are not able to do so via their user accounts;
- suspend a user account that enables access to the My Health Record as soon as the organisation becomes aware that the account has been compromised.
Information outlining our policies on who may access My Health Record, on staff training, and on individual and organisational access to My Health Record will be stored and regularly audited on our Secure Data Management Systems, which are covered by our Secure Data Management Policies.
Our My Health Record Policy is a living document and will be updated regularly, and as required.
Upon updating, our new My Health Record policy will be given a unique identifying number, appropriately distributed, and given an effective start date.
The Responsible Officer will keep a record of the individuals who have been supplied with a copy of our My Health Record Access Security Policy, and the date on which the policy was supplied.
Suggestions for how our My Health Record Access Security Policy can be improved can be emailed to our Responsible Officer, Wendy Milgate, at firstname.lastname@example.org
The Responsible Officer for our My Health Record policy is Wendy Milgate who can be contacted via email@example.com