Policy guidance for Pathology and Diagnostic Imaging providers

Under Rule 21 of the My Health Records Rules 2026, organisations (including pathology and diagnostic imaging organisations) seeking to register with My Health Record must develop, communicate and enforce a written security and access policy covering several mandatory topics. The topics that must be covered by the policy include:

In addition to the guidance on this page, it is recommended that pathology and diagnostic imaging providers refer to the guidance provided on the My Health Record participation obligations webpage, when developing a security and access policy for their organisation.

This guidance is intended as general in nature only and should not be considered legal advice. Organisations are responsible for appropriately tailoring the policy to their individual circumstances.

Please note: Organisations must establish a My Health Record security and access policy prior to registering with My Health Record, noting that they will be required to attest at the time of registration that they have a policy in place.

‘Access’ refers to both viewing and uploading information to My Health Record. This means organisations that register with My Health Record for the purpose of uploading documents only (but do not intend to view any information in My Health Record) are also required to have a security and access policy in place prior to registering for My Health Record.

Authorising, suspending and deactivating access

Authorising access

The policy must outline how staff will be authorised to access My Health Record, or use information in the My Health Record system, on behalf of the organisation, including how user accounts will be created or modified. The information included in this section may vary depending on whether staff members will be both viewing and uploading information to My Health Record, or uploading only:

  1. Uploading only:
  • If staff members will only be uploading information to My Health Record and will not be viewing My Health Record information, this should be clearly stated in the policy. The policy should also outline how users will be authorised to upload documents to My Health Record.
  • Where documents are uploaded to My Health Record as part of a bulk upload process, this should be specified in the policy. If all bulk uploads are to take place through a single authorised user, this should be outlined in the policy, in addition to the process for authorising this user.
  2. Viewing and uploading:
  • If the conformant software enables both viewing and uploading of information in My Health Record, the policy must outline how the organisation will authorise staff to view and upload information, as well as the individual(s) responsible for granting and managing this (such as the Responsible Officer (RO) or Organisation Maintenance Officer (OMO)).

Suspending or deactivating access

The policy must specify how access to My Health Record will be suspended or deactivated in specific situations. This includes identifying the person responsible for these actions (e.g. RO or OMO) and setting out the process for immediate action where:

  • A user leaves the organisation
  • A user’s security has been compromised
  • A user has changed duties and no longer requires access to the system
  • A user is an individual healthcare provider that ceases to be linked to the organisation

Training

An organisation’s policy must state that all users of My Health Record will undergo training before accessing the system for the first time, annually, and when there are significant changes to the My Health Record system or its governing legislation. At a minimum, the policy must state that training will cover how to use the system accurately and responsibly, the legal obligations on individuals and organisations that access My Health Record, and the consequences of breaching those legal obligations.

The Agency provides general and specific training resources to support compliance with My Health Record training requirements, including:

Identification of users

The policy must outline how users are identified each time they access or upload to My Health Record. The policy should state that each user will have a unique account and login credentials, which will be captured by the conformant clinical software whenever a record is accessed or a document is uploaded. For bulk uploads, the policy should state that the software will capture the user ID of the authorised person performing the upload.

The policy should also specify that the identity of authorised users is automatically communicated to the System Operator by the organisation’s conformant clinical software each time a record is accessed or a document uploaded. Further, the policy should identify the RO or OMO as the individual responsible for providing this information, or any additional details, when requested by the System Operator.

Ensuring compliance with My Health Record data breach obligations

The policy must outline the process for complying with section 75 of the My Health Records Act 2012, including identifying whether an actual or potential My Health Record data breach has occurred and how it will be managed within the organisation.

Under the My Health Records Act 2012, a data breach occurs where:

  • unauthorised collection, use or disclosure of health information in an individual’s My Health Record has or may have occurred; or
  • an event has or may have occurred, or circumstances have or may have arisen, that compromise, have compromised or may have compromised the security or integrity of the My Health Record system.

The policy must also outline how the organisation will meet its obligations under section 75 of the My Health Records Act 2012 to notify the Australian Digital Health Agency (the System Operator) and, where relevant, the Office of the Australian Information Commissioner (OAIC) of the breach, contain the breach and mitigate future breaches. Refer to data breach notification obligations for more information.

Physical security, information security, cybersecurity, technical and organisational measures, including user account management processes

All pathology and diagnostic imaging organisations must include physical security, information security, cybersecurity, and technical and organisational measures in their policies, even if only uploading to My Health Record. The measures apply to all organisations, regardless of their size, scale, or technical capability, to ensure compliance with baseline security requirements.

It is recommended that pathology and diagnostic imaging providers refer to the guidance provided on the My Health Record participation obligations webpage.

Strategies for identifying, responding to, and reporting system-related security risks

The policy must describe strategies for ensuring My Health Record security risks are promptly identified, acted upon, and reported to the organisation’s management. This applies to organisations that are only uploading to the My Health Record system as well as organisations whose staff are authorised to view information in My Health Record. These strategies should be adapted to the number of staff who can access and view My Health Record and to the locations from which reports are viewed and/or uploaded, and should be proportionate to the organisation’s size and risks.

It is recommended that pathology and diagnostic imaging providers refer to the guidance provided on the My Health Record participation obligations webpage.

Record-keeping

Each iteration of the organisation’s security and access policy should have a unique version number and should detail where each reviewed version is stored, ensuring it is accessible to all employees. The policy must also be reviewed at least annually, as well as when any new or changed risks are identified, and when requested by the System Operator.

Once registered with the My Health Record system, organisations must keep records relating to how they implement various elements of their security and access policy.

To comply with Rule 45 of the My Health Records Rules 2026, an organisation must keep a record of:

  • how the organisation authorises access to the My Health Record system, including records of the user accounts created, changed, suspended or deactivated – records must be retained for five years
  • training that has been provided to employees before they access the My Health Record system, annually and following significant changes to the legislation or system – records must be retained for five years
  • how the organisation ensures a person who requests access to a healthcare recipient’s My Health Record can be identified and the person’s identity communicated to the System Operator (for example, this may include audit logs) – records must be retained for two years
  • how the organisation ensures that it is able to identify, manage and respond to My Health Record data breaches and that these processes comply with obligations under section 75 of the My Health Records Act 2012 (for example, evidence of documented processes and any action planned or taken) – records must be retained for two years
  • how the organisation has implemented physical security, information security, cybersecurity, and technical and organisational measures at the organisation (for example, documented application of the user account management practices, system maintenance activities, data protection, encryption and back-up procedures that have been employed and when) – records must be retained for two years.