Policy guidance for Pathology and Diagnostic Imaging providers

The policy must outline how staff will be authorised to access My Health Record on behalf of the organisation. The information included in this section may vary depending on whether staff members will be both viewing and uploading information to My Health Record, or uploading only:

1. Uploading Only:

• If staff members will only be uploading information to My Health Record and will not be viewing My Health Record information, this should be clearly stated in the policy. The policy should also outline how users will be authorised to upload documents to My Health Record.
• Where documents are uploaded to My Health Record as part of a bulk upload process, this should be specified in the policy. If all bulk uploads are to take place through a single authorised user, this should be outlined in the policy, in addition to the process for authorising this user.

2. Viewing and Uploading:

• If the conformant software enables both viewing and uploading of information in My Health Record, the policy must outline how the organisation will authorise staff to view and upload information, as well as the individual(s) responsible for granting and managing this (such as the Responsible Officer (RO) or Organisation Maintenance Officer (OMO)).

Suspending or Deactivating Access

The policy must specify how access to My Health Record will be suspended or deactivated in specific situations. This includes identifying the person responsible for these actions (e.g., RO or OMO) and setting out the process for immediate action where:

• A user leaves the organisation
• A user changes roles and no longer requires access
• A user’s account has been compromised.

An organisation’s policy must state that all users of My Health Record will undergo training before accessing the system for the first time. At a minimum, the policy must state that training will cover how to use the system accurately and responsibly, the legal obligations on individuals and organisations that access My Health Record, and the consequences of breaching those obligations.

As a matter of best practice, the policy should also list the specific training that will be undertaken by users, as well as training frequency (including frequency of refresher training). The Agency has eLearning modules available to assist in providing My Health Record training to staff (see below).

The Agency provides general and specific training resources to support compliance with My Health Record training requirements, including:

• My Health Record Security, Privacy and Access eLearning module
• Introduction to My Health Record for healthcare providers eLearning module
• My Health Record FAQs for Pathology sector eLearning module
• Using My Health Record in Diagnostic Imaging eLearning module

The policy must outline how users are identified each time they access or upload to My Health Record. The policy should state that each user will have a unique account and login credentials, which will be captured by the conformant clinical software whenever a record is accessed or a document is uploaded. For bulk uploads, the policy should state that the software will capture the user ID of the authorised person performing the upload.

The policy should also specify that the identity of authorised users is automatically communicated to the System Operator by the organisation’s conformant clinical software each time a record is accessed or a document uploaded. Further, the policy should identify the RO or OMO as the individual responsible for providing this information, or any additional details, when requested by the System Operator.

All pathology and diagnostic imaging organisations must include physical and IT security measures in their policies, even if only uploading to My Health Record. The measures should be tailored to the organisation’s size, location, and type of work. A non-exhaustive list of the types of security measures that might be implemented at your organisation, and which should be listed in your policy where appropriate, is set out in the OAIC's security and access policy template.

The policy must describe mitigation measures for ensuring My Health Record security risks are promptly identified, acted upon, and reported to the organisation’s management. Again, this applies to organisations that are only uploading to the My Health Record system as well as organisations whose staff are authorised to view information in My Health Record. These mitigation measures should be adapted based on the number of staff who can access and view My Health Record, as well as the locations from which reports are being viewed and/or uploaded. The OAIC’s My Health Record System Security and Access Policy template provides some useful examples of mitigation strategies that may apply to your organisation, and which could be listed in your policy where appropriate.

If a pathology and diagnostic imaging organisation provides Assisted Registration to healthcare recipients, their security and access policy must include information in relation to the manner for authorising users who will be carrying out assisted registration, training provided to those users, the process for confirming healthcare recipient consent, and the process and criteria for identifying a healthcare recipient for the purpose of assisted registration.

If the pathology and diagnostic imaging organisation does not provide Assisted Registration, it is recommended that they include a sentence to this effect in their policy.