Policy guidance for Pathology and Diagnostic Imaging providers
Under Rule 42 of the My Health Records Rule 2016, organisations (including pathology and diagnostic imaging organisations) that are registered with My Health Record must develop, communicate and enforce a written security and access policy covering several mandatory topics. The topics that must be covered by the policy include:
- the manner of authorising the organisation’s users of My Health Record and deactivating or suspending user access in prescribed circumstances
- training that will be provided to users before they access My Health Record
- the process for identifying a user who requests access to a healthcare recipient’s My Health Record and communicating the user’s identity to the System Operator
- physical and information security measures that will be established and adhered to by the healthcare provider organisation and people accessing the My Health Record system on behalf of the organisation
- mechanisms for the prompt identification, action, and reporting of My Health Record system-related security risks
- where the healthcare provider organisation provides assisted registration, information about the authorisation of employees, training, confirmation of consent, and the process and criteria for identifying a healthcare recipient for that purpose.
It is recommended that pathology and diagnostic imaging providers refer to the guidance below, in conjunction with the Office of the Australian Information Commissioner (OAIC) My Health Record security and access policy template, when developing a security and access policy for their organisation.
Please note: Organisations must establish a My Health Record security and access policy prior to registering with My Health Record, noting that they will be required to attest at the time of registration that they have a policy in place.
‘Access’ refers to both viewing and uploading information to My Health Record. This means organisations that register with My Health Record for the purpose of uploading documents only (but do not intend to view any information in My Health Record) are also required to have a security and access policy in place prior to registering for My Health Record.
Authorising, suspending and deactivating access
The policy must outline how staff will be authorised to access My Health Record on behalf of the organisation. The information included in this section may vary depending on whether staff members will be both viewing and uploading information to My Health Record, or uploading only:
- Uploading Only:
  - If staff members will only be uploading information to My Health Record and will not be viewing My Health Record information, this should be clearly stated in the policy. The policy should also outline how users will be authorised to upload documents to My Health Record.
  - Where documents are uploaded to My Health Record as part of a bulk upload process, this should be specified in the policy. If all bulk uploads are to take place through a single authorised user, this should be outlined in the policy, in addition to the process for authorising this user.
- Viewing and Uploading:
  - If the conformant software enables both viewing and uploading of information in My Health Record, the policy must outline how the organisation will authorise staff to view and upload information, as well as the individual(s) responsible for granting and managing this (such as the Responsible Officer (RO) or Organisation Maintenance Officer (OMO)).
Suspending or Deactivating Access
The policy must specify how access to My Health Record will be suspended or deactivated in specific situations. This includes identifying the person responsible for these actions (e.g., RO or OMO) and setting out the process for immediate action where:
- A user leaves the organisation
- A user changes roles and no longer requires access
- A user’s account has been compromised.
Training
An organisation’s policy must state that all users of My Health Record will undergo training before accessing the system for the first time. At a minimum, the policy must state that training will cover how to use the system accurately and responsibly, the legal obligations on individuals and organisations that access My Health Record, and the consequences of breaching those obligations.
As a matter of best practice, the policy should also list the specific training that will be undertaken by users, as well as training frequency (including frequency of refresher training). The Agency has eLearning modules available to assist in providing My Health Record training to staff (see below).
The Agency provides general and specific training resources to support compliance with My Health Record training requirements, including:
- My Health Record Security, Privacy and Access eLearning module
- Introduction to My Health Record for healthcare providers eLearning module
- My Health Record FAQs for Pathology sector eLearning module
- Using My Health Record in Diagnostic Imaging eLearning module
- My Health Record for Healthcare Providers Conformant software summary sheets
Identification of users
The policy must outline how users are identified each time they access or upload to My Health Record. The policy should state that each user will have a unique account and login credentials, which will be captured by the conformant clinical software whenever a record is accessed or a document is uploaded. For bulk uploads, the policy should state that the software will capture the user ID of the authorised person performing the upload.
The policy should also specify that the identity of authorised users is automatically communicated to the System Operator by the organisation’s conformant clinical software each time a record is accessed or a document uploaded. Further, the policy should identify the RO or OMO as the individual responsible for providing this information, or any additional details, when requested by the System Operator.
Physical and information security measures
All pathology and diagnostic imaging organisations must include physical and IT security measures in their policies, even if only uploading to My Health Record. The measures should be tailored to the organisation’s size, location, and type of work. A non-exhaustive list of the types of security measures that might be implemented at your organisation, and which should be listed in your policy where appropriate, is set out in the OAIC's security and access policy template.
Mitigation strategies
The policy must describe mitigation measures for ensuring My Health Record security risks are promptly identified, acted upon, and reported to the organisation’s management. Again, this applies to organisations that are only uploading to the My Health Record system as well as organisations whose staff are authorised to view information in My Health Record. These mitigation measures should be adapted based on the number of staff who can access and view My Health Record, as well as the locations from which reports are being viewed and/or uploaded. The OAIC’s My Health Record System Security and Access Policy template provides some useful examples of mitigation strategies that may apply to your organisation, and which could be listed in your policy where appropriate.
Assisted registration
If a pathology and diagnostic imaging organisation provides Assisted Registration to healthcare recipients, its security and access policy must describe how users who will carry out assisted registration are authorised, the training provided to those users, the process for confirming healthcare recipient consent, and the process and criteria for identifying a healthcare recipient for the purpose of assisted registration.
If the pathology and diagnostic imaging organisation does not provide Assisted Registration, it is recommended that they include a sentence to this effect in their policy.
Other considerations
If, in the pathology and diagnostic imaging organisation’s reasonable opinion, one of the above topics does not apply due to the limited size of the organisation, the organisation’s security and access policy does not need to address that requirement. However, the policy should include information as to why the element was not covered in the organisation’s policy.
Finally, each iteration of the organisation’s security and access policy should have a unique version number and should detail where each reviewed version is stored, ensuring it is accessible to employees. The policy must also be reviewed at least annually, as well as when any new or changed risks are identified.
Additional resources
Further resources supporting pathology and diagnostic imaging organisations in developing their My Health Record security and access policy include:
- Office of the Australian Information Commissioner (OAIC) Rule 42 guidance and policy template
- Australian Digital Health Agency My Health Record security and access policy checklist (PDF, 458.19 KB)
- Australian Digital Health Agency ‘Developing a My Health Record security and access policy for your organisation’ eLearning module
- Australian Digital Health Agency ‘Implementing a My Health Record policy in your organisation’ webinar.
The above guidance is intended as general in nature only and should not be considered legal advice. Pathology and Diagnostic Imaging organisations are responsible for ensuring that their security and access policy covers all of the matters required by Rule 42 of the My Health Records Rule 2016 and has been appropriately tailored to their individual circumstances.