
What is a My Health Record security and access policy and why do I need one?

Published 4 April 2024

Discover the role of a My Health Record security and access policy in safeguarding patient information, and why it's a must-have for healthcare organisations. Gain practical insights from industry professionals and a GP who has successfully implemented the policy, ensuring compliance with legislation and meeting the needs of their practice.

Speakers

  • Dr Kathy Rainbird – Manager, Education, (Agency) (Facilitator)
  • Professor Charlotte Hespe AM – Digital Health Advisor for the Australian Digital Health Agency and Head of General Practice and Primary Care Research, Sydney School of Medicine
  • Jenny Snegovaya – Acting Assistant Director, Compliance Outreach (Agency)
  • Emily McPhee – Assistant Director, Health and Government team, Office of the Australian Information Commissioner


Transcript - What is a My Health Record security and access policy and why do I need one?

Automated introduction

Welcome to the Australian Digital Health Agency podcast, supporting health professionals to realise a healthier future for Australians through connected healthcare.

Kathy Rainbird – Manager Education, Australian Digital Health Agency

Hello and welcome to this podcast, hosted by the Australian Digital Health Agency, on the topic of what is a My Health Record security and access policy and why do I need one? My name is Kathy Rainbird and I'm one of the managers in the education team here at the Australian Digital Health Agency. Before we begin, I would like to acknowledge the traditional owners of the lands we are broadcasting from and on which you are listening. I wish to acknowledge their continuing connection to land, sea and community, and I pay my respects to them and to elders past, present and emerging, and extend that respect to any Aboriginal and Torres Strait Islander peoples joining us today. Today, I am really pleased to advise that we are joined by Professor Charlotte Hespe AM, Digital Health Advisor for the Australian Digital Health Agency and Head of General Practice and Primary Care Research for the Sydney School of Medicine. She's an active GP clinician and practice owner of a medium-sized practice in inner city Sydney. Professor Hespe also very recently was made a Member of the Order of Australia in the general division for her significant service to general medicine as a practitioner, academic and mentor. Welcome Charlotte. We also have joining us today Jenny Snegovaya, who is an Acting Assistant Director with the Compliance Outreach section at the Australian Digital Health Agency. And also joining us is Emily McPhee, Assistant Director of the Health and Government team in the Office of the Australian Information Commissioner. Welcome all of you. We all know that health care providers in Australia have professional and legal obligations to protect their patients' sensitive information.

So, to kick off this discussion. Emily, how can having policies and procedures help healthcare organisations to do this? And what are some of the key policies or procedures that healthcare organisations should have in place?

Emily McPhee - Assistant Director, Health and Government team, Office of the Australian Information Commissioner

As you have pointed out, Kathy, all healthcare providers in Australia have professional and legal obligations to protect their patients' health information. Establishing and maintaining information security practices, including implementing key policies and procedures, is an essential professional and legal requirement in the delivery of health care services. Aside from the security and access policy, which we will discuss in detail today, there are other relevant policies and documents that can be referenced in your security and access policy. These policies and documents include a privacy policy, privacy management plan, data breach response plan and training register. Chapter one of the Office of the Australian Information Commissioner's (OAIC) Guide to Health Privacy outlines eight key steps to embedding privacy into your health practice and is a useful resource for all health providers. This can be found on the OAIC website.

Kathy Rainbird - Manager Education, Australian Digital Health Agency

Thanks Emily, so Charlotte if I can turn to you as a practice owner, how important are these policies for your practice and how do they help you?

Professor Charlotte Hespe AM - Digital Health Advisor, Australian Digital Health Agency and Head of General Practice and Primary Care Research, Sydney School of Medicine

Great question. Can I start by saying one of the really important things working as a GP these days is that we do work as a team, and so when you're working as a team, it's really important that everybody on the team knows what the rules are, knows what the boundaries are and is able to then, you know, go to those documents in order to be able to know how to do things within each practice's structure. So, the importance of this, particularly in the digital health space, is around the ability as a practice, so for my practice manager to know that we will all be actually compliant with industry standards, regulations, etc. So that actually means that we're protected legally. We can then make sure that we provide consistency both for all the practitioners in the practice, but most importantly for our patients, so that we are providing a consistent and absolutely correct way of actually interacting. Obviously, this then means that we can manage any risk that might sort of be potentially there for sensitive patient information. For me, it's about making sure cyber security and patients' sensitive information is absolutely protected from any data breach. Again, as an employer, making sure that our employees understand what that means. I mean, GPs are so busy with actually looking after their patients, it's really important that behind the scenes we then provide them with that guidance for the things that keep coming at them, to be able to make sure that they're in line with what needs to be done. And that in and of itself then promotes a really positive work environment because everybody feels safe, they know that they've got documents there to refer to, they know that they've got an education with the practice around how to actually implement it, and they're able to rest assured that they're compliant with all the legal obligations. And finally, so I did say it's actually about patients. So, this is about making sure as a practice we are protecting our patients at all times in terms of anything to do with our care and confidentiality and safety.

Kathy Rainbird - Manager Education, Australian Digital Health Agency

Thanks Charlotte, and that's a really good point, I think, around not only protecting patients and their safety, but also protecting the team and making it safe for all of the team members. Jenny, given that health care organisations or practices should already have that broader set of privacy and confidentiality policies in place, why do they also need a My Health Record security and access policy?

Jenny Snegovaya – Acting Assistant Director, Compliance Outreach, Australian Digital Health Agency

You're right, Kathy. There's likely to be a number of other policies in place for an organisation, but this policy specifically relates to how an organisation uses My Health Record, and it will help ensure that they can meet their legislative obligations, because in order to register and to maintain registration with My Health Record, health organisations must have this in place. To answer your question, Kathy, as to why organisations need one, really, I think, I agree it's a tool that can help organisations to start thinking about some things. For example, determining what security measures they can implement, plans and processes for potentially escalating risks or managing incidents, and clarifying roles and responsibilities for staff in an organisation. So, all of those things can ultimately protect and safeguard My Health Record and consumers' health information. And I'll add at the end as well here that it doesn't just apply to practice owners or those who are involved in actually developing these policies. All staff, whether it be clinicians or administrative staff in a workplace, should be familiar with this policy and how it applies to the specific organisation that they work in, and they should keep in mind that some of these processes may differ between organisations. So, we do encourage that the policy should be tailored to the specific needs of an organisation, and staff need to be familiar with this policy in each organisation that they work in.

Kathy Rainbird - Manager Education, Australian Digital Health Agency

Thanks, Jenny, and I guess the thing is, it's not only to protect the information held within My Health Record, but, as Charlotte mentioned, to protect the team and the staff as well as the patient. So just picking up on one of the points you made, Jenny, about the My Health Record policy being part of a legislative requirement. Emily, could you briefly expand on that for our listeners today?

Emily McPhee - Assistant Director, Health and Government team, Office of the Australian Information Commissioner

Sure, Kathy. Registered organisations must comply with the security and access policy requirements under Rule 42 of the My Health Records Rule 2016 to be eligible for registration with the My Health Record system. This means that organisations need to have a My Health Record policy in place prior to registering to use the system. This requirement applies regardless of the size of the organisation or how often the organisation uses the My Health Record system. The policy is not only a requirement under My Health Records legislation, but a reasonable step under the Australian Privacy Principles, especially APP 11, which relates to security. As Jenny mentioned, security and access policies are effective tools in practice. Organisations that don't have sufficient policies or don't implement them effectively may be at greater risk of experiencing a data breach and compromising the sensitive information they hold. Our Notifiable Data Breaches reports show that health service providers consistently report more data breaches than any other sector. It is especially important that security and access policies are implemented to mitigate and address this risk. The OAIC is the privacy regulator for the My Health Record system and may consider regulatory action if it finds that an organisation does not have a compliant My Health Record security and access policy.

Kathy Rainbird – Manager Education, Australian Digital Health Agency

Thanks Emily. So I guess it might sound a bit daunting for some practice owners or practice managers who need to put together a policy. Can you generally outline some of the resources that are available to help health care organisations to develop their security and access policy for My Health Record? Emily, I'll turn to you first.

Emily McPhee - Assistant Director, Health and Government team, Office of the Australian Information Commissioner

Sure, the OAIC has security and access policy guidance and a template on our website. The template covers the legislative background of Rule 42, a link to the Agency's glossary, a how-to page and helpful footnotes, examples and reminders to inform and guide users in creating their own policy. Our template broadly addresses the requirements under Rule 42. However, you should add details that reflect your organisation's practices and circumstances. Providers using the template should also seek appropriate legal or other professional advice as required.

Kathy Rainbird – Manager Education, Australian Digital Health Agency

And Jenny?

Jenny Snegovaya – Acting Assistant Director, Compliance Outreach, Australian Digital Health Agency

I would really recommend having a look at our Agency's website, so that's digitalhealth.gov.au. There's a range of really useful, easy to follow resources. We have a checklist of policy requirements. We have an e-learning module that can help you develop a policy, especially if you're doing it for the first time. There is an on-demand webinar which is really practical, and it walks you through the OAIC template, so you know how to follow it and what information you need to update and tailor within the template. We also have a range of frequently asked questions published on the website.

Kathy Rainbird – Manager Education, Australian Digital Health Agency

Fantastic. Thanks, Jenny. And I should mention that the links to all of these resources will be provided on the page where you found this podcast. So now let's consider some of the key components that should be covered in a My Health Record security and access policy, and to feature these I'm going to ask our panel to highlight why this is so important, the risks of not implementing a policy in this space, and for Charlotte to provide some insight or examples from her practice. So, kicking off, one of the key components of the policy is considering how people are authorised to access My Health Record, how access is deactivated or suspended, and when those circumstances might happen. So, Jenny, can you explain what this means?

Jenny Snegovaya – Acting Assistant Director, Compliance Outreach, Australian Digital Health Agency

So, what this component relates to is that organisations need to consider who will have access to My Health Record on behalf of their organisation and who makes this decision. So, for some organisations, you might have a blanket rule that everyone is authorised to access My Health Record, and that might be appropriate, but it may not work for other organisations. So, it is up to that specific organisation to determine who will have access and who is responsible for granting access, and that should be outlined in the policy, as well as the process for making that decision. I'll flag a couple of examples, I guess, of roles that people should think about when they are determining who should have access to My Health Record. Obviously, in a lot of cases, a lot of clinical staff access My Health Record, but you may have other staff in your organisation that you can think about. For example, you might have practice managers or administrative staff. You can think about whether they should have access to My Health Record. You may have staff working in your organisation on a temporary basis, so locums or interns or students completing placement.

Kathy Rainbird – Manager Education, Australian Digital Health Agency

Thanks Jenny. So Emily, if I can ask you, why is it important to have this process in place, and what might be a risk if a health care organisation didn't consider this and include it in their policy and in their practice?

Emily McPhee - Assistant Director, Health and Government team, Office of the Australian Information Commissioner

When it comes to authorising staff, following a documented process prompts organisations to consider whether staff need to have access to the My Health Record system in the first place and to ensure that appropriate controls are applied. This requirement also talks about circumstances where the organisation should suspend or deactivate accounts. For example, there is a risk that users who have left an organisation may continue to have access to the system if their account has not been deactivated, or a bad actor could use a compromised account to access sensitive health information. This unauthorised access would compromise the My Health Record system, contravene the Act, and become an interference with privacy.

Kathy Rainbird – Manager Education, Australian Digital Health Agency

And Charlotte, if I can put you on the spot and throw a question to you about this: how, in your practice, do you determine who has access and who doesn't to My Health Record?

Professor Charlotte Hespe AM - Digital Health Advisor, Australian Digital Health Agency and Head of General Practice and Primary Care Research, Sydney School of Medicine

Great question. We've had lots of conversations around that and again, it's sort of around levels of authority, which I think we sort of talked about. It's been talked about that the role-based access controls. So, you know, what is a role that would be okay to be able to have access versus not. So for us, it's only our practice manager who has access outside of all of the doctors and practice nurses. We then make sure that, you know, we have in place those protocols to make sure when somebody leaves that access for that practice changes, and then the same obviously for the practice manager, and/or the need to have a backup person if the practice manager was away for a prolonged period, and who then takes on those same roles and accessibility. So, it's a sort of a nuanced thing about what is deemed to be appropriate.

Kathy Rainbird – Manager Education, Australian Digital Health Agency

That's great. And I guess the other thing to point out around all of this is that My Health Record is there to support better healthcare. It's there to be used, and we don't want to discourage people from using it, as long as it's the right people who are using it. So, as you said Charlotte, having your clinicians, including your nursing staff, being able to access it is really important, and then thinking about those other people within the practice who maybe need to be able to support that care process, such as your practice manager, who can then be authorised to have that access as well. So, another key component of the policy is about the training that's provided to your staff or employees before they can access My Health Record. Jenny, can you please outline what this training needs to cover?

Jenny Snegovaya – Acting Assistant Director, Compliance Outreach, Australian Digital Health Agency

Absolutely, training is so important with My Health Record. It needs to cover the following elements. So firstly, how to use My Health Record accurately and responsibly. It needs to cover legal obligations on both the organisation and the individuals who are using My Health Record, as well as the consequences of breaching those legal obligations. So, training really needs to take place before a user first accesses My Health Record, but also needs to happen on a regular basis as well.

Kathy Rainbird – Manager Education, Australian Digital Health Agency

Thanks Jenny. Charlotte, if I might turn to you again, what advice would you have for our listeners as they are looking at the training for their staff and perhaps developing a My Health Record training plan?

Professor Charlotte Hespe AM - Digital Health Advisor, Australian Digital Health Agency and Head of General Practice and Primary Care Research, Sydney School of Medicine

I think the really important thing is actually making sure that you and all of your team understand why you're doing this project. You know, what is the purpose and what are the benefits of actually having a training program around it? Because if you have a clear purpose and benefit, then you can actually make sure that the training that you provide is also meeting the needs. So, for us at our practice, we do try and make sure that there's different training according to what different people's needs are. So right down to the person who's new to the team, making sure they understand how we use it, what medical records we're using, so how do they actually use it and what role does it play in the way in which we do our patient care. So, our reception staff need to really understand it. They need to understand, when patients ask them about it, what it is that we're doing and what actually it looks like, where they can find it for themselves and how the practice uses it, through to what the practice nurses are doing, what our practice manager does, and then how we use it as GPs. So, there's sort of a bit of complexity in how we organise a training program. We quite like having an all-in. Everybody gets the same big picture look and then we go into the fine detail within each of those groups, and so it is pretty much a hands-on training session that we do regularly and then regularly update, because it is a changing space and it's exciting when you can sort of go, okay, this is what we can do now.

Kathy Rainbird – Manager Education, Australian Digital Health Agency

Yeah, that's a great point. And just to point out as well that the Agency has some really great training resources available. If you don't have a developed training program for yourselves, you and your team can access training through our e-learning modules, which are all free, and they'll also be linked on the page with this podcast. Emily, if I can turn to you now, what could be some of the risks if an organisation hasn't gone through that process of training their staff?

Emily McPhee - Assistant Director, Health and Government team, Office of the Australian Information Commissioner

If training is not provided prior to staff accessing the system, they may not understand how to use certain functions appropriately. Misuse of the My Health Record system, even accidentally, could be considered a breach of legal obligations. As well as preventing accidental misuse, training is an important reminder of the seriousness of these obligations and can deter people from wilfully misusing the My Health Record system. Training is important regardless of how large your organisation is or how often you use the My Health Record system. Some people might think, well, I don't use the system that much, so I don't need to do regular training, but in these cases refresher training can be even more important, as these users haven't had the opportunity to embed their previous training in practice.

Kathy Rainbird – Manager Education, Australian Digital Health Agency

Thanks Emily. The other thing I should point out is that on the Agency's website, digitalhealth.gov.au, we also have a recommended training checklist that you can utilise in your practice, which has a whole lot of links to useful resources, and that will also be linked at the bottom of this podcast. So, moving into the next sort of key component of the policy, and that's the process for actually identifying a person who requests access to a person's (a healthcare recipient's) My Health Record, and communicating that person's identity to the System Operator if requested. What does this actually mean, Jenny? And can you explain how this works? In particular, if someone's using clinical software, which I guess in most general practices would be the way that they're accessing the system.

Jenny Snegovaya – Acting Assistant Director, Compliance Outreach, Australian Digital Health Agency

Yes. So, every time an organisation interacts with My Health Record, this activity is logged, whether an organisation uses their conformant clinical software or if they are viewing it via the National Provider Portal, which you don't need to have any software to access. Both of those platforms can automatically communicate information to the Agency about the activity that took place, and in some cases the Agency may request that an organisation provides specific information about the identity of the user that accessed My Health Record on a particular occasion.

Kathy Rainbird – Manager Education, Australian Digital Health Agency

Emily, why is this necessary?

Emily McPhee - Assistant Director, Health and Government team, Office of the Australian Information Commissioner

Being able to identify a person who requests access to a My Health Record allows you to effectively investigate incidents or complaints. The user may be able to provide information about what occurred, including explanations for why the access was authorised. If inappropriate use is identified, then knowing who the user is will allow your organisation to effectively address the issue.

Kathy Rainbird – Manager Education, Australian Digital Health Agency

So, moving on to the next sort of key part of the policy that needs to be covered, and that specifically relates to the physical and information security measures taken by the organisation to protect their information and protect the people who are accessing My Health Record. Charlotte, can you outline some of the physical and information security measures that you have in place in your practice?

Professor Charlotte Hespe AM - Digital Health Advisor, Australian Digital Health Agency and Head of General Practice and Primary Care Research, Sydney School of Medicine

Look, that covers sort of a number of things. So if I think about the physical things, we actually have to, you know, have thought about the rooms, so who accesses a room with a computer, and that those rooms are locked. Actually, we have a funny system where they're locked for anybody coming in, but when you're in the room, you can get out. So, they're nice and safe, but it does mean that no one else can come into that room without having access to the room. Then we also have sort of rules on each computer, so it locks, you know, you have to have double authenticated password access to access any of the practice machines. But then what also happens is that, put in place behind the scenes, we've got the screens shutting down if there is no use of the screen for a certain period of time. We often talk about, you know, in general practice, you're a very small business and so often sometimes you don't think too much about people coming phishing with emails and being able to make sure that there's some security in place behind the scenes. Whereas for bigger organisations, it's much easier to put those things in place. So again, it's about actually making sure you've got a system with an IT consultant that is appropriate for your system, that you have somebody who's overseeing it. We employ an IT consultant who is on call whenever we need them to come and check, to educate us and to make sure that that's all there, and then making sure we're using the encryption services in terms of how we input data and output data, particularly patient information. We then obviously make sure that we're always up to date with software updates and the anti-virus software, regular backup and recovery. 
Our practice at the moment does actually have our own server, and so we're having quite a lot of conversations about what it would look like having an offsite server, and for me, part of the concern about that is making sure I absolutely know and understand how the security measures go with that when things go wrong, and who is in charge of the data when it's in a different place.

Kathy Rainbird – Manager Education, Australian Digital Health Agency

All very good points, and certainly lots of things to consider for anyone who's in general practice or any other health care organisation in terms of that physical security and information security. Emily, are there any other measures that an organisation might need to consider, in particular around the My Health Record access side?

Emily McPhee - Assistant Director, Health and Government team, Office of the Australian Information Commissioner

Yes, great to hear about all of those measures that Charlotte just mentioned. Just to echo some of those points, maintaining your register of authorised users is really important, ensuring that users only have accounts if they require them for their roles. Requiring employees to change their passphrase periodically. Best practice is to set a passphrase instead of a password. A passphrase is a string of unrelated words, usually four words, like crystalonionclayPretzel. Passphrases are easier to remember, but harder to guess than traditional passwords. Locking accounts after a certain number of failed login attempts, requiring staff to lock computers before they leave them unattended, and locating devices used to access the system in secure areas under appropriate surveillance, with privacy screens where appropriate, would be some other things that I could think of.

Kathy Rainbird – Manager Education, Australian Digital Health Agency

Yeah, fantastic, all really good points. So, one of the other components that the policy needs to cover is the mitigation strategies to promptly identify, act upon and report any security risks or breaches. Emily, can you outline what might be an example of a mitigation strategy?

Emily McPhee - Assistant Director, Health and Government team, Office of the Australian Information Commissioner

Sure, many organisations focus on preventing data breaches and unauthorised access. This is often addressed through training and other physical and information security measures that we have just discussed. However, when implementing mitigation strategies, it's also important to have strategies to allow your organisation to identify and address incidents when they occur. Proactively reviewing audit logs is one example of a mitigation strategy that will assist in detecting and investigating unauthorised access to the My Health Record system. Most clinical software automatically captures logs of when users access the My Health Record system and their activity. It is important that organisations periodically review these records and see if they identify any potentially inappropriate use of the My Health Record system. For example, a manager might find that a user has been accessing the My Health Record of a person that isn't a patient of the organisation. With this information, the organisation can investigate and address these incidents, including preventing future inappropriate access from occurring. If an organisation does not review audit logs, incidents like this may go undetected.

Kathy Rainbird – Manager Education, Australian Digital Health Agency

Thanks Emily. So that's been a great discussion of a lot of the different components that make up a My Health Record policy. There's one more aspect to quickly cover off, and that relates to the provision of assisted registration. Jenny, can you explain this one? What is assisted registration about?

Jenny Snegovaya – Acting Assistant Director, Compliance Outreach, Australian Digital Health Agency

Assisted registration is where a health care provider assists their patient to register for My Health Record, if they aren't already registered. And this is a really great example of when an organisation may need to tailor their policy, if that happens to be a service that they don't provide. So, as a matter of best practice, if you do think that a component doesn't apply to your particular organisation, this should be clearly stated in your policy to explain why this particular element isn't being included.

Kathy Rainbird – Manager Education, Australian Digital Health Agency

Thanks Jenny. It's been a great discussion, thanks to all our panel members for their contributions. There is a lot more detail and further information relevant to each of these components that we've discussed, which of course can be found in the Office of the Australian Information Commissioner's guidance and on the Agency web page. I encourage our listeners to access and utilise these sites. But back to our panellists. Just to wrap up, are there any key messages that you would like to convey? Jenny, you first.

Jenny Snegovaya – Acting Assistant Director, Compliance Outreach, Australian Digital Health Agency

Hopefully we've given our listeners some things to have a think about, but I'll keep it just to three points. Firstly, we've said throughout today's podcast that all organisations must have this policy in place, as that will allow them to be eligible to register for My Health Record, remain eligible and maintain their registration. Secondly, the policy needs to cover specific components, so those are the ones that we've touched on today and went through. And lastly, there are so many resources available on the Agency website and the OAIC website to assist organisations in developing their My Health Record security and access policy, or to guide you through the process if you're reviewing or updating your policy.

Kathy Rainbird – Manager Education, Australian Digital Health Agency

Thanks, Jenny. Over to you, Emily, final word.

Emily McPhee - Assistant Director, Health and Government team, Office of the Australian Information Commissioner

Thanks Kathy. I think it's important to remember that merely having a security and access policy is not sufficient to ensure the security and integrity of the My Health Record system and the information it contains. Health care provider organisations must actively communicate and enforce their security and access policy. The policy applies to all employees and also any health care providers to whom the organisation supplies services under contract. For example, if a GP rents out a room to other independent doctors or health care provider organisations and provides IT facilities to access the My Health Record system, the GP must enforce its security and access policy with these independent parties. They can do this in the form of a written agreement with the independent health care provider, such as a service agreement or contract.

Kathy Rainbird – Manager Education, Australian Digital Health Agency

Okay, great, thanks Emily. Charlotte, finally, over to you. Would you like to share any lessons learned or final key messages?

Professor Charlotte Hespe AM - Digital Health Advisor, Australian Digital Health Agency and Head of General Practice and Primary Care Research, Sydney School of Medicine

Thanks. Look, I would just like to reiterate the importance of having policies in place. They can sound boring, but actually they are that absolute key essential foundation for all general practices to ensure that we are delivering compliant and legal care. It's consistent, so that we're managing the risks associated with any of this sort of data stuff and confidentiality, creating a really positive work environment because everybody is very clear and confident about what it is they're doing and why. And finally, by making sure the patient's care is protected and safe, we are actually enabled to really deliver high quality, excellent health care at every stage of what we're doing. Remembering that My Health Record is a really useful tool that really can improve the care that we can deliver, and so just sort of thinking, oh no, I've got to put a policy in place, is not a reason to not use it. In fact, that's actually the reason to do it, because it means that everything else that's around My Health Record is also going to be more compliant, safe and better quality for your patient care.

Kathy Rainbird – Manager Education, Australian Digital Health Agency

Fantastic, thank you. I think on that note we will wrap up. Thank you so much to all of our speakers for this fantastic discussion. Thanks for tuning in to the podcast today. We hope to speak to you again soon.
