Privacy and security for digital health
All healthcare providers in Australia have professional and legal obligations to protect their patients' health information. Establishing and maintaining information security practices is an essential professional and legal requirement for using digital health in the delivery of healthcare.
All private healthcare providers are covered by the Australian Privacy Principles (APPs) under the federal Privacy Act 1988. Two important APPs that an organisation must consider with their management of health information, including via the My Health Record system, are:
- APP 1: You must take reasonable steps to implement practices, procedures and systems to ensure that you comply with the APPs and that you can deal with privacy inquiries or complaints.
- APP 11: You must take reasonable steps to protect your records of personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure.
Public sector healthcare providers are covered under State and Territory legislation, which can also require that health information be kept secure.
Importantly, the My Health Record system and other specifications built by the Agency for General Practice and pharmacy software vendors have been designed to promote compliance with privacy laws.
Healthcare Identifier and My Health Record system security obligations
Use of Healthcare Identifiers, and access to the My Health Record system, are governed by the Healthcare Identifiers Act (HI Act) and the My Health Records Act, the My Health Records Rules and Regulation.
The HI Act requires that an organisation take reasonable steps to protect healthcare identifiers from misuse and loss, and unauthorised access, modification or disclosure.
The My Health Records Rules set out the security requirements that participating organisations must comply with to be eligible to be registered and to remain registered under the My Health Record system. Non-compliance with the My Health Records Rules can result in cancellation of participation and other penalties.
RACGP Computer and Information Security Standards (CISS)
The CISS is a practical guide for General Practices to develop systems and policy to meet their professional and legal obligations in computer and information security. While the CISS is tailored to General Practice, it is a helpful tool for all healthcare organisations to understand and implement good security practices.
Implementing security practices and policies
An organisation should document and implement internal practices and procedures that it uses to protect personal information when using electronic health to deliver healthcare.
The following worksheet can be used as a guide to implementing security practices and policies in your organisation for situations where staff use electronic health and/or access the My Health Record system. It covers the requirements that must be incorporated in a My Health Record system security policy, as well as those that represent best privacy and security practice, including the standards set out in the RACGP CISS. The worksheet is a guide only and should be tailored to meet the needs of your organisation.
- The RACGP Computer and Information Security Standards (CISS) (includes policy templates)
- CISS Addendum: Compliance Indicators for the Australian Privacy Principles
- OAIC Fact Sheet 17: Australian Privacy Principles
- Comlaw: My Health Records Act, My Health Records Rule, My Health Records Regulation
- OAIC Fact Sheet 18: the OAIC and the eHealth Record system
- OAIC Business resources: Individual Healthcare Identifiers—Compliance obligations of private healthcare providers
- National eHealth Security and Access Framework