Security and Access policies – Rule 42 guidance

Guidance for healthcare provider organisations on meeting the requirements set out in Rule 42 of the My Health Records Rule 2016.

Access the eLearning course for Developing a My Health Record Security and Access Policy for your Organisation created by the Australian Digital Health Agency.

Healthcare provider organisations have certain obligations under the My Health Records Act 2012 (Cth) and My Health Records Rule 2016.

Rule 42 of the My Health Records Rule requires healthcare provider organisations to have, communicate and enforce a written Security and Access policy in order to register, and remain registered, to use the My Health Record system.[1]

Organisations registered with the My Health Record system must have a Security and Access policy regardless of the organisation’s size or how often they access the My Health Record system.

Security and Access policies are critical in supporting healthcare provider organisations to protect the sensitive information of their patients. They also build staff awareness of obligations under My Health Record legislation.

At a minimum, your Security and Access policy must reasonably address the following matters:

1. how people are authorised to access the My Health Record system, and how access is deactivated or suspended when certain circumstances arise[2]
2. the training that is provided to employees before they access the My Health Record system, including how to use the system accurately and responsibly, the legal obligations on healthcare provider organisations and individuals and the consequences of breaching those obligations[3]
3. the process for identifying a person who requests access to a healthcare recipient’s My Health Record and communicating the person’s identity to the System Operator[4][5]
4. the physical and information security measures[6] taken by the healthcare provider organisation and people accessing the My Health Record system[7]
5. mitigation strategies to promptly identify, act upon and report security risks[8]
6. assisted registration information (if applicable)[9]

Merely having a Security and Access policy is not sufficient to ensure the security and integrity of the My Health Record system and the information it contains. Healthcare provider organisations must actively communicate and enforce their Security and Access policy in relation to all employees and any healthcare providers to whom the organisation supplies services under contract.[10]

Tips

Although your Security and Access policy must address the matters listed above, the following tips will help you to develop, implement, and maintain an effective policy to support effective security and access governance in your organisation. If your organisation chooses to implement any of these measures, you could reinforce these practices by mentioning them in your Security and Access policy.

One policy document

Your Security and Access policy should be contained in a single document, rather than distributed across multiple documents. This allows readers to easily access organisational processes and obligations in one place.[11]

Mitigation strategy: audit log reviews

Proactively reviewing audit logs is an effective means of detecting and investigating unauthorised access to the My Health Record system.[12] Audit logs record when the My Health Record system is accessed, including the user’s identity, date, and time of access, whose My Health Record was accessed and the information that was accessed. Audit logs can often be accessed via your clinical software.

Passwords and passphrases

Passwords and passphrases should never be shared, and users of the My Health Record system should each have separate accounts.

To ensure that passwords and passphrases are sufficiently secure and robust,[13] you should do the following:

• Use a passphrase instead of a password wherever possible. Passphrases are a string of at least 4 unrelated words (for example, ‘crystal onion clay pretzel’). They are easier to remember, but harder to guess than traditional passwords.
• Ensure that passwords and passphrases are at least 14 characters long in total. This may include a combination of upper and lower-case letters, numbers, and symbols.
• Change your passwords and passphrases regularly.
• Create unpredictable and unique passwords and passphrases. You should not:
  • use quotations, lyrics, or sentences
  • reuse passwords or passphrases for the same or different accounts
  • use similar passwords or passphrases when updating your credentials (for example, changing ‘password1’ to ‘password2’).

  Whether a password or passphrase is sufficiently secure and robust to safeguard access to the My Health Record system is based on various factors taken as a whole. For example, a passphrase with over 20 characters may not need to include numbers and symbols, or be changed as often as shorter passphrases and passwords.

  Training

  Training ensures staff are aware of their My Health Record and privacy obligations and handle personal information accordingly. As well as training all staff (employees and contractors) before they can access the My Health Record system,[14] you should provide:

  • annual refresher training to staff regarding their My Health Record access obligations
  • ad hoc training when there are changes to legislation or My Health Record system functionalities.

  Training is important regardless of how large your organisation is, or how often you use the My Health Record system.

  Remote access security

  The My Health Record system can be accessed remotely. If your organisation has this functionality, you should ensure that it is secured using unique login details and other access processes such as multifactor authentication.[15]

  Templates

  Templates can be a useful tool when developing a Security and Access policy. However, using a template does not guarantee compliance under Rule 42. When using a template to prepare a Security and Access policy, you should:

  • refer to Rule 42 of the My Health Record Rule to ensure that the template addresses all legislative requirements
  • review, update and tailor your Security and Access policy to reflect your individual practices and circumstances to ensure it can be effectively enforced.

  The OAIC’s template broadly addresses the requirements under Rule 42, however you should adjust it by adding details that reflect your organisation’s practices and circumstances. Persons using this template should seek appropriate legal or other professional advice as required.

  Enforcing your policy in contract

  To ensure that the My Health Record system is used responsibly and securely, you must communicate and enforce your Security and Access policy against the organisations and individuals that use your systems to access the My Health Records system, including staff, contractors, and healthcare providers you supply services to.[16]

  Example: Supplying services to other healthcare providers

  If a GP rents out rooms to other independent doctors or healthcare provider organisations and provides shared IT that facilitates access to the My Health Record system, the GP must enforce its Security and Access policy with these independent parties.

  All relevant contracts facilitating access to the My Health Record system, such as employment contracts or contracts to share IT services with independent healthcare providers, should include provisions that allow you to monitor users’ access to the My Health Record system and explicitly require them to:

  • comply with your Security and Access policy
  • implement physical and information security measures to mitigate the risk of unauthorised access to the My Health Record system
  • implement processes to ensure that security and privacy risks can be identified and acted upon
  • report suspected or actual breaches to you.

  Organisational changes

  In addition to the minimum requirements to review your Security and Access policy at least annually and when any material new or changed risks are identified,[17] you should review your Security and Access policy when the structure of your organisation changes, as this may impact the application of your Security and Access policy in practice.

  How to use the template:

  • The template is a completely customisable Word document.
  • Choose options from the drop down menus or replace with your own text.
  • Delete material that is not relevant to your organisation’s obligations.

  Visit the Australian Digital Health Agency to access its e-learning course for Developing a My Health Record Security and Access Policy for your organisation.

  If you’re a sole trader, for help with this template visit the Australian Digital Health Agency.

  Footnotes

  [1] See also Rule 41 of the My Health Records Rule 2016.

  [2] My Health Records Rule 2016, r 42(4)(a).

  [3] My Health Records Rule 2016, r 42(4)(b).

  [4] My Health Records Rule 2016, r 42(4)(c).

  [5] Under section 74 of the My Health Records Act, registered healthcare provider organisations must ensure certain information is given to System Operator.

  [6] See also Rule 44 of the My Health Records Rule 2016.

  [7] My Health Records Rule 2016, r 42(4)(d).

  [8] My Health Records Rule 2016, r 42(4)(e).

  [9] My Health Records Rule 2016, r 42(4)(f).

  [10] My Health Records Rule 2016, r 42(2)-(3).

  [11] Rule 42(2) of the My Health Records Rule 2016 requires healthcare provider organisations to communicate their Security and Access Policy and ensure that it remains readily accessible to employees and healthcare providers to whom the organisation provides services under contract.

  [12] As required under Rules 42(4)(e) and 44(c) of the My Health Records Rule.

  [13] Under Rule 42(4)(d) of the My Health Records Rule 2016, healthcare provider organisations must establish and adhere to physical and information security measures to control access to the My Health Record system.

  [14] Under Rule 42(4)(b) of the My Health Records Rule 2016, healthcare provider organisations must provide training to individuals before they are authorised to access the My Health Record system. The training must cover:

  • how to use the My Health Record system accurately and responsibly
  • legal obligations on organisations and individuals using the My Health Record system
  • consequences of breaching those legal obligations.

  [15] Under Rules 42(4)(d) and 44 of the My Health Records Rule 2016, healthcare provider organisations must establish and adhere to physical and information security measures to control access to the My Health Record system.

  [16] My Health Records Rule 2016, rr 42(2)-(3).

  [17] My Health Records Rule 2016, r 42(6)(c).