Practice owners and managers need to understand their obligations under the Privacy Act 1988 and should be striving to embed good privacy in their practice. 

In addition, healthcare organisations are required, by legislation, to have a written My Health Record security and access policy to register, and remain registered, with My Health Record regardless of the organisation’s size or how often they access the My Health Record system.

At a minimum, an organisation’s My Health Record security and access policy must address the following: 

• how people are authorised to access the My Health Record system, and how access is deactivated or suspended when certain circumstances arise
• the training that is provided to employees before they access the My Health Record system, including how to use the system accurately and responsibly, the legal obligations on healthcare provider organisations and individuals and the consequences of breaching those obligations
• the process for identifying a person who requests access to a healthcare recipient’s My Health Record and communicating the person’s identity to the System Operator
• the physical and information security measures taken by the healthcare provider organisation and people accessing the My Health Record system
• mitigation strategies to promptly identify, act upon and report security risks
• assisted registration information (if applicable)

Having a My Health Record security and access policy helps to ensure that the information held within My Health Record is used appropriately, kept secure and protected. 

Listen to the Australian Digital Health Agency’s new podcast to learn more about the key components of a My Health Record security and access policy.

You can also reach out to SEMPHN's Digital Health Team for support by emailing digitalhealth@semphn.org.au.