Make sure you are compliant with My Health Record participation obligations
An annual check of your My Health Record registration details ensures your organisation complies with relevant legislative obligations and can be contacted by the System Operator when required.
What should a registered healthcare provider organisation review annually?
An organisation’s My Health Record security and access (Rule 42) policy must be reviewed at least annually and when any material, new, or changed risks are identified.
What ongoing obligations does my organisation have regarding security and access to My Health Record?
A healthcare provider organisation participating in My Health Record must maintain a policy that addresses requirements outlined in Rule 42 of the My Health Records Rule 2016 (commonly referred to as a Security and Access Policy). This policy is required regardless of how often you access My Health Record, or how big your organisation is.
More information about other ongoing participation obligations can be found on the Australian Digital Health Agency website along with Security and Access Policy frequently asked questions.
Are checks of organisations’ security and access policies undertaken?
The Australian Digital Health Agency may request to review your organisation’s policy. Where such a request is received, you must respond within 7 days upon receipt of the request, in accordance with Rule 43 of the My Health Records Rule 2016.
In addition, the Office of the Australian Information Commissioner (OAIC) regularly carries out privacy assessments in relation to My Health Record. These assessments may involve a review of organisations’ security and access policies.
What other checks should be conducted?
- Check the My Health Record registration and contact details of the Responsible Officer (RO) and Organisation Maintenance Officers (OMOs) at your organisation, especially if there have been staffing changes or changes of ownership. Instructions are available on the Services Australia website.
- Check that individuals who can access My Health Record on behalf of your organisation remain eligible to do so. You may need to deactivate/suspend user accounts of individuals who have left your organisation or whose duties no longer require them to access My Health Record.
- Ensure all staff are appropriately trained to use My Health Record and conduct refresher training. Remember that staff must receive training before they are authorised to access My Health Record for the first time. A recommended training list is available.
How do I update my registration and contact details?
The best way to update your organisation’s details is via Health Professional Online Services (HPOS), which is accessed via your Provider Digital Access (PRODA) account. See Update your organisation’s details in the HI Service (Services Australia) or call 1800 700 199.
Where can I find more information and support?
- More information about ongoing participation obligations can be found on the Australian Digital Health Agency website, including frequently asked questions, a policy requirements checklist and training resources.
- A template and guidance for developing a My Health Record security and access policy can be accessed on the Office of the Australian Information Commissioner (OAIC) website.
- A number of resources, including an eLearning module on developing a My Health Record security and access policy for your organisation, can be accessed via the Australian Digital Health Agency Online Learning Portal (create a free account to access the training portal).
- Australian Digital Health Agency ‘What is a My Health Record security and access policy and why do I need one?’ podcast
- Tailored guidance is available to assist sole traders in developing a security and access policy.
