A healthcare organisation that is participating in the My Health Record system is required to comply with a range of obligations.
Healthcare organisations must comply with the following legislation:
- My Health Records Act
- My Health Records Rule
- My Health Records Regulation
and, where the organisation is undertaking Assisted Registration:
- My Health Records (Assisted Registration) Rule.
Changes to your organisation
It is important to understand what changes your organisation may need to make before registering to participate in the My Health Record system, and to ensure ongoing compliance with the above legislation. Potential changes include:
You will need to review, update, maintain, enforce and promote to staff the policies that ensure the My Health Record system is used safely and responsibly. These policies need to address matters such as how authorised persons access the system, the training delivered to staff before they access the My Health Record system, and the physical and information security measures used by the organisation.
User account management
You will need to confirm that the IT system(s) staff use to access the My Health Record system employ reasonable user account management practices, including restricting use to authorised staff, uniquely identifying each user, and secure access mechanisms (such as passwords).
Your existing obligations to maintain your own detailed and accurate clinical records remain, and you are also responsible for ensuring that information uploaded to the My Health Record system complies with your participation obligations. This includes ensuring your employees are registered healthcare providers (i.e. they have a healthcare provider identifier, HPI-I) before they author any record that will be uploaded to the My Health Record system.
Ongoing participation obligations
Set out below are a number of ongoing obligations on a participating healthcare organisation. Please note that this is not an exhaustive list of obligations. If in doubt about your organisation's obligations, you should contact the System Operator.
To participate in the My Health Record system, your healthcare organisation must:
- Not discriminate against an individual because they do not have a digital health record or because of their My Health Record's access control settings;
- Take reasonable steps to ensure that its employees exercise due care and skill so that any record uploaded to the My Health Record system is, at the time it is uploaded, accurate, up-to-date, not misleading and not defamatory;
- Not upload a clinical document to the My Health Record system where an individual has withdrawn consent to the uploading of that clinical document;
- Only upload a clinical document to the My Health Record system that has been prepared by a person who is a registered healthcare provider (i.e. has an HPI-I) and whose registration is not conditional, suspended, cancelled or lapsed;
- Tell the System Operator as soon as practicable after becoming aware of a potential or actual data breach, that is:
  - there has been an unauthorised collection, use or disclosure of health information included in an individual's My Health Record; or
  - an event has, or may have, occurred that compromises, or may compromise, the security or integrity of the My Health Record system;
- Tell the System Operator, within two business days of becoming aware, of a non-clinical My Health Record system-related error in a record, or that your organisation has undergone a material change;
- Tell the System Operator within 14 days if your organisation has ceased to be eligible to be registered (for example, the organisation has cancelled its HPI-O);
- Give the System Operator necessary assistance in relation to any inquiry, audit, review, assessment, investigation or complaint regarding the My Health Record system;
- Develop, maintain, enforce and communicate to staff written policies relevant to the My Health Record system to ensure that interaction with the My Health Record system is secure, responsible and accountable, and to provide a copy of your policy to the System Operator on request.
There is an overview of the policies required to participate in My Health Record, along with templates for writing your My Health Record Security and Access Policy and your Use of a NASH PKI Certificate Policy.
General practices participating in the Practice Incentives Program (PIP) eHealth Incentive are required to establish and put into writing a Secure Message Delivery policy and a Clinical Coding and Terminology policy. A Secure Messaging Delivery policy template and a Clinical Coding and Terminology policy template are available to help you.
In addition, a number of organisations have developed sample policies to assist you: