Frequently Asked Questions for Healthcare Providers
There are three steps to register a healthcare organisation for participation in the My Health Record system:
- Register with the Healthcare Identifiers (HI) Service to obtain a Healthcare Provider Identifier for Organisations (HPI-O).
- Register to participate in the My Health Record system.
- Apply for a National Authentication Service for Health (NASH) Public Key Infrastructure (PKI) Certificate for your organisation.
For more information about registering to participate in the My Health Record system and options for submitting your application, visit the Healthcare Organisation Registration page on the My Health Record system website.
No. From 1 March 2016 Healthcare Provider Organisations no longer need to enter into a participation agreement with the My Health Record System Operator to register. The obligations previously imposed through this agreement are now set out in the My Health Records Rule 2016.
Organisations that registered before 1 March 2016 are still bound by their participation agreement. The My Health Record System Operator will be contacting these organisations from March 2016 to make arrangements to terminate these agreements. In the meantime, although these organisations will be subject to obligations both in the participation agreement and in the Rules, the obligations are the same.
To participate in the My Health Record System, a Healthcare Provider Organisation must:
- Have a Healthcare Identifier (a Healthcare Provider Identifier-Organisation, known as an HPI-O). An HPI-O is allocated by the Healthcare Identifiers Service (operated by the Department of Human Services, DHS) upon application by an organisation.
- Have a compliant digital certificate which can be obtained from DHS.
- Be registered with the System Operator. An organisation must apply to the System Operator (The Australian Digital Health Agency) and provide specified information, and the System Operator will determine if the organisation meets the criteria.
- Comply with the My Health Record Rules that apply to healthcare provider organisations which require an organisation to:
- Develop, maintain, enforce and communicate to staff written policy relevant to the My Health Record system to ensure that interaction with the My Health Record system is secure, responsible and accountable. These policies need to deal with matters such as authorising persons within the organisation to access the system, training, physical protection of IT systems and so forth (as described in section 42 of the My Health Records Rule 2016).
- Review the policy mentioned above at least annually.
- Provide the organisation’s policy for a particular date to the System Operator upon request.
- Take reasonable steps to ensure the records the organisation uploads are, at the time of uploading, accurate, up-to-date, not misleading and not defamatory.
- Ensure your organisation uses reasonable IT user account management practices.
- Give the System Operator reasonable assistance in relation to any inquiry, audit, review, assessment, investigation or complaint regarding the My Health Record System.
- Not record or store a patient’s Record Access Code or Limited Access Code.
- Maintain interoperability with the My Health Record system.
- Tell the System Operator within 2 days if the organisation knows or suspects that there is an error in a record the organisation has downloaded or accessed.
- Tell the System Operator within 2 days if there is a material change to the organisation as a legal entity. A material change includes the incorporation, merger or liquidation of the organisation.
- Ensure the organisation’s Responsible Officer or Organisation Maintenance Officer is authorised to act on behalf of the organisation in relation to the My Health Record system.
- If the organisation provides assisted registration, take reasonable care in identifying the individual being registered, confirm that the individual consents to registration and the uploading of information to their My Health Record, and inform the individual they can be registered through other channels if they choose.
- Only collect, use or disclose My Health Record information as authorised (see Division 2 of part 4 of the My Health Records Act 2012).
- Upload information about a registered patient to the National Repositories Service or other registered repository in the My Health Record system.
- Only upload a shared health summary if it has been authored by the patient’s nominated healthcare provider.
- Only upload a document if it has been prepared by a healthcare provider with an HPI-O whose professional registration or membership is not cancelled, suspended, conditional or lapsed.
- Not upload any information if it would infringe on the copyright or moral rights of the owner.
- Not upload any information if the patient has asked the organisation not to.
- Tell the System Operator if the organisation has been involved in any actual or potential data breach (i.e. an unauthorised collection, use or disclosure, or circumstances that may have contravened the system’s security or integrity).
- Provide sufficient information to the System Operator, when an individual accesses the system on the organisation’s behalf, to identify the individual.
- Not discriminate against an individual because they do not have a My Health Record or because of their My Health Record’s access control settings.
- Tell the System Operator within 14 days if the organisation has ceased to be eligible to be registered (i.e. the organisation has cancelled its HPI-O or it does not comply with the Rules or a condition imposed on its registration).
- Ensure the IT systems which the organisation uses to access the My Health Record System use conformant software when connecting to, and interacting with, the My Health Record System.
To register to participate in the My Health Record system, a Healthcare Provider Organisation will first need to register with the Healthcare Identifiers (HI) Service for a Healthcare Provider Identifier – Organisation (HPI-O). The organisation will also need to apply to the HI Service to obtain a NASH PKI certificate for a Healthcare Provider Organisation.
Once an organisation has registered with the HI Service, they can register for the My Health Record system through Health Professional Online Services (HPOS) using their Individual PKI Certificate enabled for the HI Service. If they do not have access to HPOS, they will need to complete and submit the "Application to register as a Healthcare Provider Organisation" form.
To access HPOS, go to the Department of Human Services website. To request the form, call 1800 723 471 (call charges apply from mobile phones), Monday to Friday between 8:30 am and 5:00 pm, local time.
If you are a private or Commonwealth health service and hold health information, you are an Australian Privacy Principle (APP) entity and are covered by the Privacy Act. APP 1 aims ‘to ensure that APP entities manage personal information in an open and transparent way’ and imposes three separate obligations upon an APP entity to:
- take reasonable steps to implement practices, procedures and systems that will ensure the entity complies with the APPs and any binding registered APP code, and is able to deal with related inquiries and complaints (APP 1.2)
The Minister responsible for the My Health Record system (i.e. Federal Minister for Health) makes legislative instruments known as My Health Records Rules which are necessary to support the My Health Record system.
A healthcare provider organisation must comply with the My Health Records Rules (that apply to healthcare provider organisations) in order to be and remain eligible to be a registered Healthcare Provider Organisation.
The My Health Records Rules in place at this time, that apply to Healthcare Provider Organisations, together with a summary of their requirements, are listed below:
- My Health Records Rule 2016 – this sets out requirements for entities registered in the system, including for the setting of an organisation’s access flags within its network hierarchy, the removal of documents from the My Health Record system, the authorisation of responsible officers and organisation maintenance officers, the sequence for organisation types to be registered, the organisation’s policy, the user account management practices, the obligations regarding information organisations upload, and the retention of access codes.
- My Health Records (Assisted Registration) Rule 2015 – this applies only to registered healthcare provider organisations that choose to provide assisted registration to individuals, setting out requirements for organisations identifying an individual, the collecting of individual consent, and the notification of alternative registration methods.
No. A formal agreement is not required by the System Operator but it may constitute good corporate governance to establish clear arrangements with the healthcare providers that work within your organisation.
The My Health Record System does not change the current obligations of healthcare providers to maintain their own detailed and accurate clinical records for individuals. Healthcare Provider Organisations are responsible for the information that is uploaded from their clinical systems to the My Health Record system.
Registered Healthcare Provider Organisations are required by the My Health Records Rule 2016 to implement and maintain a written policy that reasonably addresses (at a minimum):
- How they will authorise employees (including contractors) to access the My Health Record system, and provide assisted registration (if provided by the organisation), and how this list will be kept up to date.
- The training that will be provided before employees are authorised to access the My Health Record system or provide assisted registration (if provided by the organisation).
- How the organisation will communicate to the System Operator the identity of each person accessing the My Health Record System using the healthcare provider organisation’s IT system.
- The physical and information security measures that are to be established and adhered to by the healthcare provider organisation and people accessing the My Health Record System via or on behalf of the healthcare provider organisation, including systems that employ reasonable user account management practices.
- Mitigation strategies to ensure My Health Record System-related security risks can be promptly identified, acted upon and reported to the healthcare provider organisation’s management.
- If they provide assisted registration, how they will confirm whether an individual has given consent.
- If they provide assisted registration, the process and criteria they will use in identifying an individual for assisted registration.
Registered Healthcare Provider Organisations must review their policy at least annually, and must provide their policy (in place at a specified time) to the System Operator, upon request by the System Operator.
Organisations should consider developing material to guide employees in their use of the My Health Record System.
An example of how Healthcare Provider Organisations may address this matter is provided in the Australian Medical Association’s Guide to Using the My Health Record which provides guidance to healthcare provider organisations about the use of the My Health Record System as a clinical tool.
Any disagreements that arise between a Healthcare Provider Organisation and an Individual Healthcare Provider regarding obligations that are set out in the My Health Records Rule 2016 should be managed between the Healthcare Provider Organisation and the Individual Healthcare Provider.