Townsville GP Superclinic
The Doctors Mulgrave Road Medical Centre
Nicholl Holdings Pty Ltd
My Health Record
Access Security Policy
Current as of: 6 September
Version no: 0101060921
Contents
3. Responsible Officer (RO) and Organisation Maintenance Officer (OMO)
4. How My Health Record is accessed in our service
5. Registration for an Individual’s access to My Health Record
6. My Health Record User Training
8. Requests to Access a Patient’s My Health Record
9. Physical and Information Security Measures
1. Introduction
This policy provides guidance for staff and independent health care providers about access to and use of My Health Record within the service. It also provides guidance on the use of information technology in our service as it relates to My Health Record.
This service’s My Health Record policy is:
2. Compliance with the Act
This policy is designed to ensure that our organisation remains compliant with the My Health Record Act (2012) (the Act) and its subsequent amendments.
This organisation subscribes to updates of My Health Record (2012) and other relevant acts.
This policy will be updated . . .
This policy does not supersede the requirements or effect of the Act. If it is the case that this policy is non-compliant, then the requirements or effect of the Act and its subsequent amendments supersede the policy and are binding on all.
3. Responsible Officer (RO) and Organisation Maintenance Officer (OMO)
The following individuals, in their nominated roles, are responsible for the implementation of, and compliance monitoring of, the My Health Record policy in our service:
4. How My Health Record is accessed in our service
- leave the organisation, when their security has been compromised, their conduct is under review or when their duties no longer require them to access My Health Record.
- We maintain an accurate and up-to-date list of healthcare providers who are authorised to access the My Health Record system via our Best Practice medical software in accordance with the regulations.
5. Registration for an Individual’s access to My Health Record
Registration for an individual’s access to the My Health Record is;
To be specific, My Health Record should not be accessed to obtain background information on the patients we care for without the informed consent of the patient or their carer(s).
The Responsible Officer (RO), Wendy Milgate, maintains the currency of our Health Provider Identifier – Organisation (HPI-O) and information on the Health Provider Directory (HPD) according to the requirements of the Health Identifiers Act 2010.
In our service, we collect and record the Healthcare Provider Identifiers (HPI-Is) of our individual healthcare providers upon entry or becoming part of the organisation by completing, checking, recording and collating the necessary documentation. All of the underlying documentation is stored on our secured Data Management Systems, which are subject to our secure data management policies.
In particular, the Responsible Officer will ensure that the organisation maintains an accurate and up-to-date list of authorised staff or healthcare providers – individuals who are authorised to access the My Health Record via or on behalf of the organisation using the provider portal.
The Responsible Officer will maintain a list of healthcare providers who have been authorised to access My Health Record in the past.
Our Best Practice medical software maintains an accurate and up-to-date log of authorised health care providers who have accessed My Health Record. A copy of the log can be obtained from our Best Practice medical record-keeping system at a medical practice level, or securely from a distance, without the assistance of external IT service providers.
The Responsible Officer will also maintain a list of authorised non-healthcare service providers who are authorised to access My Health Record on behalf of the organisation. This list will be reviewed at the beginning of each quarter and formally updated yearly, to remove formally-authorised users who no longer require access to My Health Record.
Information on how to access My Health Record will be a part of our induction procedures when it is required (for registered health care service providers). Information regarding My Health Record in general will be part of our induction procedures for administrative staff. Removing individuals who could formally access My Health Record from within, or on behalf of, our organisation will be included in our organisation’s termination policies.
Our Best Practice medical software is stored on individual servers that do not share user names and logons. Accordingly, although our organisation maintains many of our My Health Record policies at an organisational level, many of our My Health Record policies and records will be implemented or maintained at a medical practice level as well.
Access to My Health Record is audited by the Responsible Officer, Organisation Maintenance Officer, authorised delegates and practice managers. The Responsible Officer will maintain a list of individuals who may access and audit our organisation’s My Health Record activities. This list will be accurate and up-to-date and can be complemented by individuals who have been able to access and audit our organisation’s My Health Record activities in the past.
The Responsible Officer will monitor log files, maintain copies of our organisation’s past My Health Records activities and produce a contemporary log of our organisation’s My Health Record activities upon valid request.
Our practice allows registered healthcare service providers to access My Health Record via the organisation’s own National Authentication Service for Health (NASH) certificates under the practice’s registration for access of the My Health Record. Therefore, our registered health care professionals;
When an individual who is authorised to access the My Health Record in our practice leaves our service, we deactivate their local account by;
If the security of one of our individuals authorised to use the My Health Record has been compromised, their account will be de-activated by;
6. My Health Record User Training
In our practice, we ensure that authorised individuals who access My Health Record receive comprehensive training on the subject that is current and provided by a credible source. This training includes how to use the system accurately and responsibly, the legal obligations of healthcare provider organisations and individuals using the system, and the consequences of breaching those obligations.
Our organisation’s My Health Record training will be;
7. Assisted Registration
Our practice does not register patients for My Health Record.
However;
Our practice also offers to;
8. Requests to Access a Patient’s My Health Record
Our practice has established processes for identifying a person who requests access to a patient’s My Health Record.
The Responsible Officer will maintain a log of authorised users.
Authorised users will be bound by the terms of this policy.
Details of those accessing My Health Record via our Best Practice medical practice software or the Health Identifier service on the Health Professional Online Service will be maintained on our Secure Data Management Systems.
Information regarding the manner in which our organisation accesses My Health Record will be securely stored, regularly audited and available to the Systems Operator upon valid request.
9. Physical and Information Security Measures
Our organisation operates secure data management systems that are;
Information that outlines our policies on who may access My Health Record, staff training for it, and individual and organisational access to it will be stored and regularly audited on our Secure Data Management Systems, which are covered by our Secure Data Management Policies.
These policies;
10. Living Document
Our My Health Record Policy is a living document and will be updated regularly, and as required.
Upon updating, our new My Health Record policy will be given a unique identifying number, appropriately distributed, and given an effective start date.
The Responsible Officer will keep a record of individuals who have been supplied with a copy of our My Health Record Access Security Policy, and the date upon which the policy was supplied.
Suggestions for how our My Health Record Access Security Policy can be improved can be emailed to our Responsible Officer, Wendy Milgate, at relationshipmanager@thedoctors.com.au
The Responsible Officer for our My Health Record policy is Wendy Milgate who can be contacted via relationshipmanager@thedoctors.com.au