The Office of the Australian Information Commissioner (OAIC) is in the process of auditing 300 General Practices to ensure compliance with the Australian Privacy Principles relating to My Health Record.
Under Rule 42(1) of the My Health Records Rule 2016, any healthcare provider organisation that uses the My Health Record (MHR) system (including GP clinics) must have a written access policy in place. That policy must ensure that staff and contractors’ access to the MHR system is secure. The focus of OAIC’s assessments will be whether GP clinics have written access security policies in place and are complying with those policies.
The audits are focussing on:
- how staff and contractors are granted access to the MHR system;
- how that access is controlled and monitored; and
- how system risks are identified and managed.
Failure to have a suitable security access policy in place (and follow it) may amount to a breach of Australian Privacy Principles 1.2 and 11. These principles relate to the open and transparent management of personal information and the obligation to keep personal information secure.
OAIC will publish its findings and recommendations on its website in de-identified reports.
If your GP clinic receives notification of an upcoming privacy assessment from OAIC, you may wish to contact your Medical Defence Organisation for advice.
If you are a GP clinic that uses My Health Record and does not have a suitable security access policy in place, now is the time to act.
For further information about your privacy obligations, please contact Karen Keogh or Chelsea Gordon.
This article was written by Karen Keogh, Partner and Chelsea Gordon, Associate.