The Office of the Australian Information Commissioner (OAIC) has announced its plan to audit General Practice clinics’ compliance with My Health Record privacy obligations. The audits are being described by OAIC as ‘assessments’ and will focus on promoting good privacy practice.
Under Rule 42(1) of the My Health Records Rule 2016, any healthcare provider organisation that uses the My Health Record (MHR) system (including GP clinics) must have a written access policy in place. That policy must ensure that staff and contractors’ access to the MHR system is secure. The focus of OAIC’s assessments will be whether GP clinics have written access security policies in place and are complying with those policies.
The assessments will focus on:
- how staff and contractors are granted access to the MHR system;
- how that access is controlled and monitored; and
- how system risks are identified and managed.
Failure to have a suitable security access policy in place (and follow it) may amount to a breach of Australian Privacy Principles 1.2 (relating to the open and transparent management of personal information) and 11 (relating to the obligation to keep personal information secure).
OAIC will begin by conducting an initial survey of a number of GP clinics in Australia, and will then perform detailed assessments of a smaller sample of clinics. OAIC will publish its findings and recommendations on its website in de-identified reports.
If your GP clinic receives notification of an upcoming privacy assessment from OAIC, you may wish to contact your Medical Defence Organisation for advice.
If you are a GP clinic that uses My Health Record and does not have a suitable security access policy in place, now is the time to act.
For further information about your privacy obligations, please contact Karen Keogh or Chelsea Gordon.
This article was written by Karen Keogh, Partner and Chelsea Gordon, Associate.