
Practice standards

Computer and information security standards

Appendix B – National eHealth system security requirements

Conforming to the Standards demonstrates sound information security governance and compliance with the following security requirements.

  • Allocation of a person to the role of Responsible Officer (as defined by the Healthcare Identifiers Act) and an Organisation Maintenance Officer (as defined by the Healthcare Identifiers Act) to be the contact person for the Healthcare Identifiers Service and the PCEHR System Operator.
  • Participation Agreement: Notification of known and suspected data breaches that may affect the PCEHR to the System Operator. This is covered in the data breach response and notification section.
  • Healthcare Identifiers Act: Protection of healthcare identifiers (Division 5, 27). Reasonable steps to protect healthcare identifiers against misuse and loss, and from unauthorised access, modification or disclosure.
  • Personally Controlled Electronic Health Records Act and Rules (Division 2 Security Requirements):
    • provision of a practice policy specifying the access controls in relation to the PCEHR; how staff accessing the PCEHR will be trained and educated in security awareness; the process for identifying access requesters; and the security measures in place (or to be put in place)
    • dissemination and enforcement of the PCEHR practice policy
    • the policy must be version controlled, up to date and auditable with at least annual reviews
    • regular (annual) risk assessment in relation to the policy is undertaken
    • practices must have a policy or other documentation that details the computer and information security measures in place
    • practices must have a policy or other documented procedure for data breach and security incident management
    • a copy of the relevant policies must be available when requested (within 7 days) by the System Operator
    • effective and appropriate user account management.

Note: to meet PCEHR Rule 28, Retention of record codes and document codes (as below), practices should ensure that the practice team are aware that they should not be recording record and document codes, such as a patient’s individual health identifier, from the PCEHR in any format (paper or electronic).

Healthcare provider organisations must ensure that people using their information technology systems to access the PCEHR system via or on behalf of the organisation do not record, store or retain a copy of a consumer’s record code or document code for the purposes of accessing the consumer’s PCEHR, or a record in the consumer’s PCEHR, in the future.

The Royal Australian College of General Practitioners
