Standards for general practices (4th edition)

including Interpretive guide for Aboriginal and Torres Strait Islander health services

Standard 4.2 Management of health information

Our practice has an effective system for managing patient information.

Criterion 4.2.2

Information security

Our practice ensures the security of our patient health information.

Indicators

► A. Our practice team can demonstrate that the personal health information of patients of our practice is neither stored, nor left visible, in areas where members of the public have unrestricted access or where constant staff supervision is not easily provided.

► B. Our practice ensures that our practice computers and servers comply with the RACGP computer security checklist and that:

  • computers are only accessible via individual password access to those in the practice team who have appropriate levels of authorisation
  • computers have screensavers or other automated privacy protection devices enabled to prevent unauthorised access to computers
  • servers are backed up and checked at frequent intervals, consistent with a documented business continuity plan
  • backup information is stored in a secure off-site environment
  • computers are protected by antivirus software that is installed and updated regularly
  • computers connected to the internet are protected by appropriate hardware/software firewalls.

► C. If our practice uses computers to store personal health information, we have a business continuity plan that has been developed, tested and documented.

► D. Our practice has a designated person with primary responsibility for the practice’s electronic systems and computer security.

► E. Our communication devices are accessible only to authorised staff.

► F. Electronic data transmission of patient health information from our practice is in a secure format.

► G. Our practice has an appropriate method of destroying health record systems before disposal (eg. shredding of paper records, removal and reformatting of hard drives).

Explanation

Key points

  • The privacy and security of health information held by a practice is a legal obligation
  • Computer security is an important aspect of information security
  • Information security must encompass availability of information, integrity of information and designated access to information
  • Computerised practices need a contingency plan to cover computer crashes
  • The practice needs a designated staff member with primary responsibility for computer security.

RACGP resources

The RACGP Computer and Information Security Standards (CISS) and accompanying workbook provide guidance on the essential information needed to put in place effective computer and information security. The workbook, when completed by practice staff, forms part of the general practice's policies and procedures manual. The computer and information security checklist provides a record of the 12 basic computer and information security categories that should be undertaken.

Computer security

It is important to have a designated member of the practice team with responsibility for computer security.

This person needs to know whom to call for expert advice and when to call them, educate staff on data security and ensure security protocols are followed. The contact details of any external expert used by the practice need to be available to other relevant practice staff.

Business continuity plan

When a practice uses computers to store patient health information, the practice needs to have a sound backup system and a contingency plan to protect practice information in the event of an adverse incident, such as a system crash or power failure. This plan needs to encompass all critical areas of the practice’s operations such as making appointments, billing patients and collecting patient health information. Once a plan has been formulated, it needs to be tested on a regular basis to ensure backup protocols work properly.

Consideration needs to be given to the increasing portability of computer based systems. These need to be managed in an equally secure manner as the main practice network. Furthermore, being potentially more accessible to people outside the practice team, the physical security of portable equipment needs to be taken into account (eg. laptop computers, personal digital assistants [PDAs] and mobile telephones carried by GPs when travelling between different locations).

Replacing equipment with hard drive memory

The practice is advised to review the RACGP Computer security guidelines: A self assessment guide and checklist for general practice (3rd edition) when equipment is to be made redundant by the practice, to ensure key information is not lost or transferred inadvertently. Deleting records is insufficient to clear data from a computer system: deleted files, and the contents of a drive that has only been quickly reformatted, remain on the disk until they are overwritten. Drives should be wiped with a tool that overwrites the whole disk, or physically destroyed, before the equipment leaves the practice.

Practices need to be aware that other equipment such as photocopiers and fax machines may have hard drive memory and that confidential information needs to be properly removed before the practice disposes of such equipment.

Preventing unauthorised access to patient health information

It is likely that practices will have different levels of access to patient health information for different staff members and this differentiated access needs to be documented in the practice’s policy and procedure manual. To protect the security of health information, GPs and other practice staff should not give their computer passwords to others in the team.

Patient health records and computer screens should be positioned so confidential information is not readily visible to anybody but the appropriate members of the practice team. Screen savers or other automated privacy protection devices should be used to prevent unauthorised access to computers in a situation like a doctor momentarily leaving the consultation room. Although the focus of this criterion is information security, it is noted that many doctors now use the computer screen as a useful tool for sharing information with patients during a consultation.

Active and inactive patient health records

The practice must ensure that both active and inactive patient health records are kept and stored securely. An inactive patient health record is generally considered to be the record of a patient who has not attended the practice/service three or more times in the past 2 years. It is recommended that inactive patient health records are retained by the practice indefinitely or as stipulated by the relevant national, state or territory legislation. General practices may want to consult their GPs' medical defence organisations when deciding on the practice's policy with respect to the retention of records.

Changes to computer hardware and software over time may prevent older versions of medical software from running correctly on newer systems and provision needs to be made for this eventuality, which may include retaining older systems for record storage purposes.

Standard 4.2 Management of health information

Our practice has an effective system for managing patient information.

Criterion 4.2.2

Information security

Our practice ensures the security of our patient health information.

In a nutshell

Privacy and security of patient health information held in hard copy or electronic form by your health service is a legal requirement. Computer security is an important aspect of patients’ health information security. It includes not only the storage of patient health information, but also the availability and integrity of, and designated access to, this information.

In addition to appropriate measures to maintain information security, a computerised practice needs a contingency plan to cover information recovery situations such as computer crashes. Designating a staff member with primary responsibility for electronic systems and computer security is vital.

Key team members

  • Health service manager
  • Computer information technology manager

Key organisational functions

  • Electronic communications policies
  • Electronic records policy
  • Patient health records policy
  • Privacy and confidentiality policy and processes
  • Culling policy

Indicators and what they mean

Table 4.4 explains each of the indicators for this criterion. Refer to Criterion 4.2.2 Information security of the Standards for general practices for more information and explanations of some of the concepts referred to in this criterion. 

Table 4.4 Criterion 4.2.2 Information security
Indicator / What this means and handy hints
▶ A. Our practice team can demonstrate that the personal health information of patients of our practice is neither stored, nor left visible, in areas where members of the public have unrestricted access or where constant staff supervision is not easily provided. Your service's privacy policy (and procedures) identifies and addresses every possible risk that members of the public might be able to view hard or electronic copies of personal health information, in any location at which your service provides services and programs.

Your health service may also have an information technology policy that sets out the conditions in which information technology is used to store, access and retrieve patient health records. The policy could clearly set out:
  • the provision of passwords and levels of security and access to patient health records
  • the conditions of storage of health record information, such as data entry in non-public areas
  • the positioning and design of furniture and equipment, so that the privacy and confidentiality of patient information is maximised
  • the safe and secure use of portable equipment.
Your computer security policy/manual could provide that:
  • computers are only accessible via individual password to those in the health service team who have appropriate levels of authorisation
  • computers have screensavers or other automated privacy protection devices enabled to prevent unauthorised access to computers.
▶ B. Our practice ensures that our practice computers and servers comply with the RACGP computer security checklist and that:
  • computers are only accessible via individual password access to those in the practice team who have appropriate levels of authorisation
  • computers have screensavers or other automated privacy protection devices enabled to prevent unauthorised access to computers
  • servers are backed up and checked at frequent intervals, consistent with a documented business continuity plan
  • backup information is stored in a secure off-site environment
  • computers are protected by antivirus software that is installed and updated regularly
  • computers connected to the internet are protected by appropriate hardware/software firewalls.
There are two ways practices can meet Criterion 4.2.2 of the RACGP Standards for general practices (4th edition) (the Standards). Practices need to comply with either:
  • the minimum compliance requirements: the RACGP Computer security guidelines: A self assessment guide and checklist for general practice (3rd edition) (the Guidelines)
  OR
  • the RACGP Computer and information security standards for general practices and other office-based practices (2nd edition) (the CISS 2nd edition).
By complying with either the Guidelines or the CISS 2nd edition, practices will meet Criterion 4.2.2 of the Standards for accreditation purposes.

For practices that choose to use the Guidelines for accreditation purposes, the RACGP strongly recommends that practices familiarise and work towards meeting the requirements set out in the CISS 2nd edition as part of the practice’s continuous quality improvement program.

Please note: practices that are participating in the national eHealth records system – which includes the personally controlled electronic health record (PCEHR) – are required to develop, maintain, enforce and communicate to staff written policies that ensure that the practice’s use of the eHealth record system is secure, responsible and accountable. Compliance with the RACGP Computer and information security standards for general practices and other office-based practices (2nd edition) (the CISS 2nd edition) will assist practices to meet these professional and legal obligations. This is a separate requirement to accreditation.
▶ C. If our practice uses computers to store personal health information, we have a business continuity plan that has been developed, tested and documented. If your health service uses computers to store personal health information, you need to have a backup system that provides for situations of computer crashes or power failure. This will ensure that in these situations, critical areas of your service – such as making appointments, billing patients and patients’ health information – are protected. The plan needs to be tested on a regular basis, to make sure that the backup protocol for information recovery works properly.

Additionally, if your service uses portable equipment (such as laptops, mobile phones or tablets), the physical security of this equipment will need to be monitored.
▶ D. Our practice has a designated person with primary responsibility for the practice’s electronic systems and computer security. Your health service needs to designate a staff member to be responsible for computer security and for updating and maintaining the computer security policy and procedure manual. This staff member is responsible for contacting the relevant expert advisor, educating staff on data security and ensuring that security protocols are being followed. All relevant staff members could also be provided with details of any external experts used by your health service.
▶ E. Our communication devices are accessible only to authorised staff. Where your health service provides electronic communication devices such as laptops, tablets or phones, it is important to ensure that only authorised staff have access to them. You can do this by providing appropriate levels of security, such as password access and guidelines for use. This could be documented in an electronics devices policy and/or manual.
▶ F. Electronic data transmission of patient health information from our practice is in a secure format. It is vital that your health service provides the necessary level of software/hardware protection in your electronic devices and computers so that patient health information is encrypted in transit. Ordinary email is not a secure format; patient health information should be sent through an encrypted channel or a secure messaging service. Staff access to the transmitted information should similarly be granted only once the necessary protections (such as passwords) are in place.
▶ G. Our practice has an appropriate method of destroying health record systems before disposal (e.g. shredding of paper records, removal and reformatting of hard drives). Your health service could develop a policy on the destruction and disposal of health records that sets out steps for safe disposal and compliance with privacy requirements, to ensure that:
  • physical documents are shredded or similarly destroyed
  • computer hardware/software upgrades or changes provide for removal and deletion of information or appropriate clearance of data prior to disposal
  • hard-drive memories of electronic equipment (including faxes and photocopiers) and devices are cleared prior to disposal
  • guidelines are available for the secure destruction and disposal of patient health records.
When patient records become inactive, it is recommended that they be retained indefinitely or as stipulated by the relevant national, state or territory legislation. It is also recommended that your service consult medical defence organisations when deciding on your policy with respect to retention of health records.

Case study

Below is a description of the ways in which an Aboriginal community controlled health service can ensure the security of its patient health information. Not all of these good practices are required by the Standards, but they illustrate the many practical and creative things that ACCHSs can do to ensure they deliver services of high safety and quality to their community.

The paper-based patient health records that the service still has are stored in a lockable room to which patients do not have access.

The staff induction process and on-the-job training informs staff members of the process for computer security and continuity of work practices if the computers fail.

Staff members have individual computer passwords that are automatically scheduled to be changed every 60 days. All laptops are password protected and used in accordance with the service’s security protocols.

Each computer is set to automatically display a screensaver when the computer has not been used for a set period of time.

Staff members are required to log out when they have finished entering patient information and then log back in when using any laptops or portable equipment that may contain patient health records.

Staff access to patient health information varies according to their role – for example, finance staff do not have access to patient health files but do have access to the accounting and Medicare billing software; doctors have full access to health files; and reception staff have access to patient demographics and the appointment book.

The service has a business continuity plan with protocols for levels of staff access, retrieval of electronic patient health records and other important information – such as patient appointments and billing – in the event of an adverse incident, such as a system crash or power failure. The plan is tested on a regular basis to ensure backup protocols work properly and information can be recovered. See also: case study for Criterion 1.7.1 Patient health records.

The service has specific security protocols to address:

  • email use – no confidential information is provided by email; do not reply to spam mail
  • access to the internet, usage limits and the process to gain authorisation to blocked sites
  • type of antivirus software, subscription details and how often it is automatically updated
  • how incremental and full backups of the server and other computers occur, and when
  • software and hardware firewall installation to assist in prevention of intrusion by hackers
  • asset register of all computers, laptops, printers and other devices
  • the network diagram
  • the processes for continuing business if the computers are no longer functioning. This includes the use of a manual appointment book, manual billing, use of paper-based scripts, pathology, radiology and referrals. It also directs staff members to a register of contacts and allied health professionals located in reception.

Each month the practice manager runs a Medicare billings report and a patient data report twice: on the afternoon before the backup and again the following morning, to check that the two reports are identical. If there are any differences the practice manager contacts the IT provider to check the backup.
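The before-and-after report comparison in the case study is a manual integrity check on the backup. The following Python script is an added example (it is not part of the RACGP page or of any RACGP tool) that generalises the same idea: it records a SHA-256 manifest of the live data files before the backup runs, then verifies a restored copy against that manifest and reports any file that is missing, altered or unexpected. The file names and contents are constructed sample data, not real practice records.

```python
"""Verify a restored backup against a hash manifest taken before the backup.

Added example, not RACGP code. The sample files below are constructed.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path

# Constructed sample exports standing in for the billing and patient reports.
SAMPLE_FILES = {
    "patients.csv": "id,name,dob\n1,Example Patient,1970-01-01\n2,Another Patient,1985-05-05\n",
    "billing.csv": "invoice,patient_id,amount\n1001,1,85.00\n1002,2,120.00\n",
}


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large exports do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file (path relative to root, POSIX form) to its SHA-256 digest."""
    return {
        path.relative_to(root).as_posix(): sha256_file(path)
        for path in sorted(root.rglob("*"))
        if path.is_file()
    }


def verify_restore(manifest: dict, restored: Path) -> list:
    """Compare a restored directory with the pre-backup manifest.

    Returns a list of discrepancies; an empty list means the restore matches
    what was recorded before the backup ran.
    """
    problems = []
    found = build_manifest(restored)
    for rel, digest in manifest.items():
        if rel not in found:
            problems.append(f"missing: {rel}")
        elif found[rel] != digest:
            problems.append(f"changed: {rel}")
    for rel in found:
        if rel not in manifest:
            problems.append(f"unexpected: {rel}")
    return problems


def demo() -> tuple:
    """Run the check against a faithful restore and a truncated one.

    Returns (problems_for_good_restore, problems_for_bad_restore).
    """
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        live.mkdir()
        for name, body in SAMPLE_FILES.items():
            (live / name).write_text(body)

        # Taken "the afternoon before backup": the reference the restore is checked against.
        manifest = build_manifest(live)

        # A faithful restore: every file present with identical content.
        good = Path(tmp) / "restore_ok"
        shutil.copytree(live, good)

        # A bad restore: the billing export came back truncated (one invoice lost).
        bad = Path(tmp) / "restore_bad"
        shutil.copytree(live, bad)
        (bad / "billing.csv").write_text("invoice,patient_id,amount\n1001,1,85.00\n")

        return verify_restore(manifest, good), verify_restore(manifest, bad)


if __name__ == "__main__":
    ok_problems, bad_problems = demo()
    print("faithful restore:", ok_problems or "verified")
    print("truncated restore:", bad_problems)
```

In practice the manifest would be written to a file (or printed and filed) before the backup job, and the check run against a test restore rather than the live server, so that a silently failing backup is caught before it is needed.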

All health service computers are fitted with an uninterruptible power supply (UPS) that allows approximately 2 hours of computer usage if the power supply is temporarily lost. The service's smaller remote clinic has a backup generator in place to maintain electricity to the computer system. This allows time for clinical care to continue and for backup and closure of non-essential computers if the usual power supply is interrupted.

There is a designated staff member responsible for computer and information security and liaison with the external IT provider. The health service has a formal service level agreement in place with the external IT provider, including a confidentiality agreement.

The health service has a contract with a licensed, secure, shredding company as well as shredders at each of its clinics to ensure destruction of any patient health information or confidential business information.

The health service ensures that all information, including patient health information, is removed from any computers or other equipment with hard-drive memory (such as photocopiers and fax machines) prior to the disposal/replacement of the equipment.

Showing how you meet Criterion 4.2.2

Below are some of the ways in which an Aboriginal community controlled health service might choose to demonstrate how it meets the requirements of this criterion for accreditation against the Standards. Please use the following as examples only, because your service may choose other, better-suited, forms of evidence to show how you meet the criterion.

  • Maintain a privacy and confidentiality policy and procedures.
  • Maintain an information technology policy and procedures.
  • Show a physical layout that keeps patient health information out of the view of members of the public.
  • Show that you maintain individual staff passwords.
  • Show that you operate screensavers.
  • Operate a server backup log.
  • Show that you maintain offsite storage of backup.
  • Show that you maintain up-to-date antivirus protection.
  • Show that you maintain hardware/software firewalls.
  • Show that you maintain a tested business continuity plan for information recovery.
  • Show that you maintain an emergency generator.
  • Show that you use job descriptions.
  • Maintain a logout register for laptops and mobile phones.
  • Show that you maintain a secure area for storage of portable devices.
  • Show that you maintain data encryption via public key infrastructure.
  • Show that you operate secure messaging.
  • Maintain a shredder and/or show that you maintain a secure document-shredding agreement with a recognised provider.
The Royal Australian College of General Practitioners

The Royal Australian College of General Practitioners (RACGP) ABN 34 000 223 807
RACGP House, 100 Wellington Parade, East Melbourne, Victoria 3002 Australia