Security and privacy

Security and privacy requirements for general practitioners


Last revised: 18 Apr 2023

GPs must access My Health Record only when providing health care, when authorised by the law or in emergencies.

My Health Record operates on an "authorised by law" model: explicit patient consent is not required for every upload or view. GPs must nonetheless respect any access controls and restrictions a patient has set. It is recommended that healthcare providers discuss information of a sensitive nature with the patient before uploading it.

Documents that GPs upload to My Health Record must be accurate, current and clinically relevant, and should meet professional standards for data quality. If a GP uploads incorrect information, it must be corrected as quickly as possible.

Information security protects access to My Health Record. It involves technical safeguards and physical security measures that GPs can implement.

Technical safeguards include:

  • using individual login credentials for any practice system that provides access to My Health Record
  • never sharing login credentials with others
  • using passwords that are unique and hard to guess
  • never writing down or sharing passwords
  • not using personal devices to access My Health Record unless they are approved for use and encrypted by the general practice to protect patient information

Physical security measures include:

  • positioning computer screens so My Health Record information cannot be viewed by unauthorised people
  • locking screens or logging out of systems when leaving a workstation to prevent access to systems that can share information with My Health Record

GPs offering services at a general practice must:

  • comply with the specific policies the practice is legally required to have in place, namely its My Health Record Security and Access policy and its Privacy policy
  • complete any mandatory training directly related to My Health Record.

General practices will have processes in place to manage data breaches and unauthorised access to practice systems, including specific requirements for My Health Record. Individual GPs should immediately report any suspected security breach to the relevant person within the practice, usually the Organisation Maintenance Officer (OMO), who handles any My Health Record breaches at the practice.