Security and privacy requirements for practice owners


Last revised: 18 Apr 2023

All general practices participating in My Health Record have specific obligations under both the My Health Records Act 2012 (Cth) and My Health Records Rules 2026.

Rule 43 of the My Health Records Rules 2026 (formerly Rule 42 in the My Health Records Rule 2016) requires healthcare provider organisations to have, communicate and enforce a written Security and Access policy in order to register, and remain registered, to use the My Health Record system.

To ensure the My Health Record system is used responsibly and securely, practice owners must communicate and enforce the Security and Access policy to all individuals who use the practice systems to access My Health Record, including staff, contractors, and healthcare providers using the practice's services.

The Security and Access Policy must cover:

  • How GPs and practice staff are approved to access My Health Record and who can perform certain actions (viewing, uploading, editing).
  • Processes for verifying patients before accessing or uploading to their My Health Record.
  • User account management including unique logins, password protections, and prompt removal of access for staff who leave.
  • Technical and physical security measures such as screen privacy, secure storage, and encrypted systems.
  • Mandatory privacy, security, and My Health Record training for all staff, with regular refreshers.
  • Clear internal procedures for identifying, reporting, and escalating suspected breaches.
  • Regular updates to keep the policy current with legislative and system changes.

The OAIC has a Security and Access Policy template which provides guidance for healthcare provider organisations on meeting the requirements set out in Rule 43. Further information, including the Security and Access Policy template, can be found on the OAIC website.

Updated legislation

The My Health Records Rule 2016 has been replaced by the My Health Records Rules 2026, effective 1 April 2026.

A six-month transition period applies to existing participants (registered before 1 April 2026), with full compliance required by 1 October 2026. During this time, general practices may continue to apply the 2016 Rule.

New participants (registered on or after 1 April 2026) must comply with the 2026 Rules.

Requirements for a Security and Access Policy, formerly Rule 42 in the 2016 Rule, have been updated and renumbered in the 2026 Rules to Rule 43.

Practice owners must ensure the practice complies with the relevant Australian Privacy Principles (APPs) related to managing, collecting and using patient information, which include but are not limited to:

  • maintaining a current privacy policy
  • having a process in place for patients to lodge privacy complaints
  • processes to support review and correction of patient information including information in My Health Record
  • ensuring My Health Record is only used for providing health care
  • protecting personal information from misuse, interference, loss, unauthorised access, modification or disclosure.

The RACGP has a privacy policy template for general practices to use as a way of meeting their compliance requirements.

Any user of My Health Record must be authorised by the general practice. Authorisation must be documented, role based and limited to what is necessary for clinical or operational duties.

Users should be aware that any access to My Health Record is recorded in an audit trail, which cannot be turned off or modified.

General practices must revoke access immediately when a GP no longer offers services from the general practice or when a staff member ceases employment with the general practice. General practices must review their My Health Record security and access policy at least annually. Reviews are also mandatory whenever material, new, or changed risks are identified, such as staff turnover or changes in the operating system.

Practice owners must ensure the clinical information system used in the general practice is conformant with the My Health Record System requirements, which have been established to minimise the cybersecurity risks posed by systems connecting to My Health Record.

Clinical information systems should also include:

  • secure and unique user authentication
  • role based user profiles
  • encrypted data storage and transmission
  • secure servers located in Australia
  • access monitoring
  • automatic audit logging
  • strong cybersecurity standards
  • timely software updates.

General practice owners should ensure there is adequate physical and environmental security including protecting server rooms from unauthorised access, ensuring physical access to computers is restricted and supervised and positioning computer monitors to prevent unauthorised viewing.

General practice owners must ensure all staff who interact with My Health Record receive initial training before accessing the My Health Record. Training should include the appropriate use and disclosure of My Health Record information, organisational and individual legislative obligations specific to the My Health Record, privacy and security obligations, detecting misuse or suspicious activity and penalties for unauthorised access.

Training should be reviewed and provided annually or updated when there are changes to legislation, system functionality, or when new, material risks are identified.

General practice owners should maintain a register of training to provide evidence of compliance if required.

The Australian Digital Health Agency provides details of recommended My Health Record Training.

Any external provider accessing the practice systems must not access any My Health Record information unless explicitly authorised. General practice owners should ensure any third parties accessing the practice systems comply with the Security and Access policy and any relevant privacy laws.

General practice owners need to have systems in place to actively prevent and manage any data breaches. Where a data breach relates to My Health Record, it must be reported to the Australian Digital Health Agency, which, as the System Operator, must be notified of all breaches to ensure system integrity.

The OAIC must also be notified of any data breaches, since it handles privacy complaints and may investigate breaches.

More information on reporting My Health Record data breaches can be found in the OAIC’s Guide to mandatory data breach notification in the My Health Record system.

General practices must ensure they remain compliant with the participation requirements for My Health Record by regularly reviewing relevant policies, maintaining cybersecurity vigilance (including software updates and backups), and fostering a practice culture of security and safety.
