Appendix B – National eHealth system security requirements
Conforming to the Standards demonstrates sound information security governance and compliance with the following security requirements.
- Allocation of a person to the role of Responsible Officer (as defined by the Healthcare Identifiers Act) and an Organisation Maintenance Officer (as defined by the Healthcare Identifiers Act) to be the contact person for the Healthcare Identifiers Service and the PCEHR System Operator.
- Participation Agreement: Notification of known and suspected data breaches that may affect the PCEHR to the System Operator. This is covered in the data breach response and notification section.
- Healthcare Identifiers Act: Protection of healthcare identifiers (Division 5, 27). Reasonable steps to protect healthcare identifiers against misuse and loss, and from unauthorised access, modification or disclosure.
- Personally Controlled Electronic Health Records Act and Rules (Division 2 Security Requirements):
  - provision of a practice policy specifying the access control in relation to the PCEHR; how staff accessing the PCEHR will be trained and educated in security awareness; process for identification of access requesters; the security measures in place (or to be put in place)
  - dissemination and enforcement of the PCEHR practice policy
  - the policy must be version controlled, up to date and auditable with at least annual reviews
  - regular (annual) risk assessment in relation to the policy is undertaken
  - practices must have a policy or other documentation that details the computer and information security measures in place
  - practices must have a policy or other documented procedure for data breach and security incident management
  - a copy of the relevant policies must be available when requested (within 7 days) by the System Operator
  - effective and appropriate user account management.
Note: to meet PCEHR Rule 28, Retention of record codes and document codes (as below), practices should ensure that the practice team are aware that they should not be recording record and document codes, such as a patient’s individual health identifier, from the PCEHR in any format (paper or electronic).
Healthcare provider organisations must ensure that people using their information technology systems to access the PCEHR system via or on behalf of the organisation do not record, store or retain a copy of a consumer’s record code or document code for the purposes of accessing the consumer’s PCEHR, or a record in the consumer’s PCEHR, in the future.