Practice standards

Computer and information security standards

Standard 3: Information security policies and procedures

Our practice has documented policies and procedures for managing computer and information security

Compliance indicators

The compliance indicators listed in the matrix identify the specific actions that comprise good security practice for Standard 3.

It is assumed the practice will provide appropriate education and training to facilitate compliance with this Standard.

The compliance indicators at level 3 reflect the minimum level of computer and information security acceptable for this Standard. The compliance indicators for higher levels provide the basis for incremental security improvement.

Security policy and procedures compliance indicators

Maturity levels: Level 1 Initial; Level 2 Repeatable; Level 3 Defined (minimum); Level 4 Managed; Level 5 Optimised

3.1 Policy content
  • Level 1: No formal policy
  • Level 2: No complete written policy
  • Level 3: Complete written policy
  • Level 4: Complete written policy, periodically reviewed
  • Level 5: Complete written policy, reviewed annually

3.2 Policy communication
  • Level 1: Policy not communicated to the practice team
  • Level 2: Policy communicated verbally to the practice team
  • Level 3: Policy communicated in written format to relevant practice team members
  • Level 4: Policy communicated in written format, training provided and all practice team members have access to the policy
  • Level 5: Policy available in written format to relevant practice team members; regular training for the practice team and communication strategy reviewed against policy; all practice team aware of the content and implications of the policy

3.3 Compliance indicators
  • Level 1: Not done and/or only verbally defined
  • Level 2: 30% completed
  • Level 3: 70% completed
  • Level 4: 90% completed
  • Level 5: 100% completed

3.4 Practice team agreements
  • Level 1: Informally defined
  • Level 2: Partially documented
  • Level 3: Fully documented
  • Level 4: Documented and updated as required; accessible on request
  • Level 5: Documented, annually reviewed and updated; accessible to all practice team members

3.5 External service provider agreements
  • Level 1: Informal verbal
  • Level 2: Partial set of standard policies used
  • Level 3: Partial set of standard policies adapted for practice
  • Level 4: Full set of policies contextualised for practice
  • Level 5: Contractual and confidentiality policies written, communicated and annually reviewed

3.6 PCEHR policy
  • Level 1: Template used, with practice-specific policy documented
  • Level 2: Policy documented and version controlled; ad hoc training on legal responsibilities
  • Level 3: Reviewed annually; communicated and accessible to practice team members; education in legal obligations of interaction with the PCEHR regularly reiterated (required to be eligible to register for the PCEHR under PCEHR Rule 25(4))
  • Level 4: As for Level 3
  • Level 5: As for Level 3
Adapted and reproduced with permission from Dr Patricia Williams

Helpful templates for this Standard

Templates 1.1–12.1 will assist in achieving compliance. Completion of these templates will ensure you have fully documented the requirements of this Standard.

3.1 Policy content

Practices should document in the policy and procedure manual all of the policies and procedures relating to the security, installation and use of computers, and electronic communication. Responsibilities for each component of computer and information security should be clearly defined, the policies should be clear, and the procedures should contain simple instructions that are easy to follow. It is of utmost importance to think through and discuss the contents of the manual with the practice team to ensure compliance and implementation.

All policies should have the following general structure:

  • purpose and objectives of the policy
  • scope of the policy (i.e. to whom and what it applies, and under what circumstances)
  • definition of computer and information security incidents and their consequences
  • organisational structure and defined roles, responsibilities and levels of authority
  • reporting requirements and contact forms.

Additional information on what should be in each section is provided in the relevant section of this document. The templates will provide guidance as to what information should be recorded in the policies.

3.2 Policy communication

The policy should be in written format and communicated to relevant practice team members.

3.3 Compliance indicators

Assessing the practice’s current status against the compliance indicators (at the beginning of each Standard section) is important. This provides a simple method for identifying and implementing improvements in the practice’s security status.

3.4 Practice team agreements

A policy and procedures manual provides information and guidance to the practice team on the protocols in managing the computer and information systems. It is a source of information to clarify roles and responsibilities, and to facilitate the orientation of new practice team members. Confidentiality and privacy agreements for practice team members to sign, together with an appropriate computer use agreement (e.g. on internet and email usage), should be included in this manual. All practice team members and others, as identified in the risk assessment, should sign these agreements. These act to protect the owners of the practice in the event of legal action against the practice arising out of a security breach.

A generic confidentiality agreement can be found in Template 1.4. This agreement can be used to ensure that practice team members and other people working in a practice who may have access to confidential patient or business information comply with privacy and security of information as required under legislation, including the Privacy Act 1988 (amended) and the National Privacy Principles.

While there are significant levels of trust inherent in the healthcare environment, caution should be exercised in automatically extending this to external service providers.

3.5 External service provider agreements

There is an onus on the practice to ensure that anyone who has legitimate access to practice clinical and/or business information is aware of their obligations to comply with practice policies related to that information. Since technical service providers and those providing software and system support are usually granted unrestricted access to practice data, the following gives guidelines on what contractual agreements should contain.

Contractual agreements with technical service providers

The practice should have a contract in place for the external service providers they use. Contractual arrangements with outsourced technical service providers should include:

  • data confidentiality: sensitive clinical and business information must be kept private
  • remote access: if the technical service provider accesses the network remotely, there has to be agreement on what they can or cannot view. If they can view ‘everything’, including files saved on workstations, then all practice team members should be aware of this. Entities to whom information may be disclosed by a practice (or the types of entities to whom a practice would be likely to disclose information) must be stated in the practice’s published privacy policy
  • backups and restoration procedures: what is the procedure? How often are the procedures tested? When is the ability to restore data tested?
  • response times: how long will it take the technical service provider to give phone advice? Provide assistance via remote access? Attend onsite? Provide after-hours assistance?
  • costs: what are the routine maintenance costs? What about additional work in case of a computer malfunction? What are the differences in costs in business hours and after hours?
  • regular maintenance: does the IT service provider undertake monthly server checks? Does the software provider perform software and drug updates and how often?
  • audit log: what audit log checking will be undertaken of the network and how will this be reported to the practice?
  • secure disposal of information assets: how are information assets (e.g. backups) disposed of or returned to the practice? (see Section 11)
  • cloud services: where is the data stored? What security assurances are provided?

3.6 National eHealth record system (PCEHR) policy

In addition to the computer and information security policy, a policy to cover the specific requirements of the PCEHR Act and Rules is required, as specified in the PCEHR Participation Agreement. Parts of this policy may refer to other practice policies and therefore it is important to ensure that all policies are dated and have version numbers in order to meet the requirements of the legislation.

Templates 1.1, 1.2, 2.26 and 4.1 will make it easier for you to achieve compliance.