Did You Know 2022

Did you know that you must have a MyHR System and Access Policy?

Authored by David Carroll

Welcome back. It has been a few weeks since our last post. 

Here at Corum Health, we are always dedicated to staying on top of the latest developments in the healthcare sector that affect both our business and our valued pharmacy customers. Recently, we’ve been informed about a significant development in the Australian My Health Record legislation. It involves the Australian Digital Health Agency (ADHA) conducting audits of pharmacies to ensure compliance with specific guidelines, including establishing a My Health Record Security and Access policy.


Our team has been made aware that the Australian Digital Health Agency is conducting audits of healthcare organisations, including pharmacies, to ensure compliance with these guidelines. Specifically, the Agency is asking pharmacies to provide a copy of their current My Health Record Security and Access policy under Rule 43(1) of the My Health Records Rule 2016. Compliance with this request is mandatory under Rule 43(2).

The Australian My Health Record System: A Brief Overview
The My Health Record system is a centralised digital repository that securely stores an individual’s health information, letting authorised healthcare providers access and share essential medical data. This system is managed by the Australian Digital Health Agency, which serves as the System Operator. The goal is to enhance patient care by providing healthcare professionals with a comprehensive view of a patient’s medical history and relevant documents, thus helping with more informed and effective treatment decisions at the point of care.

The Agency’s Role in Ensuring Security and Compliance
The Australian Digital Health Agency conducts routine reviews of various healthcare organisations, including pharmacies, to ensure the My Health Record system’s security, privacy, and compliance are maintained. One of the critical requirements for these pharmacies is to have a My Health Record Security and Access policy in place. This policy is required under Rule 42 of the My Health Records Rule 2016.

Understanding the Rule 42 Policy and Mandatory Compliance
Rule 42 outlines the essential elements that must be included in a pharmacy’s My Health Record Security and Access policy. The policy is required regardless of the size of the business and extends to sole traders. These elements encompass various aspects of security, privacy, and data management to ensure the confidentiality and integrity of patients’ health information.

At a minimum, your Security and Access policy must reasonably address the following matters:

  • How people are authorised to access the My Health Record system, and how access is deactivated or suspended when specific circumstances arise.
  • The training that is provided to employees before they access the My Health Record system, including:
    – How to use the system accurately and responsibly
    – The legal obligations of healthcare provider organisations and individuals and
    – The consequences of breaching those obligations.
  • The process for identifying a person who requests access to a healthcare recipient’s My Health Record and communicating the person’s identity to the System Operator.
  • The physical and information security measures taken by the healthcare provider organisation and people accessing the My Health Record system.
  • Mitigation strategies to promptly identify, act upon and report security risks.
  • Assisted registration information (if applicable).

The Australian Digital Health Agency issues formal requests to pharmacies under Rule 43(1) of the Rule, requiring them to provide a copy of their current My Health Record access policy. Compliance with this request is required under Rule 43(2). After receiving the policy, the Agency reviews its content to assess whether the required topics outlined in Rule 42(4) are adequately covered. The review focuses on whether these topics are included rather than on evaluating the policy’s effectiveness.

Corum’s Cyber Defence and Safeguard: Empowering Pharmacy Compliance
In response to the Australian Digital Health Agency’s audits of pharmacy My Health Record access policies, we recognise the need to provide comprehensive assistance to our customers. Our Corum Cyber Defence and Safeguard program is designed with your pharmacy’s success and compliance in mind.

As part of this program, we offer subscribed customers access to a set of industry-specific and standards-compliant Cyber Security Policies. The set of policies includes a My Health Record Security and Access Policy. This means you need not navigate the complexities of writing your own policy. Our in-house CISO has carefully crafted a policy that aligns with the requirements outlined in Rule 42 of the My Health Records Rule 2016. With this policy at your fingertips, your pharmacy is well-prepared for audits and compliant with the legislation as it currently stands. 

If you are worried about the security of your pharmacy systems and want to establish robust cyber defences in your pharmacy and protect yourself from ransomware, speak to your Corum customer service manager or contact us at 1300 669 865.