C o n t r o l l e d D o c u m e n t

Doc-ID: HEALTHINTRA-1880-4817

National eHealth Record System Implementation Guidelines

1. PURPOSE

The purpose of these guidelines is to:

• provide guidance to NT Health employees, contractors and any healthcare provider authorised to use a NT Health Clinical Information System (NT Health Staff) about their responsibilities in accessing and using the national eHealth record (PCEHR or personally controlled electronic health record) system; and

• promote compliance with the requirements of the Personally Controlled Electronic Health Record and Healthcare Identifiers Acts, Regulations and Rules.

2. BACKGROUND

2.1 National eHealth Record System

The Australian Government’s national eHealth record system was launched on 1 July 2012, following the passage of the Personally Controlled Electronic Health Records Act 2012. The Australian Government Department of Health is the national eHealth record System Operator.

People seeking healthcare in Australia can register for the national eHealth record – a secure, electronic summary of an individual’s important health information.

The national eHealth record system builds on the successful implementation of the Northern Territory’s My eHealth Record service, and will grow in content and functionality over time, in a similar way to the My eHealth Record implementation.

Medicare data, including MBS, PBS, Australian Organ Donor Register and Australian Childhood Immunisation Register data is incorporated into the national eHealth record system for those people who want such information to be part of their record.

Information on the national eHealth record system is available at http://www.ehealth.gov.au.

2.2 Healthcare Identifiers

The Healthcare Identifiers Service (HI Service) is a national system for uniquely identifying healthcare providers (organisations and individual healthcare providers) and consumers.

A healthcare identifier is a unique 16 digit reference number which helps to ensure the right health information is associated with the right individual. The HI Service forms the basis of other eHealth initiatives such as the national eHealth record system and the NT’s Secure Electronic Messaging Service.

The Australian Government Department of Human Services acting as the HI Service Operator manages the assignment, maintenance and disclosure of healthcare identifiers to healthcare providers and consumers. This is legislated under the Healthcare Identifiers Act 2010.

The HI Service became operational in July 2010. Information on the Service is available at http://www.medicareaustralia.gov.au/provider/health-identifier/.

3. SCOPE

These guidelines apply to all NT Health staff who have been authorised to access the national eHealth record system, within the following entities:

• NT Department of Health;

• Top End Health Service;

• Central Australia Health Service; and

• any other entity from time to time which is in the control of the Minister for Health and which performs, or is to perform, functions related to the activities and functions of the entities described above.

These guidelines also apply to any Contracted Service Provider of NT Health who has been authorised to access the national eHealth record system or the HI Service on behalf of NT Health.

These guidelines must be read in conjunction with the NT Health National eHealth Record System Participation Policy.

4. POLICY DETAILS 4.1 Consumer Information

Consumers who attend a NT Health facility will have access to material that:

• provides information on the national eHealth Record system and how NT Health operates with the national system;

• describes the differences between handling of information at the local system level and the national eHealth record system;

• outlines the process for withdrawal of consent for upload of clinical documents;

• outlines the process for restricted access controls including access codes and disclosing existence of a national eHealth record; and

• provides guidance on the raising and resolution of issues or complaints regarding NT Health’s access, use or disclosure of their national eHealth records.

4.2 National Healthcare Identifiers

NT Health’s collection, use and disclosure of the Individual Healthcare Identifiers (IHI), Healthcare Provider Identifiers - Individual (HPI-I) and Healthcare Provider Identifiers - Organisation (HPI-O) must be in compliance with the Healthcare Identifiers Act 2010 and Regulations.

NT Health maintains its own client identifier, the Hospital Record Number (HRN) as its primary client identifier. NT Health will use the Individual Healthcare Identifiers (IHIs) for e-health communications and for other purposes permitted under the Healthcare Identifiers Act 2010 and Regulations.

NT Health will comply with any Conformance, Compliance and Accreditation requirements set by the operators of the HI Service and the national eHealth record Service in relation to computer software it uses to connect to these services.

4.3 Registration and Authority to Act

The Northern Territory Department of Health is registered with the HI Service Operator as the Seed Organisation for NT Health and has been issued with a Healthcare Provider Identifier - Organisation (HPI-O).

NT Health has entered into a participation agreement with the national eHealth record System Operator and is registered to access and use the national eHealth record system.

The Chief Information Officer is NT Health’s Responsible Officer (RO) in dealing with the Healthcare Identifiers Service and the national eHealth record system.

The RO is responsible for oversighting the registration of Organisational Maintenance Officers (OMOs) with the HI Service and the national eHealth record system, and the network of HPI-Os required for NT Health’s eHealth communications, including connecting to the national eHealth record system.

The RO and OMOs for NT Health are authorised to act on its behalf in dealings with the HI Service Operator and national eHealth record System Operator.

4.4 Organisational Hierarchy and Access Flags

In relation to connecting to the national eHealth record system, the RO will define an appropriate organisational hierarchy for NT Health and assign access flags that are appropriate for the size and complexity of the structure of NT Health and consistent with NT Health’s internal information sharing norms. The organisational hierarchy will define the seed (head) organisation and the network

(subordinate) organisations that fall under that seed organisation, and the network organisations for which access flags are appropriate.

To identify the healthcare facility that has transacted with the national eHealth record, the RO will ensure that a network HPI-O is created and an access flag is set for each NT Health facility (eg Royal Darwin Hospital or Borroloola Health Centre) that uploads clinical documents into the national eHealth record. This is necessary to identify the facility in the consumer’s access list and audit log.

The RO will ensure that the organisational hierarchy structure and access flag assignments are reviewed as the structure changes, or where the national eHealth record System Operator or a consumer query reveals potential structural issues. NT Health commits to considering requests from the national eHealth record System Operator for reasonable changes that are consistent with NT Health’s internal information sharing policies, protocols and procedures.

The RO will ensure that an up-to-date record, which details the linkages between organisations in the NT Health organisational hierarchy, is maintained with the national eHealth record System Operator.

4.5 Advanced Access Controls/Consumer Consent

By default, the national eHealth record access control setting permits all participating healthcare organisations to upload, view and download their consumer’s clinical documents.

A number of control mechanisms are in place to allow the consumer to restrict access through the national eHealth record consumer online portal, or at the point of care.

4.5.1 Withdraw Consent to Upload

Each time a consumer attends a NT Health facility the consumer can request the health provider not to upload document/s to their national eHealth record.

NT Health will not upload document/s to the national eHealth record if the consumer withdraws consent. The requirement not to upload the document for the event will be flagged in the Clinical Information System that is used to upload documents to the national eHealth record system.

This withdrawal of consent is applicable for the particular event/episode/document and only for the specific facility. If the consumer attends the same facility or another facility at a future date, then it is the consumer’s responsibility to advise any further withdrawal of consent.

If consent is withdrawn after a clinical document has been uploaded into the national eHealth record, it is the consumer’s responsibility to remove the document from the national eHealth record system.

4.5.2 Withdraw Consent to Access

Each time a consumer attends a NT Health facility the consumer can request the health provider not to access or view their national eHealth record.

NT Health will not access or view the national eHealth record if the consumer withdraws consent.

This withdrawal of consent is applicable for the particular event/episode/document and only for the specific facility. If the consumer attends the same facility or another facility at a future date, then it is the consumer’s responsibility to advise any further withdrawal of consent.

4.5.3 Advanced Access Controls/Disclosing Existence

Through the national eHealth record consumer online portal, a consumer can set advanced access controls limiting which healthcare organisations are allowed to access the consumer’s record.

These controls apply at the level of healthcare organisations for which an access flag has been set.

A consumer can restrict viewing of all information (by setting a Record Access Code or RAC) or specific documents (by setting a Limited Document Access Code or LDAC).

Where these are in place, on presentation at a health facility, a consumer can provide their RAC or LDAC code to permit access to their national eHealth record or to any restricted document/s.

Where a RAC or LDAC code has been provided by a consumer to allow access, NT Health staff will not keep a copy of the code for future use.

There are some documents to which consumers cannot apply advanced access controls. These are shared health summaries, information about advanced care directives and consumer-entered health summaries.

A consumer may elect not to disclose the existence of their national eHealth record which will prevent healthcare providers from sending documents to, or viewing, the consumer’s national eHealth record. This is initially set and maintained by the consumer through the consumer online portal. The consumer can change it at any time in the same way that they can change other advanced access controls.

Where a consumer has elected not to disclose the existence of their national eHealth record, they can at the time of presenting for healthcare choose to disclose the existence of their national eHealth record to the healthcare organisation.

Consumers will be provided with information that any access controls they set for a particular NT Health facility will restrict direct access to their national eHealth record by staff acting on behalf of that facility. It will also note that these restrictions will not apply to copies of the same clinical documents held in, or downloaded to, NT Health’s local Clinical Information Systems.

4.5.4 Emergency Access

Section 64 of the Personally Controlled Electronic Health Record Act 2012 allows healthcare organisations to override advanced access controls in the case of a serious threat to an individual’s life, health or safety, or to public health and safety, where it is not practicable to ascertain the wishes of the consumer.

The eHealthNT Clinical Portal used for viewing the national eHealth record will allow users to override the advanced access control and assert to the System Operator that the record is being accessed in the circumstances of averting a serious threat.

Staff who use the override option must be able to justify the circumstances for the override during any audit by the System Operator.

4.6 Identification of NT Health Staff with Authorised Access to the National eHealth Record system

NT Health staff must only access the national eHealth record if this access is required by the duties of their role and their access is authorised. Staff who have been allocated a national Healthcare Provider Identifier – Individual (HPI-I) are authorised to access the national eHealth record for the purposes of providing healthcare to a consumer. The default mode of access to the national eHealth record is via the Clinical Information System they are authorised to use and the eHealthNT Clinical Portal.

NT Health staff who have not been authorised, must not seek access to a consumer’s national eHealth record.

4.6.1 Access via the Clinical Information System

All staff whose roles require them to access the national eHealth record will be provided access via a Clinical Information System. The HPI-I or alternative identifier assigned to authorised users by NT Health will be the identifier for the national eHealth record system access via the Clinical Information System.

NT Health staff will ensure that they assign a secure password to their user account and keep their password secret.

NT Health will immediately suspend or deactivate individual user accounts access to the national eHealth record in cases where a user:

• leaves the organisation, or

• has had the security of their account compromised, or

• has had a change of duties so that they no longer require access to the national eHealth record system.

Only user accounts assigned to individual staff will be authorised to access the national eHealth record. Group or shared logons will not have access to the national eHealth record system. All users will abide by the NTG End User ICT Services Policy.

All access to the national eHealth record will be logged and will be available to be audited by the System Operator. The Clinical Information System will pass onto the national eHealth record system the NT Health user identifier each time an access is made, and will also maintain a local access log.

These records will be maintained to allow audits to be conducted by the System Operator.

4.6.2 No Access via the Provider Portal

NT Health does not permit access to the national eHealth record via the Provider Portal. All access will be via a NT Health Clinical Information System as described in section 4.6.1.

4.7 Uploading Clinical Documents to the National eHealth Record

In uploading clinical documents to the national eHealth record system, NT Health will:

• maintain a local copy of every document uploaded to the national eHealth record;

• not infringe intellectual property or moral rights;

• not upload documents that contain defamatory material;

• only upload content for registered consumers;

• only upload documents approved by an authorised clinician; and

• take appropriate measures to ensure data quality and accurate identification of the consumer.

4.8 Viewing National eHealth Record Documents

Every time a clinical decision is made based on the information in a viewed national eHealth record clinical document, it is recommended that the source document details are noted in the consumer’s NT Health medical record.

4.9 National eHealth Record Training

All staff with authorisation to access the national eHealth record system on behalf of NT Health will be required to undertake national eHealth record training before they first access the system.

The national eHealth record training will provide information about roles and responsibilities in accessing the national eHealth record and use of NT Health’s Clinical Information Systems and eHealthNT Clinical Portal. Training will consist of a combination of training specific to the clinical software used by NT Health to access the national eHealth record and training materials provided by the System Operator through the learning centre.

If any new functionality is introduced into the system, additional training will be made available to those with authorised access to the national eHealth record system.

NT Health will maintain records of training as it relates to the national eHealth record.

4.10 Privacy and Security Requirements

The Personally Controlled Electronic Health Records Act 2012 and the Healthcare Identifiers Act 2010 have strict prohibitions and associated penalties regarding the unauthorised collection, use and disclosure of health information. Staff who are provided with access to the national eHealth record system must make themselves familiar with the security and privacy requirements of these systems.

4.11 Reporting Security Incidents

If any person becomes aware of a security incident, it is their responsibility to follow the reporting procedure outlined in the Department of Health’s Information Security Incident Guidelines.

A security incident is:

• when any unauthorised person accesses the national eHealth record; or

• when a staff member with access to the national eHealth record discovers that someone else may have gained access to their user account; or

• when an individual’s password is disclosed to another individual or individuals; or

• the accidental misuse or unauthorised disclosure of information from a person’s national eHealth record.

Security breaches must be reported to the Chief Information Officer or the Director, ICT, which may result in the following:

• the user account may be suspended until the extent and severity of the security incident is determined;

• the Chief Information Officer is notified of the incident; and

• the Chief Information Officer is required to report the incident to the System Operator.

4.12 Responding to Consumer Requests/Complaints

NT Health staff will make consumers aware of the process for raising issues or complaints and will log any issues of which they are made aware of.

Where a consumer asks a NT Health staff member to correct a national eHealth record document created by NT Health, and the health provider agrees, the request will be logged with the eHealthNT Clinical Services Team and the document modified within 5 working days. Alternatively, the

consumer may remove the document from the national eHealth record if they so choose.

In cases where there is disagreement between the health provider and the consumer about amendments to a national eHealth record clinical document, the consumer will be made aware of the ability to lodge a complaint with the System Operator or the Office of the Australian Information Commissioner.

4.13 Assisted Registration

Assisted registration is another channel for consumers to apply to be registered for the national eHealth record with the assistance of a registered healthcare organisation. The assisted registration

process involves the checking of a consumer’s identity before providing the consumer’s identifying information including their Individual Healthcare Identifier to the national eHealth record System Operator.

The manager of a NT Health facility that provides assisted registration to a consumer on behalf of NT Health must ensure that:

• the staff member undertaking assisted registration has been trained in the assisted registration process, and a record of this is made in the record of the training maintained by the eHealthNT Clinical Services Team;

• the ‘known customer’ model used for consumer identification complies with the PCEHR (Assisted Registration) Rules 2012;

• the one page assisted registration application form is provided to the consumer to complete along with the ‘Essential Information about assisted Personally Controlled Electronic Health Record registration’ document; and

• for each assisted registration that is completed, the one page assisted registration application form is signed by the consumer and the signed application form scanned to the consumer’s health record kept by the facility.

5. IMPLEMENTATION

Chief Operating Officers and Executive Directors are responsible for ensuring that all staff within their areas of responsibility adhere to NT Health’s National eHealth Record Participation Policy and National eHealth Record Implementation Guidelines.

5.1 Maintaining NT Health’s National eHealth Record Participation Policy

As the Department’s Responsible Officer and Seed Organisational Maintenance Officer, the Chief Information Officer:

• has legal responsibility for compliance with the Department’s National eHealth Record Participation Policy and National eHealth Record Implementation Guidelines, and national eHealth record legislation;

• is responsible for the implementation and compliance monitoring of the National eHealth Record Participation Policy and National eHealth Record Implementation Guidelines and for their

maintenance;

• will maintain a copy of the authorised current and all previous versions of the policy and implementation guidelines, and make them available on request by the System Operator;

• is responsible for ensuring the accuracy of National eHealth Record Participation Policy and National eHealth Record Implementation Guidelines and their compliance with national eHealth record legislation; and

• will ensure that the policy and implementation guidelines remain current and reflects changes in national eHealth record legislation and in the structure of the organisation.

5.2 System Operator’s Access to the NT Health National eHealth Record Participation Policy

The Chief Information Officer will ensure that copies of the Department of Health’s National eHealth Record Participation Policy and National eHealth Record Implementation Guidelines are made available to the System Operator within 5 working days of receiving the request where this request has been made in writing. The Chief Information Officer will ensure that the versions of the policy and implementation guidelines provided are the versions that were in force on the dates specified by the System Operator in its written request.

6. ASSOCIATED NTG AND DEPARTMENT OF HEALTH POLICIES, STANDARDS AND GUIDELINES

• NTG End User ICT Services Policy

• Department of Health Information Security Incident Guidelines

• Department of Health Privacy Policy

7. RELEVANT LEGISLATION AND GOVERNMENT POLICIES

• Information Act

• Healthcare Identifiers Act 2010 (Cth)

• Healthcare Identifiers Regulations 2010 (Cth)

• Personally Controlled Electronic Health Records Act 2012 (Cth)

• Personally Controlled Electronic Health Records Regulations 2012(Cth)

• PCEHR Rules 2012 (Cth)

• PCEHR (Participation Agreement) Rules 2012 (Cth)

• PCEHR (Assisted Registration) Rules 2012 (Cth)

8. REFERENCES

Much of the content for these guidelines has been drawn from the Inner East Melbourne Medicare Local Sample Security and Access Policy template the Victorian Eastern Health Service national eHealth record system (eHealth Record) Policy, the Queensland Health Personally Controlled Electronic Health Record (PCEHR) System Participation Policy and Implementation Standard and the Western Australian Department of Health Personally Controlled Electronic Health Record (PCEHR) System Policy.

NT Health thanks these organisations for making their policies available.

9. DEFINITIONS (main source - national eHealth record Rules 2012)

Access control mechanisms include default access controls and advanced access controls.

Access flag means an information technology mechanism made available by the System Operator to define access to a consumer’s national eHealth record.

Access list means the record associated with a consumer’s national eHealth record that specifies the registered healthcare provider organisations permitted to access a consumer’s national eHealth record.

Advanced access controls means the access controls available through the national eHealth record consumer online portal, which enable a registered consumer to set controls on the registered healthcare provider organisations and nominated representatives who may access the consumer’s national eHealth record, and the records within the national eHealth record.

Consumer-entered health summary means the summary of information, including medications and allergies, which a registered consumer may enter into his or her national eHealth record and which is available to anyone with access to the consumer’s national eHealth record.

Contract Service Provider has the same meaning as in the Information Act.

Default access controls means the access controls that apply where a registered consumer has not set controls on the registered healthcare provider organisations or nominated representatives who may access the consumer’s national eHealth record.

Limited Document Access Code or LDAC means a code which may be used to restrict access to individual records within a consumer’s national eHealth record.

Healthcare identifier has the same meaning as in section 9 of the Healthcare Identifiers Act 2010.

Identified healthcare provider has the same meaning as in the Healthcare Identifiers Act 2010.

Network hierarchy means a network of healthcare provider organisations created and managed in accordance with subsections 9A(3) to (7) of the Healthcare Identifiers Act 2010.

Network organisation has the same meaning as in the Healthcare Identifiers Act 2010.

NT Health includes NT Department of Health, Top End Health Service, Central Australia Health Service and any other entity from time to time which is in the control of the Minister for Health and which performs, or is to perform, functions related to the activities and functions of the entities on behalf of NT Health.

Organisation Maintenance Officer has the same meaning as in the Healthcare Identifiers Act 2010.

Provider portal means the portal provided by the System Operator that permits registered healthcare provider organisations to access the national eHealth record system without having to use a Clinical Information System.

Record Access Code or RAC means a code which may be used to restrict access to a consumer’s national eHealth record in accordance with paragraph 5(1)(a).

Remove, in relation to a record in a consumer’s national eHealth record, means rendering the record inaccessible to the consumer, their nominated representatives and any registered healthcare provider organisations involved in the care of the consumer, including in the case of a serious threat in accordance with national eHealth record rules 6 and 7.

Responsible Officer has the same meaning as in the Healthcare Identifiers Act 2010.

Seed organisation has the same meaning as in the Healthcare Identifiers Act 2010.

Seed OMO is the Organisation Maintenance Officer for a seed organisation and has primary responsibility for OMO roles and coordination of OMO activities in network organisations.

Service Operator has the same meaning as in the Healthcare Identifiers Act 2010.

NT Health Staff includes employees and contractors of NT Health and any healthcare provider authorised to use a NT Health Clinical Information System (CIS)

System Operator is the Commonwealth Department of Health.

Verified healthcare identifier means a healthcare identifier assigned to a consumer in relation to which the Service Operator has evidence, to the Service Operator’s satisfaction, of the consumer’s identity.

Leonard Notaras Effective: 1 December 2014

Chief Executive Review Date: 1 December 2015