What's in this template?
This free Rule 42 policy template gives every registered My Health Record provider organisation the policy they are legally required to hold. It is built directly from the structure of the OAIC's official Rule 42 template and the Australian Digital Health Agency's published guidance, then tailored for use in an Australian medical practice or allied health service.
The template covers 14 sections plus a sign-off block:
- Purpose — links the policy to Rule 42 of the My Health Records Rule 2016 and section 73 of the My Health Records Act
- Scope — every worker, every system, every access pathway (clinical software, NASH PKI, mobile, remote)
- Legislative and regulatory framework — table of every Act, Rule and scheme that applies
- Roles and responsibilities — Responsible Officer, authorised users, all workers
- Authorising, reviewing and removing access — same-day removal when workers leave
- Identification, authentication and access controls — passwords, MFA, screen lock, NASH certificate handling
- Physical and technical security — server, workstation, paper, backup, audit logging
- Mobile devices and remote access — BYOD rules, lost device reporting
- Training and awareness — links to the Staff Training and Awareness Procedure
- Detecting, reporting and managing breaches — 1-hour reporting, System Operator and OAIC notification
- Audit, monitoring and oversight — quarterly audit log review and 2-yearly policy review
- Related documents — cross-references to your other compliance documents
- Definitions — HPI-O, HPI-I, IHI, NASH, Responsible Officer, System Operator
- Approval and review — formal sign-off table
Editable placeholder fields
- {{practice_name}}, {{abn}}, {{hpi_o}}, {{practice_address}}, {{phone}}, {{email}}
- {{responsible_officer}} — the person named to the Australian Digital Health Agency
- {{clinical_software}} — your conformant clinical system (Best Practice, Medical Director, etc.)
- {{access_review_frequency}} — e.g., quarterly, every 6 months
- {{it_support_contact}}, {{training_records_owner}}
- {{review_date}}, {{next_review_date}}
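A policy with a stray {{placeholder}} left in it is the kind of defect an auditor notices first. The script below is an added example, not part of the ClinicComply template or the Agency's guidance: it fills the placeholder fields listed above from a dictionary, reports any field that was not supplied, and applies a few sanity checks before the document is approved. The {{name}} syntax, the hypothetical SAMPLE_TEMPLATE excerpt, the sample practice values, and the field checks (ATO ABN checksum, 16-digit HPI-O, next review no more than two years after the review date) are assumptions made for the example.

```python
import re
from datetime import date, timedelta

# Assumed placeholder syntax: {{name}} with a snake_case name, as in the field list above.
PLACEHOLDER = re.compile(r"\{\{\s*([a-z_]+)\s*\}\}")

# Constructed excerpt standing in for the template body (not the real document text).
SAMPLE_TEMPLATE = """\
{{practice_name}} (ABN {{abn}}, HPI-O {{hpi_o}})
Responsible Officer: {{responsible_officer}}
Access reviews are performed {{access_review_frequency}}.
Next review due: {{next_review_date}}
"""


def valid_abn(abn):
    """ATO ABN check: subtract 1 from the first digit, apply the weights below,
    and the weighted sum must be divisible by 89. Spaces are allowed."""
    compact = abn.replace(" ", "")
    if len(compact) != 11 or not compact.isdigit():
        return False
    digits = [int(c) for c in compact]
    weights = (10, 1, 3, 5, 7, 9, 11, 13, 15, 17, 19)
    digits[0] -= 1
    return sum(d * w for d, w in zip(digits, weights)) % 89 == 0


def find_unfilled(text):
    """Return the sorted set of placeholder names still present in the text."""
    return sorted(set(PLACEHOLDER.findall(text)))


def fill_template(template, values):
    """Substitute placeholders and return (rendered_text, problems).

    Unknown placeholders are left untouched so they show up in the problem list
    rather than silently vanishing from the policy.
    """
    problems = []

    # Hypothetical per-field checks; extend for the remaining fields as needed.
    if "abn" in values and not valid_abn(values["abn"]):
        problems.append("abn: checksum failed")
    if "hpi_o" in values and not re.fullmatch(r"\d{16}", values["hpi_o"]):
        problems.append("hpi_o: expected 16 digits")
    if "review_date" in values and "next_review_date" in values:
        # ISO dates assumed; the page asks for review at least every 2 years
        # (approximated here as 730 days).
        reviewed = date.fromisoformat(values["review_date"])
        due = date.fromisoformat(values["next_review_date"])
        if due > reviewed + timedelta(days=730):
            problems.append("next_review_date: more than 2 years after review_date")

    rendered = PLACEHOLDER.sub(lambda m: values.get(m.group(1), m.group(0)), template)
    for name in find_unfilled(rendered):
        problems.append(f"{name}: placeholder not filled")
    return rendered, problems


if __name__ == "__main__":
    # Constructed sample values for a fictitious practice.
    sample_values = {
        "practice_name": "Example Medical Centre",
        "abn": "51 824 753 556",
        "hpi_o": "8003620000000000",
        "responsible_officer": "Dr A Example",
        "access_review_frequency": "quarterly",
        "review_date": "2024-07-01",
        "next_review_date": "2026-07-01",
    }
    text, issues = fill_template(SAMPLE_TEMPLATE, sample_values)
    print(text)
    print("problems:", issues or "none")
```

Run it against the real exported document text instead of SAMPLE_TEMPLATE, and treat a non-empty problem list as a blocker for the sign-off in the approval table.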
Who needs a Rule 42 policy?
A documented Security and Access Policy is mandatory for every organisation registered to the My Health Record system, regardless of size. That includes:
- General practices of any size, including solo GPs
- Specialist medical practices registered to the system
- Allied health practices (physiotherapy, podiatry, psychology, etc.) connected via conformant software
- Pharmacies dispensing prescriptions through My Health Record
- Aboriginal Community Controlled Health Organisations
- Private hospitals and day surgeries registered to the system
- Pathology and diagnostic imaging providers uploading results
If you have a Healthcare Provider Identifier — Organisation (HPI-O) and a NASH PKI certificate, this policy applies to you.
Rule 42 at a glance
Rule 42 of the My Health Records Rule 2016 requires every registered provider organisation to have a written policy that addresses, at a minimum:
- How authorised users are nominated and managed
- How users are identified and authenticated when they access the system
- The physical, technical and procedural safeguards in place
- How the organisation trains and maintains the awareness of users
- How the organisation detects, reports and manages potential security breaches
- How access is suspended or removed
- How compliance with the policy is monitored
This template covers each of those requirements in the order an auditor will look for them, with editable placeholders so the policy reflects your specific practice rather than a generic stock document.
My Health Records Act requirement
The legal force behind Rule 42 comes from section 73 of the My Health Records Act 2012, which requires registered healthcare provider organisations to have, comply with, and enforce a policy of this kind. Failure to have a compliant policy is a breach of registration conditions and can result in:
- Suspension or cancellation of My Health Record system registration
- Civil penalties under the Act
- Reputational damage if a breach occurs without an adequate policy in place
The Australian Digital Health Agency, as System Operator, may at any time request a copy of your policy as part of compliance monitoring or in response to an incident. Practices that complete RACGP accreditation are also typically asked to evidence a Rule 42 policy under criterion C6.4 (Information security).
How to customise this template
- Download the Word document and replace every {{placeholder}} with your details
- Nominate your Responsible Officer — typically the practice principal, practice manager, or a senior clinician
- Confirm your HPI-O and NASH PKI certificate location with your practice manager or IT contact
- Tailor section 6 (Identification and authentication) to match how your conformant software actually works
- Set your access review cadence in section 5 — quarterly is good practice for most practices
- Have it approved by the Responsible Officer and signed in the approval table at the back
- Communicate it to all authorised users and require them to sign the Staff Training and Awareness Procedure acknowledgement
- Schedule the next review — at least every 2 years, or sooner if your software, processes or the legislation change
Related templates and tools
This policy is the foundation document. Pair it with the two procedures that bring it to life:
- My Health Record Staff Training and Awareness Procedure — the Rule 42(2)(a) training procedure with a built-in training register
- My Health Record Emergency Access Procedure — when and how clinicians may access a record under section 64 without consent
For broader information security obligations, see the Computer and Information Security Policy and the Privacy Policy in the RACGP library.
Frequently asked questions
Is a My Health Record Security and Access Policy mandatory?
Yes. Rule 42 of the My Health Records Rule 2016, made under section 73 of the My Health Records Act 2012, requires every registered healthcare provider organisation participating in the My Health Record system to have a documented security and access policy. This applies to solo practitioners as well as larger organisations. The Australian Digital Health Agency, as System Operator, may request a copy at any time.
What is Rule 42?
Rule 42 is the part of the My Health Records Rule 2016 that prescribes the minimum content of every registered provider's security and access policy. It covers user authorisation, authentication, training, physical and technical security, breach handling, and access removal. A policy that does not address every Rule 42 matter is not compliant.
Who is the Responsible Officer?
The Responsible Officer is the person nominated by the organisation to be the contact point for the Australian Digital Health Agency on My Health Record matters. They are accountable for approving the security and access policy, authorising users, ensuring training is delivered, and managing breaches. In a small general practice this is usually the practice principal or practice manager. The Responsible Officer is named at registration and updated through the Healthcare Identifiers Service.
What are the penalties for not having a Rule 42 policy?
The most common consequence is suspension or cancellation of My Health Record system registration. The Act also provides for civil penalties, and unauthorised access by a worker (which is more likely without a clear policy) can attract criminal penalties of up to 2 years' imprisonment under sections 59 to 62 of the Act. Practices undergoing accreditation may also fail evidence requirements under RACGP criterion C6.4.
How often does the policy need to be reviewed?
The Australian Digital Health Agency expects the policy to be reviewed at least every two years, and immediately whenever there is a material change — a new clinical software system, a change to the legislation or rule, a breach, or a change of Responsible Officer. The template includes a built-in review schedule.
Does this policy replace our broader privacy policy?
No. The Rule 42 policy is specific to the My Health Record system. You still need a general Privacy Policy covering the Australian Privacy Principles (APPs) and a Computer and Information Security Policy. The three documents reference each other and form your overall information governance set. ClinicComply provides templates for all three.
Is this policy enough on its own to comply with Rule 42?
The policy is the cornerstone, but Rule 42(2)(a) also requires a training procedure for authorised users. Most practices pair this Security and Access Policy with the Staff Training and Awareness Procedure (downloadable separately) so the training, knowledge check and refresher cadence are documented as well.
Can a sole-trader GP use this template?
Yes. The Australian Digital Health Agency's own sole-trader guidance is built on the same Rule 42 framework — only the scale of the safeguards changes. A solo practitioner is both the Responsible Officer and the only authorised user, so several sections collapse to single-person responsibilities, but every Rule 42 topic still has to be covered. This template is structured so you can simply remove sections that do not apply (e.g., reviews of multiple users) and keep the rest.