My Health Records Act · Rule 42(2)(a)

My Health Record Staff Training and Awareness Procedure Template

Procedure that satisfies Rule 42(2)(a) by setting out how staff are trained before being granted My Health Record access, the topics covered, the knowledge check, refresher cadence, and a printable training register for audit evidence.

My Health Records Act 2012 · My Health Records Rule 2016 · Privacy Act 1988

What's in this template?

This procedure is the second half of Rule 42 compliance — the training procedure required by Rule 42(2)(a) of the My Health Records Rule 2016. It sets out exactly how your practice trains every worker before they are given access to the My Health Record system, the topics covered, the knowledge check, and the refresher cadence.

The template covers 11 sections plus a sign-off block and a printable training register appendix (Appendix A) that you can use as audit evidence:

  1. Purpose — links the procedure to Rule 42(2)(a)
  2. Scope — employees, locums, contractors, students, volunteers
  3. Roles and responsibilities — Responsible Officer, Training Coordinator, workers
  4. Training pathway — pre-access training, annual refresher, triggered re-training
  5. Training content — built-in training matrix with seven topics and time allocations
  6. Knowledge check — pass mark of 80%, repeatable until passed
  7. Recording training — what the register captures and 7-year retention
  8. Awareness reinforcement — meetings, posters, privacy moments
  9. Non-compliance — automatic suspension when refreshers are missed
  10. Related documents — cross-references to the Security and Access Policy and Emergency Access Procedure
  11. Review — 2-yearly review cycle

Appendix A — Training register: a ready-to-print table that captures worker name, role, date completed, trainer, and refresher due date. This is the document an auditor will ask to see.

Editable placeholder fields

  • {{practice_name}}, {{abn}}, {{hpi_o}}, {{practice_address}}, {{phone}}, {{email}}
  • {{responsible_officer}} — your nominated Responsible Officer
  • {{training_coordinator}} — the person who actually runs the training
  • {{training_format}} — facilitated, e-learning, or blended
  • {{training_records_owner}} — usually the practice manager
  • {{review_date}}, {{next_review_date}}

Why this procedure matters

Rule 42 is not satisfied by a Security and Access Policy alone. Rule 42(2)(a) explicitly requires a training procedure that ensures every authorised user understands their obligations under the My Health Records Act before they touch the system. Practices that have a policy but no training procedure are routinely flagged in compliance reviews.

The cost of getting this wrong is real:

  • Sections 59 to 62 of the Act make unauthorised access by a worker a criminal offence with penalties of up to 2 years' imprisonment
  • The Australian Digital Health Agency may suspend a provider's registration if it cannot evidence training
  • A worker who breaches the system after inadequate training exposes the practice owner to civil penalty proceedings

What good training looks like

A training program that satisfies Rule 42(2)(a) needs to do four things, all of which this procedure builds in:

  • Cover the right topics — the legal framework, the practice's specific policy, breach reporting, and emergency access
  • Be delivered before access is granted, not after the worker has already been logging in for weeks
  • Test understanding with an objective knowledge check
  • Be repeated at least annually and whenever the legislation, software, or policy changes

The training matrix in section 5 lists seven mandatory topics with suggested time allocations, drawn from the Australian Digital Health Agency's published education modules and the RACGP Practice Owners' Guide.

Rule 42(2)(a) requirement

The full text of Rule 42(2)(a) requires a registered provider organisation's policy to address "the training that authorised users are required to undertake before being authorised to access the My Health Record system, and the ongoing training and awareness of those users". The Australian Digital Health Agency's compliance guidance interprets this as needing:

  • A documented training program
  • Records of who has been trained
  • A way to refresh training when the system or law changes
  • A clear consequence when training is not completed

This procedure operationalises each of those expectations.

How to customise this template

  1. Download the Word document and replace every {{placeholder}} with your details
  2. Nominate a Training Coordinator — usually the practice manager or a senior nurse
  3. Choose your training format in section 5 — facilitated team session, e-learning, or blended
  4. Adopt the training matrix as-is or substitute equivalent training material from the Australian Digital Health Agency's website
  5. Set your knowledge check — you can use the seven topics in the matrix as a basis for your own short quiz
  6. Print Appendix A and start logging completions, or replicate the register in your HRIS or learning management system
  7. Have it approved by the Responsible Officer in the sign-off table
  8. Schedule the first refresher for 12 months after each worker's completion date

Related templates

This procedure works alongside:

  • My Health Record Security and Access Policy — the policy this procedure trains workers on
  • My Health Record Emergency Access Procedure — section 64 use; included in the training matrix
  • Staff Training and Orientation Policy — the broader RACGP-aligned training policy

Frequently asked questions

Is a My Health Record training procedure mandatory?

Yes. Rule 42(2)(a) of the My Health Records Rule 2016 requires every registered provider organisation to document the training that authorised users complete before accessing the system, and the ongoing training thereafter. A Security and Access Policy alone is not enough — the training procedure is a separate Rule 42 requirement.

How often do staff need refresher training?

ClinicComply recommends an annual refresher, which aligns with the Australian Digital Health Agency's published guidance and matches RACGP accreditation expectations. Re-training is also triggered immediately by any material change to the My Health Records Act, your clinical software, or your Security and Access Policy.

What topics must the training cover?

At a minimum, training must cover: the My Health Record system and identifiers; authorised collection, use and disclosure under the Act; the civil and criminal penalties for unauthorised access; your organisation's Security and Access Policy; how to recognise and report a breach; and the Emergency Access Procedure. The training matrix in section 5 lists each topic with suggested time allocations.

What is the training register and why do I need one?

The training register is the auditable record showing who has been trained, on what, when, and when their refresher is due. Without a register you cannot evidence Rule 42(2)(a) compliance. Appendix A of the template is a ready-to-print register; many practices keep it as a spreadsheet or in their HRIS instead. Records should be kept for at least 7 years after a worker leaves.

Can a worker access My Health Record before they finish training?

No. The procedure requires training and a passed knowledge check before access is granted. New starters should not be given My Health Record credentials on day one — schedule training in their first week and grant access afterward. Locums and short-term contractors must complete the same training before they touch the system.

What happens if a staff member misses their refresher?

Under this procedure, the Responsible Officer suspends the worker's My Health Record access until the refresher is completed and the knowledge check is re-passed. Suspending access is far less risky than allowing untrained access to continue, both for the practice and for the worker.

Can solo practitioners use this template?

Yes. A solo GP is both the Responsible Officer and the only authorised user. The procedure still applies — you need to evidence that you have completed the required training and that you refresh it annually. Use Appendix A as your personal training log. If you employ a practice nurse or receptionist who handles My Health Record-related tasks, they need to be added to the register.

Does this procedure cover Australian Digital Health Agency e-learning modules?

The procedure is agnostic about the specific training material — it simply requires that the seven topics in the matrix are covered. The Agency's free e-learning modules and the RACGP's My Health Record resources are excellent options that satisfy the topic list. Many practices use the Agency e-learning as the foundation and add a short practice-specific briefing on top.
