Criterion 4.2.2 E If our practice uses computers to store personal health information, our practice has an Information Disaster Recovery Plan that has been developed, tested and has been documented (documented)
Above this, the Criterion guidelines are to use the GPCG Computer Security Self Assessment Guide and Checklist for General Practitioners, which has further information for practices about information disaster recovery plans.

GPCG Computer Security Self Assessment Guide and Checklist for General Practitioners

Backups
1. Backups of data done daily
2. Back-ups of data stored offsite
3. Back-up procedure last tested (by performing a restoration of data)...
4. Back-up procedure has been included in a documented disaster recovery plan.

We use this in our surgery and it made it easier for us to formulate our policies on IT. Thank you to whoever designed it!

fee

------------------------

[EMAIL PROTECTED] wrote:
> It has to be part of the Disaster Recovery Plan - Criterion 4.2.2 D
> It doesn't seem to be whatever the accreditation companies decided, it is
> probably what has been added to RACGP 3rd Standards book after GPCG
> recommended it but it is definitely there.
> fee

Fee,

If you can't see it in print from the standards, then it doesn't exist! This is from the RACGP website today.

> Indicators
>
> 1. Patient health information in our practice is neither stored nor left visible in areas where members of the public have unrestricted access, or where constant staff supervision is not easily provided (interview, direct observation).
> 2. our facsimile machines, printers and other communication devices are only accessible to authorised staff (direct observation).
> 3. our GP(s) and staff can describe how they ensure security of patient health records (interview).
> 4. if our practice uses computers to store patient health information, our practice ensures that:
>    * our GP(s) and staff have personal passwords to authorise appropriate levels of access to health information
>    * screensavers or other automated privacy protection devices are enabled
>    * backups of electronic information are performed at a frequency consistent with a documented information disaster recovery plan
>    * backups of electronic information are stored in a secure offsite environment
>    * antivirus software is installed and updated
>    * all internet connected computers have hardware/software firewalls installed (document review).
> 5. if our practice uses computers to store personal health information, our practice has an information disaster recovery plan that has been developed, tested and is documented (document review).

It does NOT specify what should be in the disaster plan. It advises GPs to use the following resources, and it notes that these resources contain 'suggestions for additional security procedures'. That's NOT the same as a requirement. Again from the RACGP website today:

> The RACGP Handbook for the management of health information in private medical practice (www.racgp.org.au), and the General Practice Computing Group's (GPCG) Computer security self assessment guide and checklist for general practitioners (www.gpcg.org) provide information and explanations on the safeguards and procedures that need to be followed by general practices in order to meet appropriate legal and ethical standards concerning privacy and security of patient health information. These documents also contain suggestions for additional security procedures.

What happens when you let human beings loose to measure the performance of other human beings is the problem. People change suggestions into requirements.
In the absence of any clear authority on the accreditation bodies' part to 'improve' on the college's standards, I strongly suspect that this has happened in the case of your survey and others. I prefer my keyboards to be black, so you'll have black ones too. Everyone knows that black ones go faster. Sorry, not part of the standard, it shouldn't be happening like that.

Greg

>> -- Original Message --
>> Date: Mon, 26 Mar 2007 15:18:22 +1000
>> From: Greg Twyford <[EMAIL PROTECTED]>
>> To: General Practice Computing Group Talk <[email protected]>
>> Subject: Re: [GPCG_TALK] backup!
>> Reply-To: General Practice Computing Group Talk <[email protected]>
>>
>> [EMAIL PROTECTED] wrote:
>>
>>>> -- Original Message --
>>>> Date: Mon, 26 Mar 2007 11:49:55 +1000
>>>> From: Greg Twyford <[EMAIL PROTECTED]>
>>>> I'd suggest that you read 4.2.2 again. Test restores aren't mentioned.
>>>>
>>> Try passing accreditation without being able to prove that test restores
>>> are being done!
>>>
>>> We passed 3rd Standards in Nov and it was definitely a question. Yes it is
>>> a requirement, and staff ARE meant to understand how, when, where and how
>>> often this is done. It is meant to be documented and surveyors take this
>>> subject VERY seriously.
>>>
>>> fee
>>
>> Fee,
>>
>> I don't doubt what you say, as it's exactly what the GP I referred to experienced. However, all this tells me is that the accreditation bodies themselves decide what is required.
>>
>> If they don't follow the College standards, what do they decide to follow? And where do they get the right to pick and choose what they include?
>>
>> Particularly if the surveyors have no particular IT knowledge.
>>
>> Moreover, how do practices know what they expect if it isn't in the college's standards? Do the accreditation bodies send out their own lists of requirements to practices beforehand?
>>
>> Greg
>> --
>> Greg Twyford
>> Information Management & Technology Program Officer
>> Canterbury Division of General Practice
>> E-mail: [EMAIL PROTECTED]
>> Ph.: 02 9787 9033
>> Fax: 02 9787 9200
>>
>> PRIVATE & CONFIDENTIAL
>> ***********************************************************************
>> The information contained in this e-mail and their attached files,
>> including replies and forwarded copies, are confidential and intended
>> solely for the addressee(s) and may be legally privileged or prohibited
>> from disclosure and unauthorised use. If you are not the intended
>> recipient, any form of reproduction, dissemination, copying, disclosure,
>> modification, distribution and/or publication or any action taken or
>> omitted to be taken in reliance upon this message or its attachments is
>> prohibited.
>>
>> All liability for viruses is excluded to the fullest extent permitted by
>> law.
>> ***********************************************************************
>> _______________________________________________
>> Gpcg_talk mailing list
>> [email protected]
>> http://ozdocit.org/cgi-bin/mailman/listinfo/gpcg_talk
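The GPCG checklist item quoted in this thread, "Back-up procedure last tested (by performing a restoration of data)", and the surveyors' wish to see proof that test restores happen, are easiest to satisfy when the test restore is scripted and leaves a dated record behind. The script below is an added example, not code from the GPCG guide, the RACGP or anyone on this list. It builds constructed sample data (no real patient records), backs it up to a tar archive, restores the archive into a scratch directory rather than over the live copy, verifies the restore by comparing per-file SHA-256 checksums, and appends a PASS/FAIL line to a log that can be filed with the disaster recovery plan. Every path, the archive naming scheme and the `WORK` variable are assumptions made for the demo; a real practice would point `DATA` at its clinical database export or file share and `BACKUP` at its offsite copy.

```shell
#!/bin/sh
# Added example (not from the GPCG_TALK thread): a scripted backup test restore
# with checksum verification and a dated log entry for the DRP record.
# All paths are assumptions for the demo; WORK defaults to a fresh temp dir.
set -eu

WORK="${WORK:-$(mktemp -d)}"
DATA="$WORK/data"                 # stands in for the live practice data
BACKUP="$WORK/backup/practice-$(date +%Y%m%d).tar.gz"
RESTORE="$WORK/restore"           # scratch restore target, never the live copy
LOG="$WORK/restore-test.log"      # evidence that the restore was tested

sha256_tool() {
    # GNU coreutils provides sha256sum; BSD/macOS provide shasum -a 256.
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"; else shasum -a 256 "$@"; fi
}

# Constructed sample data only; nothing here is a real record.
make_sample_data() {
    mkdir -p "$DATA/records"
    printf 'patient,visit\n1001,2007-03-26\n' > "$DATA/records/visits.csv"
    printf 'constructed clinical note, not real data\n' > "$DATA/records/note.txt"
}

take_backup() {
    mkdir -p "$(dirname "$BACKUP")"
    tar -czf "$BACKUP" -C "$DATA" .
}

# Restore into an empty scratch directory so a bad archive cannot damage live data.
test_restore() {
    rm -rf "$RESTORE"
    mkdir -p "$RESTORE"
    tar -xzf "$BACKUP" -C "$RESTORE"
}

# Sorted "hash  ./relative/path" lines for every file under the given directory.
checksum_tree() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do sha256_tool "$f"; done )
}

# Append a timestamped result line; this is what the surveyor can be shown.
record() {
    printf '%s restore test of %s: %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$BACKUP" "$1" >> "$LOG"
}

# Returns 0 only if every restored file matches the live copy byte for byte
# and at least one file was compared (an empty tree must not count as a pass).
verify_restore() {
    expected=$(checksum_tree "$DATA")
    actual=$(checksum_tree "$RESTORE")
    if [ -n "$expected" ] && [ "$expected" = "$actual" ]; then
        record PASS
        return 0
    fi
    record FAIL
    return 1
}

# Simulates a bad restore (truncated file) so the failure path can be exercised.
corrupt_restore() {
    : > "$RESTORE/records/note.txt"
}

main() {
    make_sample_data
    take_backup
    test_restore
    verify_restore
    cat "$LOG"
}

main
```

Run it unchanged to see one PASS line; set `WORK` to a persistent directory if you want the log to accumulate across runs. Because the restore goes to a scratch directory and the comparison is against the live tree, the same script doubles as an integrity check on the archive itself: a truncated or tampered backup produces a FAIL rather than a silent, partially restored directory.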
