Skip to content

Colour theme

Region

Opens the same page on another regional site.

Philippines site language

English, Filipino (national language), or Tagalog. Applies to this regional site.

Search site

Search pages and articles

Ctrl+K · Search site
Menu

RACGP accreditation: the IT and information security readiness checklist

A practical IT and information-security readiness checklist for the lead-up to RACGP accreditation. Access control and unique logins, audit logging, tested backups, secure messaging, device and patch management, MFA, privacy handling, and business continuity.

Key takeaways

  • RACGP accreditation assesses your whole practice against the RACGP Standards for general practices. Information security and IT are one part of that, woven through the criteria on privacy, records, and safe systems.
  • The IT elements that matter most are practical: unique logins per person, role-based access, audit logging, tested backups with restore evidence, secure electronic messaging, managed and patched devices, multi-factor authentication, and a written business continuity plan.
  • Surveyors look for evidence, not intentions. A policy plus a record that it is actually followed (logs, test-restore results, a signed access register) is worth far more than a policy alone.
  • Start early. Backups should be tested, access should be tidied, and unique logins should be in place well before your assessment, not scrambled the week before.
  • This checklist reflects common, widely understood IT good practice. Always confirm the specific indicators against the current edition of the RACGP Standards, because clause numbers and wording change between editions.

How IT fits into RACGP accreditation

Accreditation against the RACGP Standards for general practices looks at the whole practice: clinical care, patient rights, safety, and the systems that hold it all together. Information technology and information security are not a separate silo in the Standards. They run through the criteria on privacy, health records, and safe, well-run systems, because almost everything a modern practice does touches a computer.

This guide is a practical readiness checklist for the IT and information-security side of that preparation. It is organised the way a practice actually works, not clause by clause. That is deliberate: the RACGP Standards are revised between editions, and specific indicator numbers and wording change. Rather than quote clause references that may be out of date, this guide focuses on the underlying controls that consistently matter, and points you to confirm the current detail against the edition you are being assessed under.

Two principles apply throughout. First, surveyors look for evidence, not intentions. A policy on its own is weak; a policy plus a record that it is actually followed is strong. Second, start early. The items that trip practices up (proving a backup restores, converting shared logins to individual ones, writing a continuity plan) take time and cannot be assembled convincingly the week before.

Access control and unique logins

Every person who uses a clinical or practice system should have their own individual login. Shared accounts (a single “reception” login, a password on a sticky note) break accountability: you cannot tell who did what, and you cannot cleanly remove access when someone leaves.

Checklist:

  • Each staff member, including locums and contractors, has a unique named account.
  • Access is role based: people can reach what their role needs and no more. Reception, nursing, and clinical roles have different access.
  • There is a written register of who has access to which systems and at what level.
  • A documented process exists to grant access on hire and revoke it promptly on departure, including remote access and cloud services.
  • Administrator rights are limited to the few who genuinely need them, and admin accounts are separate from everyday logins.

The register plus the join-and-leave process is the evidence a surveyor will want to see.

Audit logging

Your clinical system should record who accessed or changed what, and when. Audit logs matter for accreditation and for privacy: if a patient asks who viewed their record, or you need to investigate suspicious activity, the log is your answer.

Checklist:

  • Audit logging is enabled in your clinical and practice management systems.
  • Logs capture record access and changes to sensitive data, not just logins.
  • Someone is responsible for reviewing logs periodically, and you know how to produce a log for a specific patient or user if asked.
  • Logs are retained for a sensible period and protected from tampering.

Be ready to demonstrate that logging is on and to explain how you would retrieve a specific entry.

Tested backups and recovery evidence

Backups are where good intentions most often fail. Accreditation, insurers, and plain common sense all expect that you can recover your data, and the only way to know is to test it.

Checklist:

  • Backups run regularly and automatically and cover clinical data, practice management data, and key configuration.
  • At least one backup copy is kept offline or immutable so ransomware cannot encrypt it along with everything else.
  • You have performed a test restore and kept a dated record of the result. This is the single most valuable piece of evidence in this whole checklist.
  • Backups are encrypted and access to them is controlled.
  • You know your target recovery time and recovery point (how quickly you can be back, and how much data you could lose) and they are realistic for the practice.

If you take one action after reading this guide, make it a documented test restore. Trucell covers the detail on the backup and recovery page, and it maps directly to the “regular backups” strategy in the Essential Eight.

Secure electronic messaging

Clinical correspondence (referrals, reports, results) should move over secure electronic messaging, not ordinary email, which is not designed for sensitive health information in transit.

Checklist:

  • Referrals and results are sent and received through a recognised secure messaging channel used by your referrers and pathology and imaging providers.
  • Ordinary email is not used to send unprotected patient information; where email to patients is used, there is a clear, consented, and appropriate process.
  • Message delivery can be confirmed, so correspondence does not silently fail.
  • Staff know which channel to use for which purpose.

Secure messaging also underpins compliant patient-facing workflows. For example, digital consent and Medicare assignment-of-benefit flows depend on being able to prove who agreed and when. Trucell’s RadForms solution handles that kind of linked, auditable capture for imaging teams, and the reasoning behind a compliant digital assignment of benefit is explained in this article on the assignment-of-benefit checkbox.

Device and patch management

Every device that touches patient data is part of your security boundary: desktops, laptops, tablets, and any device used for remote access. Unmanaged or unpatched devices are a common way in.

Checklist:

  • You keep an inventory of devices that access practice systems, including who uses each one.
  • Operating systems and key applications receive security updates promptly, and unsupported systems are identified for replacement.
  • Devices are protected with reputable, up-to-date endpoint security.
  • Portable and personal devices used for practice work are controlled: encryption, screen locks, and the ability to remove access if a device is lost.
  • Old equipment is securely wiped before disposal or reuse.

Patch and device management map directly to the “patch applications” and “patch operating systems” strategies of the Essential Eight.

Multi-factor authentication

Multi-factor authentication (MFA) requires a second proof of identity beyond a password. Because so many breaches start with a stolen password, MFA is one of the most effective controls you can put in place, and it is increasingly expected by both insurers and accreditation-minded security guidance.

Checklist:

  • MFA is enabled on email, on remote access (VPN or remote desktop), and on cloud services.
  • MFA is enabled on clinical and practice management systems where they support it.
  • Staff understand why MFA is used and how to use it, and there is a safe process for handling lost second factors.

MFA is usually the quickest high-value win in the whole readiness process.

Privacy and health-information handling

Protecting patient information is both an accreditation expectation and a legal obligation under the Privacy Act and the Australian Privacy Principles, alongside any applicable state health-records law. The IT controls above exist largely to serve this.

Checklist:

  • You have a current privacy policy and a clear process for how patient information is collected, stored, accessed, transferred, retained, and disposed of.
  • Consent is handled clearly, including for sharing information with other providers.
  • Patients can access their own information through a defined process.
  • Staff receive privacy and information-security awareness training, and you keep a record of it.
  • You have a plan for responding to a data breach, including your obligations to notify where required.

Note that HIPAA is a United States framework and does not apply in Australia; your obligations are the Privacy Act, the Australian Privacy Principles, and relevant state legislation. Confirm your specific legal duties with a suitably qualified adviser.

Business continuity

Accreditation looks for evidence that the practice can keep caring for patients when something goes wrong: a system outage, a ransomware event, loss of internet, or loss of premises. That is your business continuity plan.

Checklist:

  • There is a written business continuity and disaster recovery plan covering major IT failures.
  • The plan names who does what, how staff communicate, and how you keep seeing patients on a bad day (for example, downtime procedures for booking and clinical notes).
  • It links to your tested backups and your recovery time and recovery point targets.
  • Staff know the plan exists and it has been reviewed or rehearsed recently, with a record of that review.
  • Key vendor and support contacts are documented and current.

A plan that has been read and rehearsed is far more convincing, and far more useful in a real incident, than one that has never been opened.

Putting it together

None of these controls is exotic. Together they describe a practice that takes patient data seriously and can keep running under pressure, which is exactly what accreditation, insurers, and your patients want. Work through the checklist a few months out, fix the gaps while there is time, and keep the evidence as you go: registers, logs, dated test-restore results, and a rehearsed continuity plan.

If you want a hand mapping your systems against these expectations, Trucell’s GP and medical practice IT support service and our Essential Eight readiness resources are built to help practices get ready without the last-minute scramble.

A note on scope

This is general guidance, not compliance or legal advice. It reflects common, widely understood IT and information-security good practice, and it does not reproduce or replace the RACGP Standards. Specific indicators, clause numbers, and wording change between editions of the Standards. Before relying on this checklist, confirm the current requirements against the edition of the RACGP Standards for general practices you are being assessed under, the current ACSC Essential Eight guidance at cyber.gov.au, and, for your privacy obligations, a suitably qualified adviser and the relevant Australian and state legislation.

Frequently asked questions

Quick answers to the questions buyers ask most about this topic.

What IT does a practice need for RACGP accreditation?

At a practical level, a practice preparing for RACGP accreditation should have unique individual logins with role-based access, audit logging turned on in the clinical system, regular backups that have been test-restored, secure electronic messaging for clinical correspondence, managed and patched devices, multi-factor authentication on remote and cloud access, clear privacy and health-information handling, and a written business continuity plan. These support the RACGP Standards criteria on privacy, records, and safe systems. Confirm the exact indicators against the current edition of the Standards.

Does RACGP accreditation require the Essential Eight?

The RACGP Standards do not simply reprint the ACSC Essential Eight, but the two align closely in practice. Controls such as multi-factor authentication, patching, restricting administrator access, and tested backups support the Standards criteria on protecting health information and running safe systems. Using the Essential Eight as your technical baseline is a sensible way to build the evidence accreditation looks for. Check both the current Standards and the ACSC guidance, because each is updated over time.

How far ahead should we prepare our IT for accreditation?

Begin at least a few months out. Some items take time and cannot be faked close to the assessment: proving a backup can actually be restored, converting shared logins to unique individual accounts, tidying up who has access to what, and writing and rehearsing a business continuity plan. Starting early also means any gaps surface while there is time to fix them calmly rather than in a rush.

What evidence do accreditation surveyors want for information security?

Surveyors look for evidence that a control is real and used, not just written down. Good examples include a register of user accounts and their access levels, screenshots or logs showing audit logging is enabled, a dated record of a successful test restore from backup, your secure messaging setup, a device and patch inventory, and a business continuity plan with evidence it has been reviewed or rehearsed. Pair every policy with a record that shows it is followed.

Is patient data handling part of accreditation?

Yes. Handling of health information is central to the RACGP Standards and also a legal obligation under the Privacy Act and the Australian Privacy Principles, plus any applicable state health-records law. Accreditation looks for clear practices around consent, access, storage, secure transfer, retention, and disposal of patient information. The IT controls in this checklist exist largely to protect that information. Confirm your legal obligations with a suitably qualified adviser.

← Back to IT support Contact us → PACS & RIS services →