Hearing Services Program (HSP) HSP Cloud Service Provider Checklist / IRAP Assessment - MANAGE IT Regulatory
Provider Factsheet - Management of Client Records
The Department of Health (the department) is responsible for managing
and administering the Australian Government Hearing Services Program
(the program).
As specified in the Service Provider Contract
(the contract), program client records are owned by the Commonwealth.
Contracted Service Providers (providers) must manage, store, transfer
and dispose of program client records in accordance with the contract, program legislation, the Archives Act 1983, the Privacy Act 1988 and the Freedom of Information Act 1982.
Client personal and health information is deemed sensitive information under the Australian Privacy Principles (APP) and extra precautions are required in the management of this information. Cloud Storage
Cloud storage allows for shared access to documents via the internet or a company network, but must still ensure the protection of client records. Under clause 17.5 of the contract, program client records must not be taken outside Australia without prior written approval from the Commonwealth. This includes storing client records on overseas servers.
The Australian Signals Directorate (the ASD) no longer certifies cloud service providers and all previous certifications are now void. Providers can continue to use their previously certified cloud services. Any new providers entering the program or existing providers wishing to change their cloud provider or start using cloud services must contact the Program at hearing@health.gov.au before storing client records on a new service.
- Providers must not use unsecured cloud services, such as Google Drive, Google Docs, Dropbox etc, as these may be hosted overseas and do not have Privacy Act protections.
- If providers wish to change cloud providers or start using a cloud service, the security of the service must be assessed. Only an independent Information Security Registered Assessors Program (IRAP) assessor can perform this assessment. Providers should request a copy of a current IRAP assessment of the cloud service before contacting the program.
- Any agreement with a supplier of cloud storage services must include an agreement that the client records will be hosted on an Australian server, will not be disclosed outside Australia and that the records will be encrypted to at least the equivalent of Unclassified with a Dissemination Limiting Marker of Sensitive: Personal or Official with an Access‑Information Management Marker of Personal-Privacy.
Related Articles
HSP Data Compliance Survey Questions - MS Azure documents and survey overview
Contracted Service Provider Notice Use of Cloud Services for storage of client records (CSPN - 202014) The HSP Compliance survey is for clients currently using cloud services for the storage of client records. See below questions on the survey and ...
How to update Hearing Services Program Maintenance Agreement – 1 October 2023
How to update Hearing Services Program Maintenance Agreement – 1 October 2023 Please refer to the attached Hearing Services Program maintenance agreement form.docx Navigate to Config > System > Document Comments Select Type HSP Maintenance Terms . ...
HSP E-Claiming Guide - Send / Receive Claims
1.1 HSP E-Claim Export/Import Overview When a file is created to send to HSP it marks the claims as 'Pending' and locks it so it can’t be changed. When HSP returns the file, and it is imported to Manage the following happens: · The claim status is ...
HSP configuration
HSP configuration module provides integration with Australian Government Hearing Services Program. It enables Manage users to prepare claims for the HSP portal and import claims processed by HSP. General On this tab, you can specify whether your ...
HSP MS Azure Certification that Data is hosted in Australia delete - duplicate
Typically a new customer's HSP contract would indicate that their data is being hosted in Australia. If proof is required, here are the 3 documents downloaded from the Azure website on 22 April 2021.