lock and key

Sign in to your Emdat InQuiry account.

Account Login

Forgot your password?

Providing the security to care for your privacy

What is this document?

Below is a brief outline of the HPP Guidelines that may apply to the dictation and transcription of Medical records. For a complete overview of the Guidelines, please visit Both the Privacy Act and the Health Records Act applies to the private sector. As such, patients in the private sector will be able to exercise rights under both schemes. Under both schemes, health information must be information from which an individual's identity is apparent or could reasonably be ascertained. As such, de-identified information is not the focus of the new privacy laws.

Below are pertinent points that relate to document security with particular regard to Internet security. As such, de-identified information is not the focus of the new privacy laws.


Information that is retained should be protected against misuse, loss, unauthorised access and modification. TRANSBORDER DATA FLOWS.


Information should generally only be transferred outside Australia where the recipient is subject to laws substantially similar to the NPP's

Collection of information


The key elements of consent are that it be:

  • Given voluntarily -- individuals must be able to exercise of genuine choice about granting or withholding consent without pressure or duress.
  • Informed -- the individual must be made aware of and understand the implications of their consent, after having received appropriate information.

Express And Implied Consent.

The following scenario is a taken from the federal guidelines to illustrate implied consent.

An individual presents to medical practitioner, discloses health information, and this is written down by the practitioner during the consultation. This will generally be regarded as giving implied consent to the practitioner to collect information for certain purposes. The extent of these purposes will usually be evident from the discussion during the consultation.

Consent not need be in writing the patient need not necessarily fill out any particular documentation.

Security Of Information.

This principle requires the health service provider to have security safeguards in place to protect health information. These safeguards apply to personal information held in paper for, electronically, and on audio or videotaped.

Given the sensitivity of health information reasonable steps need to be taken by an organisation in securing health information and they should reflect a very high standard of security.

If personal information is not securely stored and managed there is an increased risk of privacy breaches. Therefore, the principle requires that steps be taken to protect information against both accidental loss and intentional practices that may lead to breaches of security include

  • Leaving medical notes unattended as a public counter,
  • Not disposing of health records in a secure manner, inadequate controls regarding which staff can access health information this might include inadequate password control and
  • Storing sensitive data on a laptop computer that is taken off site and not stored securely. Review your security arrangements.
  • Make sure that your storage transfer and disposal systems for both paper and electronic records are secure
  • Computer screens and patient records should be out of view of other people.
  • Computers should have firewalls, password protection and encryption tools for the transfer of the health records to help stop any potential compromise to patient records. Further, you should build audit trails into the computer system so that any misuse of information can be traced.

Ensure That Commercial Contractors Comply With The Privacy Laws. Information technology contractors or other third party contracts who would have access to personal information held by your organisation should be asked to provide assurances that they will comply with the privacy laws

Data Security And Email Regulations

Reasonable steps to comply with the guidelines included ensuring information is securely transferred; for example not transmitting health information via non-secure e-mail and monitoring information systems to test and evaluate and data security

Email And The Internet.

This is a paste from NSW Department of Health

9.1.4 The Internet

  • It is acknowledged that the Internet is an efficient and cost-effective way of transmitting data between the public health system and authorised health care providers in the private sector. However it must also be recognised that there is community concern about some aspects of its use. It is essential to ensure that the privacy and integrity of personal health information transmitted via the Internet is protected to a high level by appropriate policies and procedures encompassing both administrative practices and data security. The broad guidelines set out below represent minimum standards for Internet transmission of personal information between the public health system and authorised external users. Administrative procedures

  • Technological safeguards can provide a high standard of protection against security incidents such as system intruders. However such incidents are less likely to be the occasion of a breach than a lapse in good practice involving human factors. Data security

The level of data security should be adequate to ensure:

  • Data privacy - the message is encrypted in whole or in part so that interceptors cannot read its contents.
  • Message content integrity - the message received by the recipient is exactly as transmitted by the sender and has not been tampered with either accidentally in transit or intentionally by an infiltrator.
  • Non-repudiation of message content - the sender cannot deny being the source of a message nor can the recipient deny receipt. Standards

The trend is towards the use of a Public Key Infrastructure Framework to ensure acceptable data security when transmitting information across an open network such as the Internet. Public key infrastructure involves encrypting or scrambling data at one end and unscrambling it at the other using paired keys to encrypt and decrypt.

The following processes should conform to a generally recognised standard such as Standards Australia's PKAF (Public Key Authentication Framework):

  • Message authentication, validation and non-repudiation encryption algorithm
  • Establishing user identification and authentication
  • Management of encryption key generation, distribution and storage
  • Registration and certification processes.

Notes from Emdat Re HPP9 And Email

Transborder Data Flows.


Information should generally only be transferred outside Australia where the recipient is subject to laws substantially similar to the NPP's

Our server is situated in Chicago Illinois, where the American HIPPA Laws are substantially similar to the NPP's.

Transferring via FTP or any other means to INDIA, where creation of word documents is undertaken, is a breach of the Guidelines, as India does not have any similar Laws.

Under both schemes, health information must be information from which an individual's identity is apparent or could reasonably be ascertained.

In Medical Documentation, Identified data is collected. Emdat technology automatically removes the dictation and identified data from a workstation as soon as the typist completes the transcription. Word documents must, by nature, be saved to a hard drive before they can be sent anywhere. Word documents are the most non-secure format to use for Medical Transcription, and unless highly supervised in-house, should never be used by out-source contractors. An "At Home" typist will have your sensitive patient information stored on her hard drive if working in word.

All Licensed Emdat Transcription Partners Comply with NPP. Emdat uses its own secure proprietary program, InScribe for transcription. All contractors supplied with emdat passwords have signed confidentiality agreements, and our secure technology takes care of "accidental" breaches, ie dictation and transcription is not saved to local workstations.

Emdat does not use non-secure email. All document delivery solutions satisfy the rigid security requirements.

Audit Trail

Complete logging of all modifications made to each and every document, including editor, editor's role, time of edit, and purpose of edit.

Emdat is fully encrypted during the entire Internet transfer process – voice and text.

Disaster Prevention/Recovery

Our data centre facilities are the best in the industry and ensure detailed disaster prevention/recovery procedures to manage and minimize damage or disruption and ensure stability in case of a disaster. Our dynamic-mode backup system is operational 24 hours per day with no data loss or interruption in service in the event of system failure.

Data Storage and Transmission Features

Secure physical storage of all data and secure transmission. This includes constant surveillance by network experts; premises protected by armed guards, backup generators, and securely encrypted transmission between emdat servers and user machines.

emdat services provide complete workflow solutions via a secure browser interface. Users of InQuiry require only a browser to access these services. The software runs on servers hosted by emdat.

The importance of browser-based technology lies in the deployment of our software. While non-browser-based systems require you to download the program (typically many megabytes in size) and install it on your computer, emdat's core workflow administration and management applications require nothing more than a browser on the end-user's desktop.

Unlike other ASP solutions that require the trancriptionist to use Microsoft Word, emdat has provided specific proprietary word processors or tools. emdat has built its core applications to work on dial-up modems, regular computers and require extremely small (typically less than 3mg) software downloads for applications. emdat systems perform the required document format conversion so that users can retain their existing infrastructure and productivity tools wherever possible. Emdat can create an HL7 document for placing in your EMR, and integrates with all major Australian software.

In Summary

Why entrust your sensitive patient information to just anyone? As your partner in the management of your secure data, emdat has ensured compliance with all Privacy Laws, and can offer you peace of mind. A home based typist, secretarial service or "Transcription Company" cannot. The minute anyone mentions email, or Microsoft word, you should run a mile – these people are putting you at risk! Emdat allows Doctors to see more patients, administrators to streamline management of files, and Hospitals and Practices to do what they do best – Care for patients!