Guideline to secure messaging requirements for ePIP

The National E-Health Transition Authority (NEHTA) has released a guide for general practices to verify that their secure messaging service complies with the requirements of the eHealth Practice Incentive Program (ePIP), due on February 1.

The guidelines also contain advice for secure messaging companies and for IT support companies or Medicare Locals on the steps they need to go through to ensure that an SMD-compliant secure messaging product also complies with the ePIP requirement.

For general practices, the guidelines state that practices must first obtain a Healthcare Provider Identifier – Organisation (HPO) before selecting a standards-compliant product from NEHTA's ePIP product register or checking to see if the product used is listed as compliant.

Practices must also obtain a NASH PKI digital certificate for HPOs (previously known as the Department of Human Services' eHealth record organisation PKI certificate), which is the authentication mechanism to access a patient's PCEHR and was given approval as the same for secure messaging in late November.

The guidelines state that all of the products listed on the ePIP register for secure messaging – including Argus, HealthLink and Medical-Objects – conform to the required specifications.

Some clinical software products have an inbuilt secure messaging component, such as Medical Director's MDExchange, while others have worked with one or several of the secure messaging providers to ensure compliance. Medical Director has an agreement with HealthLink, for example, while Best Practice uses Argus as the default service, although practices can elect to use a different one.

The guidelines strongly recommend that if practices have yet to choose an SMD product, they seek advice from their clinical software provider to ensure the products are compatible.

While most practices will use the secure messaging provider or an external IT company to install and configure the SMD product, NEHTA warns that practices will still need to complete some tasks.

These include publishing and linking the practice's HPI-O and the practitioners' HPI-Is on the Healthcare Provider Directory (HPD). Practices can access the HPD through Health Professional Online Services (HPOS).

This listing should be accompanied by details of the practice’s endpoint location service (ELS). The ELS is usually operated by the secure messaging provider, although the National Health Services Directory is also building an ELS directory.

NEHTA has also provided a commissioning requirements checklist that must be completed, signed and retained as evidence that the SMD product has been properly installed and configured.

For a copy of the guidelines, go to and click on PIP Implementation Overviews, then Secure Messaging Capability, and download the commissioning requirements PDF.

Posted in Australian eHealth

You need to log in to post comments. If you don't have a Pulse+IT website account, click here to subscribe.

Sign up for Pulse+IT eNewsletters

Sign up for Pulse+IT website access

For more information, click here.

Copyright © 2022 Pulse+IT Communications Pty Ltd
No content published on this website can be reproduced by any person for any reason without the prior written permission of the publisher.
Supported by Social Media Agency | pepperit