5 RACGP IT Requirements You’re Probably Failing Without Knowing
Most clinics pass accreditation but still miss key RACGP IT requirements without realising. Here are the five areas Australian practices fail most often and how to fix them.
12/5/2025, 5 min read
Most Australian medical practices genuinely believe they are doing the right thing when it comes to IT and data security. There is a lot of effort that goes into accreditation, paperwork, staff training, quality improvement, and providing safe patient care every day. But the reality is that meeting RACGP accreditation and being truly compliant in daily operations are two very different things.
Many clinics pass accreditation successfully and still have serious gaps in the way they store, access, and protect patient information. The most common reason is not neglect or carelessness. It is simply that things change quickly in technology and policies fall out of date without anyone noticing.
RACGP’s 5th Edition Standards outline very clear requirements for information security, privacy, risk management, and clinical governance. But what is written on paper is often not what happens in real life. When systems are rushed, staff are busy, people share accounts to save time, backups are assumed to work, emails are used informally, or IT is left to “we will fix it later”, the risk grows quietly in the background.
What is RACGP?
RACGP stands for The Royal Australian College of General Practitioners. It provides the national standards that clinics must meet to maintain accreditation, including governance, safety, privacy, data handling, business continuity, and technology requirements. These standards are designed to ensure that patient information is protected and that practices operate safely and reliably every day.
Even though most clinics aim to follow RACGP guidelines, almost every practice fails at least one of the IT-related checks without realising it. This is especially common in smaller clinics or busy multi-site practices that rely on shared systems or older technology.
This article breaks down five of the most commonly overlooked RACGP IT requirements and provides a simple checklist to help you review your own environment. You may be surprised how many apply to you.
1. Encryption and Data Protection
Encryption sounds technical, but the principle is simple. Patient data needs to be unreadable to anyone who should not access it. This includes data stored on servers, laptops, hard drives, and in transit between devices.
Too many clinics assume encryption is something that automatically happens. In reality, many Australian practices are storing large amounts of unencrypted patient data without realising it. If a laptop is stolen or a hard drive fails, that information can be accessed if encryption was never enabled.
Checklist
All computers and laptops have full disk encryption enabled.
All portable devices are encrypted and protected with strong passwords.
The server is encrypted, and you have proof, not just someone’s word.
Data transferred between the clinical database and remote locations is encrypted end-to-end.
Removed or retired hard drives are wiped securely before disposal.
USBs are not used for sensitive data unless encrypted.
Common failure points
Old laptops used by doctors for home visits.
USB drives used for reports or exports.
Portable backups without encryption.
Machines temporarily given to locums or students.
If you cannot confirm encryption with certainty today, it probably means it is not configured properly.
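The "proof, not just someone's word" item is the one most clinics cannot answer on the spot. The following is an added example, not code from the article or from Innova IT Solutions: a PowerShell script run on each Windows computer that records BitLocker status to a dated CSV for the accreditation evidence folder. It assumes an elevated PowerShell session, the built-in BitLocker module (not available on Windows Home editions), and the evidence path is an assumed placeholder.

```powershell
# Added example (not from the article): collect full-disk-encryption evidence
# from a Windows endpoint so the checklist item has a dated record behind it.
# Assumes the built-in BitLocker module and an elevated session; the evidence
# directory is an assumed placeholder.
$EvidenceDir = 'C:\Accreditation\Evidence\Encryption'   # assumed location, change to suit
New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null

$report = foreach ($vol in Get-BitLockerVolume) {
    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        Drive            = $vol.MountPoint
        VolumeType       = $vol.VolumeType           # OperatingSystem or Data
        ProtectionStatus = $vol.ProtectionStatus     # 'On' means protection is actually enforcing
        VolumeStatus     = $vol.VolumeStatus         # FullyEncrypted, EncryptionInProgress, FullyDecrypted
        PercentEncrypted = $vol.EncryptionPercentage
        KeyProtectors    = ($vol.KeyProtector.KeyProtectorType -join ';')  # e.g. Tpm;RecoveryPassword
        Checked          = (Get-Date).ToString('s')
    }
}

# Anything that is not both 'On' and 'FullyEncrypted' is a finding, not a pass.
# A volume can be FullyEncrypted with protection suspended (Off), which still fails.
$failures = $report | Where-Object {
    $_.ProtectionStatus -ne 'On' -or $_.VolumeStatus -ne 'FullyEncrypted'
}

$file = Join-Path $EvidenceDir ("bitlocker-{0}-{1:yyyyMMdd}.csv" -f $env:COMPUTERNAME, (Get-Date))
$report | Export-Csv -Path $file -NoTypeInformation
$report | Format-Table -AutoSize

if ($failures) {
    Write-Warning ("{0} volume(s) on {1} are not fully protected: {2}" -f
        @($failures).Count, $env:COMPUTERNAME, ($failures.Drive -join ', '))
    exit 1
}
Write-Host "All volumes on $env:COMPUTERNAME are BitLocker protected. Evidence saved to $file"
```

Run it on every desktop, laptop and server on a schedule and keep the CSVs; a folder of dated reports is the kind of evidence an assessor can accept, whereas a verbal "yes, it's encrypted" is not. Portable drives and USB sticks show up as Data volumes when plugged in, so the same script covers them.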
2. User Access Control
RACGP guidelines require individual user accounts and access levels based on job roles. Shared logins are one of the most common failures, and yet many practices still use the same password for multiple staff members to save time or avoid admin work.
Shared accounts remove accountability, increase insider risk, and create major investigation problems after incidents. They also make it impossible to track who made changes, who viewed records, and whether inappropriate access occurred.
Checklist
Every user has their own unique login and password.
Access levels are assigned based on responsibilities, not one-size-fits-all.
Accounts for past employees are removed immediately.
Temporary staff have expiry dates on their access.
Two-factor authentication is enabled wherever possible.
Admin permissions are restricted to only those who truly need them.
Common failure points
Receptionists with admin-level access.
Doctor accounts shared with students or nurses.
Accounts left active for staff who left months ago.
Non-clinical staff able to access sensitive data unnecessarily.
If your clinic still uses shared logins, you have already failed one of RACGP’s 5th Edition checks.
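The access-control checklist above is mostly a question of knowing which accounts exist, who has not used theirs, and who holds admin rights. As an added example (not code from the article or from Innova IT Solutions), here is a quarterly audit script for a clinic running on-premises Active Directory. It assumes the RSAT ActiveDirectory module and an account allowed to read the directory; the 90-day threshold, the privileged group names and the evidence path are assumptions to adjust to the practice's own access policy.

```powershell
# Added example (not from the article): quarterly user-access audit for an
# on-premises Active Directory domain. Assumes the RSAT ActiveDirectory module;
# the inactivity threshold, group list and output path are assumptions.
Import-Module ActiveDirectory

$InactiveDays = 90
$EvidenceDir  = 'C:\Accreditation\Evidence\Access'      # assumed location
New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd'

# 1. Enabled accounts nobody has logged into for $InactiveDays days:
#    usually leavers, or "spare" logins that were never cleaned up.
$stale = Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($InactiveDays)) -UsersOnly |
    Where-Object { $_.Enabled } |
    Get-ADUser -Properties LastLogonDate, Description |
    Select-Object SamAccountName, Name, LastLogonDate, Description

# 2. Enabled accounts with no expiry date. Permanent staff legitimately appear
#    here; temporary staff, locums and students should not.
$noExpiry = Get-ADUser -Filter 'Enabled -eq $true' -Properties AccountExpirationDate, Description |
    Where-Object { -not $_.AccountExpirationDate } |
    Select-Object SamAccountName, Name, Description

# 3. Who actually holds administrative rights. Every name here needs a reason.
$privGroups = 'Domain Admins', 'Administrators'          # assumed list; add others you use
$admins = foreach ($g in $privGroups) {
    try {
        Get-ADGroupMember -Identity $g -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            Select-Object @{ n = 'Group'; e = { $g } }, SamAccountName, Name
    } catch {
        Write-Warning "Could not enumerate group '$g': $_"
    }
}

$stale    | Export-Csv (Join-Path $EvidenceDir "inactive-accounts-$stamp.csv")  -NoTypeInformation
$noExpiry | Export-Csv (Join-Path $EvidenceDir "no-expiry-accounts-$stamp.csv") -NoTypeInformation
$admins   | Export-Csv (Join-Path $EvidenceDir "privileged-members-$stamp.csv") -NoTypeInformation

"Inactive more than $InactiveDays days : $(@($stale).Count)"
"No expiry date set                : $(@($noExpiry).Count)"
"Privileged group members          : $(@($admins).Count)"
```

Review the three CSVs with the practice manager and disable or expire anything that cannot be justified, then file the reviewed copies as evidence. Note what this does not catch: a genuinely shared login looks like one busy account in the directory, so shared use of clinical software has to be confirmed from that software's own user list and its audit trail, not from Active Directory alone.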
3. Backups and Data Recovery
Most clinics believe their backups are working, but have never actually tested restoring data. A backup that has not been tested might as well not exist.
Backup failures are one of the top causes of data loss in Australian medical practices. The system may be running, but files may be corrupted, incomplete, or inaccessible. If the server fails, ransomware hits, or a natural disaster occurs, it is too late to discover that the backup has not worked for months.
Checklist
Backups run daily and are automatically monitored.
Backups are stored in multiple locations including offline or cloud.
Backups are encrypted and protected from ransomware.
A full restore test is performed regularly and documented.
You know exactly how long recovery will take and what the worst case looks like.
Common failure points
Someone assumes backups are working but has never checked.
Backups stored on the same device that could fail.
Backups encrypted by ransomware because they are online and accessible.
Only partial data is backed up, not the full system.
RACGP requires evidence of regular testing. If you do not have written proof, it will not count.
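A restore test only counts if it is repeatable and written down. The script below is an added example, not code from the article or from Innova IT Solutions: it checks that the newest backup is fresh, restores a random sample of files to a scratch folder, and proves they are byte-identical to the live copies, logging each result to a dated evidence file. It assumes file-based backups under $BackupRoot that mirror the source tree under $SourceRoot; those paths, the 26-hour limit and the log location are assumptions. The clinical database itself needs the vendor's own restore procedure on top of this.

```powershell
# Added example (not from the article): backup freshness check plus a small,
# logged restore test. Paths and the age limit are assumptions.
$SourceRoot  = 'D:\ClinicData'                        # assumed live data location
$BackupRoot  = '\\backup-nas\clinic\daily'            # assumed backup target
$EvidenceLog = 'C:\Accreditation\Evidence\Backups\restore-tests.log'  # assumed
$MaxAgeHours = 26                                     # a daily job older than this has missed a run

New-Item -ItemType Directory -Path (Split-Path $EvidenceLog) -Force | Out-Null
function Write-Evidence([string]$Message) {
    $line = "{0:s} {1} {2}" -f (Get-Date), $env:COMPUTERNAME, $Message
    Add-Content -Path $EvidenceLog -Value $line
    Write-Host $line
}

# Step 1: is the backup actually current?
$newest = Get-ChildItem -Path $BackupRoot -Recurse -File -ErrorAction Stop |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $newest) { Write-Evidence "FAIL no backup files found under $BackupRoot"; exit 1 }
$age = (Get-Date) - $newest.LastWriteTime
if ($age.TotalHours -gt $MaxAgeHours) {
    Write-Evidence ("FAIL newest backup is {0:N1} hours old ({1})" -f $age.TotalHours, $newest.FullName)
    exit 1
}
Write-Evidence ("PASS newest backup is {0:N1} hours old" -f $age.TotalHours)

# Step 2: restore a random sample and prove it matches the live copy.
# A backup that exists but cannot be restored intact is what this catches.
$scratch = Join-Path $env:TEMP ("restore-test-" + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $scratch -Force | Out-Null
$sample = Get-ChildItem -Path $SourceRoot -Recurse -File | Get-Random -Count 5
$failed = 0
foreach ($src in $sample) {
    $rel    = $src.FullName.Substring($SourceRoot.Length).TrimStart('\')
    $bak    = Join-Path $BackupRoot $rel
    $target = Join-Path $scratch $rel
    if (-not (Test-Path $bak)) { Write-Evidence "FAIL missing in backup: $rel"; $failed++; continue }
    New-Item -ItemType Directory -Path (Split-Path $target) -Force | Out-Null
    Copy-Item -Path $bak -Destination $target
    $restoredHash = (Get-FileHash $target -Algorithm SHA256).Hash
    $liveHash     = (Get-FileHash $src.FullName -Algorithm SHA256).Hash
    if ($restoredHash -eq $liveHash) { Write-Evidence "PASS restored and verified: $rel" }
    else { Write-Evidence "FAIL hash mismatch: $rel"; $failed++ }
}
Remove-Item -Path $scratch -Recurse -Force
Write-Evidence ("Restore test finished: {0} of {1} sample files failed" -f $failed, @($sample).Count)
if ($failed) { exit 1 }
```

Schedule it daily and keep the log; a FAIL line on a file that was edited after last night's backup is expected and should be re-run, whereas repeated mismatches or missing files mean the backup job is not doing what everyone assumed. Files held open by clinical software may refuse hashing, so run the test outside clinic hours. For the yearly full-system test the checklist asks for, this script is the daily smoke test, not a substitute.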
4. Email and Communication Policies
Email is the number one entry point for cyberattacks in Australian businesses. RACGP standards require secure handling of patient information and safe use of email systems.
Yet email is often where clinics take the most shortcuts. Free email platforms, personal email accounts, or informal forwarding all appear convenient until something goes wrong. Sending patient records without encryption or using personal Gmail accounts to contact specialists or labs is considered a breach.
Checklist
Staff are trained on safe email use and phishing prevention.
A written policy exists and is actively followed.
Clinical or patient information is not sent unencrypted.
Personal email accounts are not used for work communication.
There is a secure method for sending and receiving sensitive records.
Attachments are protected with a password or sent through secure messaging tools.
Common failure points
Staff forwarding emails to personal accounts to check from home.
Doctors using personal email instead of secure messaging tools.
No training on phishing or email safety.
No control over who can send or receive external emails.
The weakest inbox becomes the entry point for the entire network.
5. Disaster Recovery and Business Continuity Testing
RACGP requires clinics to have a plan for system failure, disaster events, cyberattacks, and operational interruptions. Most practices have at least a basic plan, but very few test it properly.
A disaster recovery plan that has never been tested is just a document. You only know if a plan works when you simulate a real scenario.
Checklist
A documented disaster recovery and continuity plan exists.
Everyone knows who is responsible for what during an emergency.
The clinic can operate temporarily without its main systems.
Staff know how to handle appointments and prescriptions when systems fail.
The plan has been tested at least once in the last 12 months.
Results of the test were reviewed and improvements made.
Common failure points
Nobody knows where the document is.
Only one person understands how the server works.
No documented process for cyberattacks or system downtime.
Testing is skipped to save time.
A disaster is not the time to discover that your plan does not work.
So How Did You Score?
If you read through the five categories and found more than one weakness, you are not alone. Most practices fail at least two or three without knowing.
The goal is not perfection. It is progress. RACGP standards are designed to protect patient data, reduce operational risk, and prevent situations that could damage trust, reputation, or financial stability.
Improving these areas builds resilience, protects staff and patients, and ultimately strengthens your clinic.
What matters most is being honest about where you are now and taking the next step.
Not sure where your clinic stands or what to fix first? Book a free IT check here, and let us walk through the five RACGP requirements with you. We will help you understand what is working, what needs attention, and how to protect your clinic in a simple and realistic way.
© 2025 Innova IT Solutions. All rights reserved.