Who Is Really Logged In?

User management is one of those tasks that slips down the priority list when the phones are ringing and the waiting room is full. But it supports three things that matter every day: cyber security, clinical audit trails, and smoother billing workflows.

It is also worth reviewing now, with modernised Assignment of Benefit processes on the horizon for bulk billed and simplified billing services.

How many staff are sharing an account right now?

Shared logins usually start for practical reasons. A “Treatment Room” user on the ECG workstation. A shared reception login because it feels quicker. A generic admin account that everyone knows.

The challenge is that shared accounts make it harder to track who did what, and they can compromise security. Australian Government cyber security guidance aimed at small businesses explicitly states that sharing accounts can make it difficult to track malicious activity and recommends creating an account for each staff member, wherever possible.

A quick check:

  • Could you identify who booked a specific appointment?
  • Could you identify who recorded or imported a result?
  • If something looks suspicious, could you isolate the issue to one person rather than disrupting the whole team?

Reception logins and booking accountability

Here is a scenario that most practices have seen.

An appointment is booked into the wrong session time. The clinic runs late, the patient is frustrated, and you want to provide coaching and feedback so it does not happen again.

If reception staff share a login, you lose the clean link between the action and the individual. Even if you have a fair idea who made the booking, you cannot rely on the system history to support a constructive conversation, targeted training, or ongoing improvement.

What helps:

  • Give each receptionist their own login.
  • Keep access consistent using role-based permissions, so everyone can do their job without overreaching.
  • Make “use your own login” part of onboarding and refresh it during team meetings.

Treatment Room logins and the clinical audit trail

Shared “Treatment Room” logins are especially risky when clinical information is being recorded.

A common example is an ECG machine connected to a workstation, with nurses using a single generic user account. It may feel efficient, but your audit trail may not clearly show which nurse recorded the ECG.

That matters for clinical governance, patient queries, incident reviews, and quality improvement.

A better approach:

  • Keep the device workflow working, but have each nurse sign in using their own user account.
  • If you truly need a shared workflow temporarily, treat it as an exception. Keep a list of who has access, and change login details when staff change roles or leave.

Are staff details, including email addresses, up to date?

User management is not only about logins and passwords.

Accurate staff details can improve the behaviour of third-party applications and integrations. Many tools work best when each staff member is uniquely identified for notifications, auditing, support requests, and access approvals.

A quick tidy-up can make a real difference:

  • Confirm every active staff member has the correct name, role and email address.
  • Check permissions still match what they do today.
  • Remove duplicates and old user records that can create confusion.

User lists tend to grow over time, especially in practices with casual staff, students, and contractors.

From a security perspective, old accounts should be addressed promptly. The longer an account remains active after someone leaves, the greater the risk you face and the harder it is to keep things tidy.

A practical approach that works for many practices:

  • Monthly: review active users.
  • Immediately: deactivate accounts for staff who have left the practice, ideally the same day.
  • Periodically: review who has elevated access permissions and whether they still need

The OAIC’s Notifiable Data Breaches reporting continues to show health service providers as the leading sector reporting breaches, which is a useful reminder that simple controls can have real value.

Third-party access and database security

Most practices rely on external support at some point, whether that is an IT provider or another third party. That is normal. The key is keeping it controlled and well recorded.

Ask yourself:

  • Does each third party have a named account, rather than a shared “IT Support” login?
  • Is access limited to what they need?
  • Are passwords strong and unique?
  • Is access removed when it is no longer required?

If you cannot answer those questions quickly, it is worth tightening up. Even in a small practice, third-party access is an area where good habits pay off.

Medicare rejections and practice policy

This is where user management supports better billing governance.

Many practices find the biggest sticking point is Medicare rejections, not only resolving them, but also capturing them early enough and ensuring they are not resubmitted without the right checks.

Whether your process is digital or paper-based, it works best when responsibility is assigned to named individuals, with a trackable record of actions taken:

  • Who checks rejections, and how often?
  • Where are rejections recorded so nothing is missed?
  • What can be fixed immediately, and what needs escalation?
  • How do you confirm it is resolved before it goes back?

Clear ownership is much harder to achieve when multiple staff members are using the same login.

AoB changes and why user management matters

Assignment of Benefit (AoB) is the process by which a patient assigns their Medicare benefit so it can be paid directly to the provider, which underpins bulk billing.

Changes are coming that modernise this process, including electronic options that reduce reliance on paper-based steps. The current commencement date for the new AoB processes for Medicare bulk billed and simplified billing services is 1 July 2026.

As claiming and consent-related workflows become more digitally enabled, traceability becomes even more important. Named users make it easier to confirm who completed key steps and to investigate issues quickly when something does not look right.

Best Practice Software is working on an implementation for secure logins and web forms to support an electronic Assignment of Benefit form for patients. 

A practical user management checklist

If you are looking for a simple place to start, focus on a few practical changes that reduce risk quickly and make day-to-day workflows easier to manage. Small improvements in user management also set your practice up for what is coming next across the industry.

  • Replace shared reception logins with individual user accounts.
  • Replace shared Treatment Room logins with individual clinician logins, especially where results are recorded from devices.
  • Confirm staff details are accurate, including email addresses. Remove duplicates and outdated user records to reduce confusion. Deactivate staff accounts for those who have left the practice on the same day, wherever possible.
  • Review third-party access and ensure it is named, documented, and secured.
  • Document your Medicare rejection handling process with clear ownership and a simple tracking method.
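
The user review steps in the checklist above can be run as a repeatable check over a user list export. The following is an added example, not Best Practice Software's code: the CSV columns, role names, generic-name keywords and sample rows are all constructed assumptions, and the name match is a simple heuristic.

```python
import csv
import io
from collections import Counter
from datetime import date

# Constructed sample export; column names and values are assumptions, not a real product format.
SAMPLE_EXPORT = """username,full_name,role,email,active,elevated,left_on
jsmith,Jane Smith,Reception,jane.smith@clinic.example,yes,no,
treatmentroom,Treatment Room,Nurse,,yes,no,
akhan,Aisha Khan,Nurse,aisha.khan@clinic.example,yes,no,2025-03-14
itsupport,IT Support,Contractor,help@msp.example,yes,yes,
jsmith2,Jane Smith,Reception,jane.smith@clinic.example,yes,no,
pmgr,Pat Lee,Practice Manager,pat.lee@clinic.example,yes,yes,
"""

# Assumed keywords for shared/generic accounts and roles expected to hold elevated access.
GENERIC_WORDS = ("reception", "treatment", "admin", "support")
ELEVATED_ROLES = {"Practice Manager"}

def audit_users(export_text, today):
    """Return {username: [findings]} for active accounts that need attention."""
    rows = [r for r in csv.DictReader(io.StringIO(export_text))
            if r["active"].strip().lower() == "yes"]
    email_counts = Counter(r["email"].strip().lower() for r in rows if r["email"].strip())
    findings = {}
    for r in rows:
        issues = []
        name = (r["username"] + " " + r["full_name"]).lower().replace(" ", "")
        if any(w in name for w in GENERIC_WORDS):
            issues.append("generic or shared account name")
        email = r["email"].strip().lower()
        if not email:
            issues.append("missing email address")
        elif email_counts[email] > 1:
            issues.append("email shared with another active account")
        left = r["left_on"].strip()
        if left and date.fromisoformat(left) <= today:
            issues.append("still active after departure on " + left)
        if r["elevated"].strip().lower() == "yes" and r["role"] not in ELEVATED_ROLES:
            issues.append("elevated access outside expected roles")
        if issues:
            findings[r["username"]] = issues
    return findings

if __name__ == "__main__":
    for user, issues in audit_users(SAMPLE_EXPORT, date(2025, 4, 1)).items():
        print(user + ": " + "; ".join(issues))
```

Each finding is a prompt for a person to review the account, not an automatic deactivation.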

With updates to My Health Record and the modernisation of the Assignment of Benefit process on the way, strong user management frameworks are more important than ever. Accurate user details, appropriate access levels, and clear audit trails will help your practice stay prepared for the changes ahead.

For further guidance on improving your user management processes, contact our Training Team at [email protected].