Skip to main content

Updates and news

25 June 2026:  Letter to implementers from the Agency’s Chief Digital Officer

Frequently asked questions

When does EP CP2.3 sunset?

EP CP2.3 is due to be sunset on 30 September 2026.

Why is EP CP2.3 being retired?

EP CP3.0 was published on 16 April 2021 and republished as EP CP3.0.1 on 22 December 2022 following editorial changes to reflect the move to a single National Prescription Delivery Service (NPDS).

EP CP2.3 is being retired to ensure all connected systems meet current clinical-safety, security and privacy requirements

  • Only active and verified IHIs may be used in prescriptions and ASL transactions, reducing patient identification risks. 
  • Systems operating outside their conformant configuration must not interact with the NPDS/ASLR, protecting system integrity. 
  • Enhanced transmission-failure handling requires automatic cancellation and user notification to reduce clinical risk from uncertain prescription status.
  • Strong-password controls mandated where MFA is not used. 
  • Secure password storage required using salted ASD-approved hashing algorithms. 
  • Internet-facing systems must check credentials against known breached-password sources and force password resets where compromised credentials are detected. 
  • Encryption of personal and sensitive information in transit is explicitly mandated. 

How can implementers ensure that the testing process does not carry them past the sunsetting date?

Implementers who submit a mature self-assessment by 31 July 2026 will be prioritised to ensure testing can be completed before the EP CP2.3 sunsetting date, subject to timely responsiveness during the conformance testing process.

What does the deadline of 31 July 2026 represent?

To clarify logistics and empower industry, all implementers that submit their test evidence by 31 July 2026 will be allocated a testing session prior to the conformance profile sunset date. 

By making the guarantee of testing availability to implementers that meet this submission date, the Agency aims to address concerns that circumstances outside the control of implementers may prevent them from reaching conformance by 30 September 2026, when CP2.3 expires. This guarantee of testing availability to implementers who submit test evidence by 31 July 2026 should provide certainty to those participants that have not yet achieved conformance with CP3.0.1 that testing capacity constraints will not be a barrier to successful registration.

What happens to systems that do not meet the deadline of 30 September 2026 for conformance?

Systems that do not meet the deadline will be enrolled in a case-management process where the individual circumstances of the system’s readiness and its client base are considered.  Participation in case management does not automatically extend conformance status and any operational impacts will be considered on a case-by-case basis.

Is there an escalation process for concerns about the progress of my system through the conformance pipeline?

Any concerns regarding the conformance process can be raised via ConnectedCare.escalations@digitalhealth.gov.au.  This email address is monitored at a senior level within the Australian Digital Health Agency.

Conformance Requirement Specific FAQs

Our system is only used for telehealth. Do we need to meet conformance requirements that don’t align to our business model?

Yes. The Agency does not have discretion to assign Conformance IDs to systems that do not meet the full suite of conformance requirements in a conformance profile.

When submitting test evidence for assessment against CP v3.0.1, can we include some test results using requirements from draft CP v4.0? 

We perform assessment for only one conformance profile version.  At this stage the only available conformance profile to assess systems against is CP3.0.1.

PRES-24 requires the display of "all data fields" to the prescriber. Does the system need to represent data that is already stored in the GUI, on layers behind the screen or stored elsewhere in the system?

Yes. Prescribers must be given an opportunity to review the prescription in full prior to issuing, and make any required amendments, to ensure patient safety.

PRES-18 has a requirement for “Hospital Provider Number (HPN), if it exists”.  Can you please confirm if this pertains to the physical Hospital’s location provider number (when the ePrescription is prescribed from a hospital location).  What is the format for this number (is it similar to a provider’s location provider number, or something different).

Hospital Provider Number is the number that is administered by Services Australia. For more information about the format and use you may contact Services Australia.

Is it mandatory for our system to connect to the NPDS and the ASLR? 

The connection requirements for each software system type are:

  • Dispensing systems must connect to the NPDS and ASLR. 
  • Prescribing systems must connect to the NPDS. It is optional for prescribing systems to connect directly to ASLR. 
  • Mobile Intermediaries can connect to the NPDS, ASLR or both. 
  • Mobile Applications must only connect to a Mobile Intermediary.

What’s the difference between Electronic Prescription and Evidence of Prescription? 

Electronic Prescription is an electronic clinical document containing all the information required to dispense medicine to an individual. It is recognised by law and pharmacies can dispense from it.

Evidence of Prescription is a short electronic document that is sent via SMS or email to Subject of Care It contains a token (QR code or URI) which can be scanned by a pharmacist in order to retrieve the prescription. It is illegal to dispense from an Evidence of Prescription.

v3.0.1 requires stronger passwords and security compared to previous profile versions. Will users be expected to provide new and stronger passwords when v3.0.1 software goes live?

If the software product has a feature that automatically expires old passwords then no action is required as those passwords will be automatically upgraded during the normal use of the software product.

If the software product does not expire passwords then the user will need to be prompted to do so on first use of the v3.0.1 software product.