SPQF
7

Practice Environment and Infrastructure

Our physical and digital environment supports safe care and a positive experience.

Version 1.0 - First Edition

Why This Domain Matters

The environment in which care is delivered is not a background consideration - it is a clinical one. A poorly maintained consulting room, an inaccessible entrance, an unreliable clinical system, or a cybersecurity incident can each cause direct harm to patients or to the people who care for them. Yet the physical and digital infrastructure of specialist practices is rarely subject to any formal quality standard.

This domain addresses the full scope of the practice environment: the premises patients walk into, the rooms in which they are examined or treated, the systems used to manage their care, and the plans that exist to keep the practice functioning when things go wrong. It also covers the practice's obligations around sterilisation, waste, and environmental safety - areas where lapses carry regulatory as well as clinical consequences.

A practice that scores strongly in Domain 7 is one where the environment itself reinforces the quality of care - where nothing about the physical space or the technology undermines the experience, the safety, or the dignity of the people who use it.

Quality Statements

Our rooms are designed, equipped, and maintained to support safe clinical practice.

Indicators

  • 7.1.1 All consulting rooms provide adequate space for clinical examination
  • 7.1.2 Consulting rooms include appropriate privacy screening and acoustic separation
  • 7.1.3 Adequate lighting is available for clinical assessment in all consulting rooms
  • 7.1.4 Procedure rooms are equipped with appropriate clinical furniture and fittings for the procedures performed
  • 7.1.5 Procedure rooms have documented equipment lists that are reviewed at least annually
  • 7.1.6 Emergency equipment appropriate to the risk profile of the practice is available, accessible, and maintained (including resuscitation equipment where applicable)
  • 7.1.7 Oxygen and suction equipment (where present) is checked and serviced in accordance with manufacturer recommendations
  • 7.1.8 Clinical equipment is calibrated and maintained in accordance with applicable standards or manufacturer instructions
  • 7.1.9 Equipment maintenance records are kept and reviewed
  • 7.1.10 Sharps containers, clinical waste bins, and hand hygiene facilities are accessible in all consulting and procedure rooms
  • 7.1.11 Temperature-sensitive medications and products are stored appropriately (where applicable)
  • 7.1.12 Crash trolley or emergency kit is checked at defined intervals and documented

Every patient can access and navigate our practice safely and with dignity.

Indicators

  • 7.2.1 The practice entry is step-free or has an accessible alternative entry route
  • 7.2.2 Accessible toilet facilities are available to patients (or their location is clearly communicated at booking)
  • 7.2.3 Consulting rooms can accommodate patients using wheelchairs, mobility aids, or bariatric equipment
  • 7.2.4 Signage is clear, readable, and guides patients from entry to reception and waiting areas
  • 7.2.5 The practice has a documented process for supporting patients who require additional assistance to access the building or rooms
  • 7.2.6 Booking and reception staff are aware of accessibility considerations and can assist patients proactively
  • 7.2.7 Patients with sensory impairments (hearing or vision) are accommodated in the practice communication and appointment process
  • 7.2.8 Interpreter requirements are identified at booking and appropriate arrangements are made (see also Domain 4)
  • 7.2.9 Car parking or public transport access information is provided to patients at the time of booking
  • 7.2.10 Emergency exit routes are clearly marked and accessible to patients with disabilities

Our premises are clean, safe, and free from environmental hazards.

Indicators

  • 7.3.1 A documented cleaning schedule exists and is followed for all clinical and non-clinical areas
  • 7.3.2 Cleaning products used are appropriate to the surfaces and areas being cleaned (including clinical-grade products in procedure areas)
  • 7.3.3 Cleaning records or logs are maintained
  • 7.3.4 Cleaning staff receive induction and ongoing training appropriate to clinical environments
  • 7.3.5 Enhanced cleaning is carried out after any contamination event
  • 7.3.6 The practice has a documented process for pest management
  • 7.3.7 Ventilation in consulting and procedure rooms is adequate and maintained
  • 7.3.8 Waiting areas and reception are maintained to a clean and presentable standard
  • 7.3.9 Physical hazards in the practice (e.g. trip hazards, trailing cables, unstable furniture) are identified and addressed
  • 7.3.10 The practice complies with applicable work health and safety requirements in relation to the physical environment

We reprocess reusable instruments in accordance with applicable standards and in a way that protects patient and staff safety.

Indicators

  • 7.4.1 A documented reprocessing procedure exists for all reusable medical devices used in the practice
  • 7.4.2 Reprocessing is conducted in accordance with AS/NZS 4815 (office-based healthcare) or AS/NZS 4187 (where a more complex procedure profile applies)
  • 7.4.3 Reprocessing is conducted in a dedicated area with appropriate separation of clean and dirty workflow
  • 7.4.4 Staff responsible for reprocessing have received documented training in the procedure
  • 7.4.5 Sterilisation equipment (autoclave) is tested, validated, and serviced in accordance with manufacturer instructions and applicable standards
  • 7.4.6 Sterilisation cycle records are maintained and include cycle parameters and load identification
  • 7.4.7 Instrument packaging is inspected prior to use and out-of-date or damaged items are removed from circulation
  • 7.4.8 Single-use devices are not reused
  • 7.4.9 The practice has a defined process for managing a reprocessing failure or instrument recall
  • 7.4.10 Where reprocessing is outsourced, the provider's credentials and compliance are verified and documented

We manage clinical and general waste safely, lawfully, and in a way that protects staff, patients, and the environment.

Indicators

  • 7.5.1 Clinical, sharps, pharmaceutical, and general waste streams are clearly separated and labelled
  • 7.5.2 Waste management procedures are documented and followed by all clinical and cleaning staff
  • 7.5.3 Sharps containers are approved, correctly labelled, not overfilled, and disposed of via a licensed contractor
  • 7.5.4 Clinical waste (including pathological waste) is collected by a licensed clinical waste contractor at appropriate intervals
  • 7.5.5 Waste disposal documentation (including contractor consignment notes) is retained for the required period
  • 7.5.6 Pharmaceutical waste (including expired medications) is disposed of via appropriate channels and not placed in general waste
  • 7.5.7 The practice complies with applicable state or territory waste regulations
  • 7.5.8 Staff are trained in waste segregation and the management of contamination incidents

Our IT systems are fit for purpose, kept up to date, and protected against foreseeable threats.

Indicators

  • 7.6.1 Clinical and administrative software is licenced, current, and supported by the vendor
  • 7.6.2 Operating systems on all practice devices are within vendor support lifecycle (no end-of-life OS in use on clinical devices)
  • 7.6.3 Automatic security updates and patches are applied to all devices and systems
  • 7.6.4 Antivirus or endpoint protection software is installed and active on all practice devices
  • 7.6.5 Practice Wi-Fi separates clinical and administrative networks from patient guest access
  • 7.6.6 Multi-factor authentication (MFA) is enabled for access to clinical software, email, and remote access systems
  • 7.6.7 Access to clinical systems is role-based and user accounts are deactivated promptly when staff leave
  • 7.6.8 Passwords are managed in accordance with current guidance (minimum complexity requirements; not shared between systems; not written on physical notes near devices)
  • 7.6.9 Patient data is not stored on personal devices unless encrypted and subject to a documented access policy
  • 7.6.10 The practice has a documented cybersecurity incident response procedure
  • 7.6.11 Staff have received cybersecurity awareness training in the past 24 months
  • 7.6.12 The practice is enrolled in My Health Record and meets its obligations for secure messaging in accordance with the Australian Digital Health Agency standards (where applicable)
  • 7.6.13 The practice has considered and documented its obligations under the Notifiable Data Breaches scheme

We manage system disruptions in a way that maintains continuity and patient safety.

Indicators

  • 7.7.1 A documented data backup procedure exists and is tested at defined intervals
  • 7.7.2 Backups are stored in a location separate from primary systems (including at least one offsite or cloud-based copy)
  • 7.7.3 The practice has a documented downtime procedure for when the practice management system is unavailable
  • 7.7.4 Staff are aware of the downtime procedure and know where to find it
  • 7.7.5 Clinical notes can be accessed (in read-only mode at minimum) during a system outage
  • 7.7.6 The practice has a documented process for restoring normal operations and reconciling data following a downtime event
  • 7.7.7 Hardware failures and system outages are logged and reviewed for patterns
  • 7.7.8 The practice has identified its IT support provider and has a current support contract or arrangement in place

We have plans to maintain safe operations and protect patient welfare when normal operations are disrupted.

Indicators

  • 7.8.1 A documented business continuity plan (BCP) exists for the practice
  • 7.8.2 The BCP identifies credible disruption scenarios relevant to the practice (e.g. extended power outage, premises unavailability, key staff absence, major system failure, natural disaster)
  • 7.8.3 The BCP assigns clear roles and responsibilities for each scenario
  • 7.8.4 The BCP includes procedures for contacting and managing patients affected by a disruption
  • 7.8.5 The BCP includes procedures for maintaining access to patient records during a disruption
  • 7.8.6 The BCP is reviewed at least annually and following any significant disruption event
  • 7.8.7 The practice has tested at least one element of the BCP (e.g. data restoration, downtime procedure) in the past 12 months
  • 7.8.8 Contact details for essential services (IT support, utilities, building manager, clinical waste contractor, locum agencies) are documented and accessible without relying on systems that may be affected by the disruption
  • 7.8.9 The practice has considered its obligations to patients with ongoing clinical needs in the event of an extended closure
  • 7.8.10 Critical physical infrastructure (power, heating/cooling, water) is assessed for risk and mitigation options are documented

Not sure what counts as evidence?

The evidence guide provides concrete examples of what evidence looks like at each maturity level for every indicator in this domain.

View Evidence Guide

Ready to assess your practice?

Rate your practice against every indicator in this domain using the self-assessment tables.

Self-Assessment Guide

Notes for Practice Managers

7.4 (Sterilisation) is the highest-stakes area in this domain for most specialist practices. An instrument reprocessing failure that results in patient exposure to blood-borne pathogens is a notifiable incident, triggers a patient notification exercise that can run to hundreds of letters, and creates significant reputational and medico-legal exposure. The two most common causes of reprocessing failures in Australian specialist practices are inadequate staff training (particularly in locum or cover arrangements) and the use of autoclaves that have never been formally validated. If your practice performs any invasive procedure - even minor ones like skin biopsy or intrauterine device insertion - this quality statement warrants close attention.

7.6 (Cybersecurity) is now a patient safety issue, not just an IT issue. In 2022 and 2023, several Australian healthcare providers experienced ransomware attacks that took clinical systems offline for weeks. The indicators in 7.6 are not aspirational - they reflect current baseline expectations from the Australian Digital Health Agency, the OAIC, and private health insurers with cybersecurity risk requirements. Multi-factor authentication (7.6.6) and role-based access controls (7.6.7) are the two changes that deliver the greatest risk reduction and cost the least to implement.

The Notifiable Data Breaches scheme (7.6.13) catches many practices off guard. Under the Privacy Act, a practice must notify both the OAIC and affected individuals within 30 days of becoming aware of an eligible data breach. Ransomware attacks, sending a clinical letter to the wrong address, and emailing a patient list to an unintended recipient all have the potential to trigger notification obligations. The OAIC's published guidance and the ADHA's breach response materials are the starting point.

7.7 (System Reliability) is not just about technology. The downtime procedure question (7.7.3) is one of the most revealing indicators in this domain. Most practices do not have a documented downtime procedure. When asked what would happen if the practice management system went down for a day, the honest answer is often "we would not know which patients had appointments, we could not access their records, and we would have no documented process for managing any of it." For a practice that sees 40 patients a day, that is not a trivial risk. A downtime procedure does not need to be complicated - it needs to be real, accessible, and known to the people who would need to use it.

7.8 (Business Continuity) is the domain most practices defer and the one most likely to matter suddenly. A flood, a burst pipe, an extended power outage, or the sudden unavailability of the principal practitioner all require the practice to have thought in advance about how it will respond. The most important element is not the document itself but the two questions it forces you to answer: who is responsible, and where are the contact details they will need when normal systems are unavailable?

Discuss this domain

Have a question about Practice Environment and Infrastructure? Join the SPQF community to discuss implementation, share evidence examples, and learn from other practices.

Join the Community
Evidence Guide All Resources
PDF Downloads: Framework Self-Assessment Evidence Guide
Previous
6. Workforce and Team Capability
Next
8. Continuous Improvement