Since July 2012, Australians have been able to choose to register for their own personally controlled electronic health (eHealth) record.
An eHealth record is an electronic summary of a person’s health information. Healthcare providers are able to add a consumer's health records to their eHealth record, in accordance with the access controls the consumer has set. This may include information such as medical history and treatments, diagnoses, medications and allergies.
You can control your own eHealth record, including by choosing to restrict which healthcare provider organisations can access it and what information is included.
The Personally Controlled Electronic Health Records Act 2012 (PCEHR Act), the PCEHR Rules 2012 and the Personally Controlled Electronic Health Records Regulation 2012 create the legislative framework for the Australian Government’s eHealth record system.
The PCEHR Act limits when and how health information included in an eHealth record can be collected, used and disclosed. Unauthorised collection, use or disclosure of eHealth record information is both a contravention of the PCEHR Act and an interference with privacy.
Follow these tips to protect your eHealth record:
- Read the terms and conditions carefully before you opt-in.
- Be aware of the different access settings available to you.
- Consider setting up advanced access controls and an ‘access code’.
- Read the privacy notices and policies of your healthcare providers and the eHealth record System Operator.
- Talk to your healthcare providers regularly about what information they will be adding to and accessing from your eHealth record. Ask how they will involve you in this process.
- Know your privacy rights when it comes to having a nominated or authorised representative.
- Check your eHealth record audit trail regularly for unexpected or unauthorised access to your record.
- Check your eHealth record regularly to ensure that the documents it contains are kept accurate, up-to-date and complete.
- Keep your eHealth record secure, including by protecting your password and only accessing your record from a secure device.
- Exercise your privacy rights.
- Remember you can choose to opt-out at any time.
For an extended version of these tips see Privacy fact sheet 15: Ten tips for protecting the personal information in your eHealth record.
Healthcare providers should be aware of the following:
- Know your obligations under the PCEHR Act: there are serious penalties if you don’t comply.
- Understand that while there are new obligations for information stored on the eHealth record system, you must continue to comply with your current legal obligations.
- Develop robust processes for handling eHealth records and ensure staff are adequately trained to follow them.
- Tell your patients about what information you intend to add to and access from their eHealth record and explain what you will do with the information.
- Ensure that you do not collect more information from an eHealth record than is necessary.
- Collect, use and disclose information in a patient’s eHealth record only for the limited and authorised purposes allowed under the eHealth record system.
- Know how the eHealth record system can be used in an emergency situation.
The OAIC’s role in the eHealth record system
The Office of the Australian Information Commissioner (OAIC) regulates the handling of personal information under the eHealth record system by individuals, Australian Government agencies, private sector organisations and some state and territory agencies (in particular circumstances).
The OAIC’s role includes investigating complaints about the mishandling of health information in an individual’s eHealth record. The OAIC can also conduct ‘own motion investigations’.
The functions and enforcement powers available to the OAIC include:
- seeking a civil penalty from the Courts
- seeking an injunction to prohibit or require particular conduct
- accepting enforceable undertakings
- using existing Privacy Act 1988 investigative and enforcement mechanisms, including conciliation of complaints and formal determinations
- accepting data breach notifications from the System Operator, repository operators and portal operators.
If an individual thinks their eHealth record has been mishandled, they should first complain to the healthcare provider or other entity that they think is at fault. If they are not satisfied with the response, an individual can complain to the System Operator (via the Medicare Call Centre: 1800 723 471), the OAIC or the state and territory regulator (if the healthcare provider is a state or territory entity).
To complain to the OAIC about the handling of an eHealth record, go to the complaints section of this website.
Where can you get more information?
For more information about eHealth and privacy, and the OAIC’s role as the independent regulator of the privacy aspects of the eHealth record system, please watch our eHealth video presentation [http://www.youtube.com/watch?v=9Oh9Rx1H3fs&feature=youtu.be].
eHealth privacy fact sheets for consumers
- Privacy fact sheet 15: Ten tips for protecting the personal information in your eHealth record
- Privacy fact sheet 18: The OAIC and the eHealth record system
- Privacy fact sheet 19: How to manage your eHealth record
- Privacy fact sheet 20: Consent and the handling of personal information in your eHealth record
- Privacy fact sheet 21: Young people and the eHealth record system
- Privacy fact sheet 22: Medicare and your eHealth record
- Privacy fact sheet 23: Emergency access and your eHealth record
- The PCEHR (Information Commissioner Enforcement Powers) Guidelines 2013, which outline the Commissioner’s approach to enforcement issues under eHealth, were made on 19 June 2013. The Guidelines are available on Comlaw.
- For information about the consultation process for the PCEHR (Information Commissioner Enforcement Powers) Guidelines 2013 please see the Draft Enforcement Guidelines.
- The Draft Mandatory Breach Notification Guide provides general guidance to help entities meet their mandatory data breach notification reporting obligations under the PCEHR Act.
More information about Healthcare Identifiers can be found on the Healthcare Identifiers page of this site.
Department of Health
Enquiries: 1800 723 471 (1800 PCEHR1)
eHealth learning centre: http://publiclearning.ehealth.gov.au/