Privacy business resource 6: Healthcare identifiers and the eHealth record system

Updated September 2014

The aim of this resource is to set out the role of healthcare identifiers in the personally controlled electronic health record system (the eHealth record system). This advice is for anyone using or considering using healthcare identifiers and eHealth records.

Information about compliance obligations under the healthcare identifiers system is available on the website of the Office of the Australian Information Commissioner (OAIC).

The role of healthcare identifiers under the eHealth record system

The Healthcare Identifiers (HI) Service issues three kinds of healthcare identifiers: identifiers for individual healthcare consumers (IHIs) and identifiers for healthcare provider individuals (HPI-Is) and organisations (HPI-Os).

Under the eHealth record system, healthcare identifiers are used to:

  • Identify the patient whose eHealth record you wish to access. You can gain access to an individual’s eHealth record by using the individual’s IHI. Sometimes the IHI will be sufficient; at other times further information may also be required, such as the patient’s access code or additional identifying information.
  • Help ensure that the right health information is associated with the right individual’s eHealth record by associating their IHI with clinical documents.

Healthcare providers, individuals and their representatives must have and use their own healthcare identifier to participate in the eHealth record system.

Relevant laws

Healthcare identifiers and the eHealth record system are regulated by the Healthcare Identifiers Act 2010 (HI Act) and the Personally Controlled Electronic Health Records Act 2012 (PCEHR Act).

The OAIC regulates the handling of IHIs by all entities and regulates the handling of personal information under the eHealth record system by Commonwealth government agencies, private sector organisations and some state and territory bodies in particular circumstances.

IHIs are automatically issued to all Australians who are registered with Medicare. The eHealth record system, on the other hand, is an opt-in system, and people may later opt out if they choose.

An IHI may only be collected, used and disclosed for purposes authorised under the HI Act and information in a patient’s eHealth record may only be collected, used and disclosed for purposes authorised under the PCEHR Act. Authorised purposes under both Acts are broadly similar and both allow the information to be collected, used and disclosed to provide healthcare to the patient.[1]

The HI Act and Healthcare Identifiers Regulations 2010 contain criminal penalties and the PCEHR Act contains civil penalties for breaches of the penalty provisions. The Information Commissioner may accept undertakings from a person to take or refrain from specific action in order to comply with the PCEHR Act, and may apply to a Court for enforcement of those undertakings. The Information Commissioner can also apply to a Court for an injunction to restrain a person from engaging in conduct or require a person to do something, to prevent a contravention of the PCEHR Act.

The information provided in this resource is of a general nature. It is not a substitute for legal advice.

For further information

telephone: 1300 363 992
write: GPO Box 5218, Sydney NSW 2001
Or visit our website at


[1] The relevant sections of the HI Act are Division 3 and Division 4. The relevant section of the PCEHR Act is Part 4.