Australian Government - Office of the Australian Information Commissioner - Home

My Health Records

On 15 November 2018, the Minister for Health announced that the opt-out period would be extended until 31 January 2019. The OAIC’s resources have now been amended to reflect that.

My Health Record is an Australian Government initiative which aims to provide secure online summaries of individuals’ health information. A My Health Record allows an individual’s doctors, hospitals and other healthcare providers to view the individual’s health information, in accordance with their access controls. Individuals are also able to access their record online.

The My Health Record system opt-out period commenced on 16 July 2018, and you now have until 31 January 2019 to advise the Australian Digital Health Agency if you do not want a My Health Record to be automatically created for you. Although the My Health Record system has previously been a self-register model, every individual with a Medicare or Department of Veterans’ Affairs card who does not already have a record will now be automatically registered to have a My Health Record, unless they choose not to have one.

For further information about the My Health Record and what to do if you don’t want a record created, visit the My Health Record website or call the My Health Record Help line on 1800 723 471. You can also read the OAIC’s opt-out FAQs below.

FAQs — Opt-out period 2018

How can I opt-out of having a My Health Record created for me?

From 16 July 2018 to 31 January 2019 you can opt-out online or by phone. For further information about the My Health Record system and what to do if you don’t want a record created, visit the My Health Record website or call the My Health Record Help line on 1800 723 471.

What do I need to consider when deciding whether to opt-out?

It is your choice whether you want to have a My Health Record. You should make yourself aware of the potential benefits of having a My Health Record.

It is important to understand that if you have a My Health Record, your health information may be uploaded to that Record and viewed by other health practitioners. If you have any concerns, or would like to discuss whether a My Health Record is right for you, please speak to your healthcare provider.

You may also wish to consider:

What information will be in a My Health Record when it is created?

The first time you or your healthcare provider access your My Health Record there may be little or no information in it. Two years’ worth of your Medicare information will, by default, be automatically included in your My Health Record unless you give notice not to include it.

The upload of Medicare information will be triggered the first time someone accesses your My Health Record – this could be either you or your healthcare provider (whoever does so first). If you choose, you can remove this information after you log in. Your previous medical history such as older tests and medical reports will not be in your My Health Record (unless they are added in future by a healthcare practitioner).

After your My Health Record is created, healthcare providers can add clinical documents about your health over time. This may include:

  • an overview of your health uploaded by your doctor, called a Shared Health Summary
  • hospital discharge summaries
  • reports from tests and scans, like blood tests
  • medications that your doctor has prescribed to you; and
  • referral letters from your doctor(s).

Can I choose what goes into my record?

If you do not opt-out and have a My Health Record created for you, you are assumed to have given a standing, or ongoing, consent to records containing your health information being uploaded to your record by healthcare providers involved in your care, in accordance with any access controls you have put in place. There is no general requirement for your healthcare provider to obtain your consent on each occasion prior to uploading clinical information to your My Health Record. There is also no general requirement for you to review clinical information prior to it being uploaded.

This is subject to two important exceptions:

  • where you have told your healthcare provider that a particular record, all records, or a specific class of records must not be uploaded
  • where certain laws of a State or Territory require that consent to upload particular health information be given expressly or in a particular way.

If you want to restrict a particular record, all records or a specified class of records from being included in your record, you should discuss this issue with your healthcare provider.

You can exercise further control over your record, such as controlling which healthcare providers have access to your My Health Record, by changing your privacy settings, known as ‘access controls’ — for more information please see the OAIC’s Privacy fact sheet 19: How to manage your My Health Record or the Australian Digital Health Agency’s information sheet Keeping your healthcare information secure: Simple security and privacy tips.

Who will be able to view my My Health Record?

Healthcare Providers

Healthcare providers, such as doctors, physiotherapists and pharmacists, will be able to view the information in your My Health Record for the purpose of providing you healthcare, subject to any access controls you put in place. It is important to remember that if you don’t log in and set up access controls, by default, all healthcare providers will be able to upload information relevant to your care.

Nominated and authorised representatives

You may want to allow someone else access to your My Health Record, such as a carer, family member or trusted friend. If so, you can appoint them as a nominated representative. All nominated representatives must act in accordance with your will and preferences.

An authorised representative is someone who can manage a My Health Record on someone's behalf. The My Health Record owner may be the authorised representative’s child, an incapacitated adult, or someone of any age who, for whatever reason, cannot manage their own My Health Record.

Other permitted entities

There are limited circumstances where your health information may be accessed by healthcare providers, the Australian Digital Health Agency or other registered entities for reasons other than for your healthcare, including:

  • For the management of the My Health Record system
  • Where it is necessary to lessen or prevent a serious threat to an individual’s life, health or safety and it is unreasonable or impracticable to obtain your consent
  • Where it is necessary to lessen or prevent a serious threat to public health or public safety
  • Where it is authorised by law
  • For purposes relating to a healthcare provider’s indemnity cover
  • To comply with a court or tribunal order
  • For law enforcement purposes.

Secondary use of My Health Record data

By default, de-identified information extracted from your My Health Record may be provided to third parties, such as medical researchers, for purposes other than your healthcare. You can choose not to have your de-identified data used for secondary purposes by selecting the ‘withdraw participation’ function in your My Health Record. Your identified personal information in your My Health Record cannot be used for secondary purposes without your consent. For more information see the Framework to guide the secondary use of My Health Record system data.

Penalties

There are laws and serious penalties in place to protect your personal health information. There are both civil (fines of up to $540,000) and criminal (up to two years’ imprisonment) penalties for any unauthorised collection, use or disclosure of information contained in the My Health Record system. For example, information in your My Health Record is not permitted to be cross-referenced with Centrelink and Tax Office data, accessed by your employer or accessed by your insurance company.

You can complain to the OAIC if you believe that the personal information in your My Health Record may have been mishandled. For more information on how to make a complaint, go to the OAIC’s privacy complaints page.

What are access controls? How do I set them up?

By default, documents in your My Health Record are set to general access for healthcare providers. You can change your access controls at any time by logging into your My Health Record.

You have the option to exercise controls around who can or can’t see your health information. The changes to privacy and security controls you can make are:

  • setting a Record Access Code to give access only to selected healthcare providers
  • controlling access to specific documents, to limit who can view them
  • giving access to a nominated representative such as a family member, close friend or carer
  • ‘effectively removing’ (or deleting) a document so that it is not visible to your treating healthcare providers.

For more information about how to set up your access controls see the My Health Record website.

If a My Health Record is created for me, what can I do to help keep my information secure?

  • Be aware of the different access settings available to you.
  • Consider setting up advanced access controls and an ‘access code’. Set up notifications so that you will receive an SMS or email when someone new accesses your My Health Record.
  • Read the privacy notices and policies of your healthcare providers and the Australian Digital Health Agency.
  • Talk to your healthcare providers regularly about what information they will be adding to and accessing from your My Health Record. Ask how they will involve you in this process.
  • Know your privacy rights when it comes to having a nominated or authorised representative.
  • Check your My Health Record Access History regularly for unexpected or unauthorised access to your record.
  • Check your My Health Record regularly to ensure that the documents it contains are kept accurate, up-to-date and complete.
  • Keep your My Health Record secure, including by protecting your password and only accessing your record from a secure device.
  • Exercise your privacy rights.
  • Remember you can choose to opt-out any time between 16 July 2018 and 31 January 2019, or cancel your record any time after it has been created for you.

For an extended version of these tips see Privacy fact sheet 15: Tips for protecting the personal information in your My Health Record.

For more information, see the OAIC’s Privacy fact sheet 19: How to manage your My Health Record and Australian Digital Health Agency’s guide to Keeping your healthcare information secure.

What happens if I didn’t opt-out, and a record was created for me? Can it be deleted?

You can cancel your My Health Record at any time, which will mean that it cannot be accessed by you or your healthcare providers. However, it cannot be removed or deleted entirely from the My Health Record system.

This is because the Australian Digital Health Agency is required to retain all records uploaded to the My Health Record system for a period of 30 years after the death of the record owner. However, once you cancel your record, your information is securely held in the My Health Record system and cannot be accessed except in specific circumstances.

You can cancel your existing My Health Record online through the Consumer Portal, or request cancellation by phone or in writing. If you had a record created for you as part of the opt-out trial, you can cancel your My Health Record yourself online by linking it to your existing MyGov account, entering the record and selecting ‘Cancel’ in your My Health Record.

For more information on the My Health Record system:


Visit Privacy and the My Health Record System

More information can be found in the My Health Record system section of this website.