Skip to main content
Skip to secondary navigation
Menu
Australian Government - Office of the Australian Information Commissioner - Home

Privacy fact sheet 19: How to manage your My Health Record

Australia’s My Health Record system has been designed to help you manage your health information. You can control what information is stored on your My Health Record and who has access to it. To control access to your record, you will need to adjust the privacy settings, known as ‘access controls’. This fact sheet looks at what access controls can be set and what they do. It also discusses the importance of communicating with your healthcare provider about your My Health Record.

What is a My Health Record?

A My Health Record is an online summary of your health information, such as medicines you are taking, any allergies you may have and treatments you have received. It was previously known as a Personally Controlled Electronic Health Record (PCEHR) or eHealth record.

Your My Health Record allows your doctors, hospitals and other healthcare providers (such as physiotherapists) to view your health information, in accordance with your access controls. You are also able to access it online yourself.

The My Health Record system opt-out period commenced on 16 July 2018, and you now have until 31 January 2019 to advise the Australian Digital Health Agency if you do not want a My Health Record to be automatically created for you. Although the My Health Record system has previously been a self-register model, every individual with a Medicare or Department of Veterans’ Affairs card who does not already have a record will now be automatically registered to have a My Health Record, unless they choose not to have one.

For further information about the My Health Record and what to do if you don’t want a record created, visit the My Health Record website or call the My Health Record helpline on 1800 723 471. You can also read the OAIC’s opt-out FAQs.

What are access controls?

Personal control is a central feature of the My Health Record system. If you choose to set up access controls, you can specify which healthcare providers and nominated representatives (e.g. your spouse) may access your record and which documents they can see.

If you do not set access controls, the default access controls will apply.

It is also important to talk to your healthcare providers about the type of information that is likely to be uploaded to your My Health Record. You should advise them if there is any record or class of records that you do not want uploaded.

What are the default access controls?

When you register for a My Health Record, the default access controls will automatically apply until you set advanced access controls.

The default access controls permit all healthcare providers involved in your care to access your My Health Record and the documents within it. Healthcare providers can search for and access your record by providing the System Operator (the Australian Digital Health Agency) with specific details about you, such as your name, date of birth and Medicare number.

How do advanced access controls work?

Using the advanced access controls will allow you to limit access to the whole of your My Health Record and/or to limit access to specific documents within it.

It is important to note that access controls apply at a healthcare provider organisation level, not to individual healthcare providers. This means, for example, that if you receive treatment in a hospital, you grant access to the hospital rather than individual doctors or other staff.

If you restrict access to documents in your My Health Record, the healthcare provider organisations that uploaded those documents will still be able to access them.

For more information on managing access controls, go to the ‘Help’ section of your My Health Record or the My Health Record information sheet: Keeping your healthcare information secure: Simple security and privacy tips.

Other ways you can exercise control over your My Health Record

Requesting that records not be uploaded

If there are specific records that you do not want uploaded to your My Health Record, you should tell your healthcare provider not to upload those records. They must comply with your request.

Blocking or removing healthcare providers that previously had access

If you want to block or remove a healthcare provider from having access to your My Health Record you can do so via the ‘Access List’.

The Access List provides a list of healthcare providers that have accessed your My Health Record and also allows you to cancel their access.

Removing records from your My Health Record

If a document has been uploaded to your My Health Record and you would like to have it removed, you can have it ‘effectively removed’.[1] This means it can no longer be viewed by you or any healthcare providers, even in an emergency. You can ask the healthcare provider who uploaded the document to remove it or you can remove it yourself by logging in to your My Health Record.

Set up Notifications

You can monitor access to your My Health Record by choosing to receive notifications by email or SMS. You can set up notifications by logging into your My Health Record and selecting ‘Profile and Settings’. You can choose to be automatically notified of the following:

  • A healthcare organisation (for example a hospital or medical practice) opens your My Health Record for the first time
  • A healthcare provider opens your My Health Record in an emergency
  • A new shared health summary is uploaded to your My Health Record
  • Advance care planning document changes (added/removed/reinstated) occur on your My Health Record
  • A Nominated Representative (for example someone you have permitted to access this My Health Record) opens your record
  • Someone new is able to access your My Health Record

It is important to note that you will not be able to receive notifications when a healthcare provider uploads a new document to your record (other than a Shared Health Summary). For this reason, you should regularly login and check your ‘Access History’ which will display any documents that have been uploaded and the name of the organisation that uploaded the document.

Nominated and authorised representatives

A nominated representative is a person that you choose to give access to the information in your My Health Record, such as a family member.

Nominated representatives have the same level of access to your information as you do, unless you restrict their access.

An authorised representative is a person who is assigned to act on behalf of another person in managing their My Health Record, for example a parent or legal guardian. They control how the My Health Record is managed and how the information is accessed.

Authorised representatives are entitled to do anything that the individual can do with respect to accessing and managing the individual’s My Health Record.

Emergency access

Healthcare providers are permitted to collect, use and disclose the information in your My Health Record if it is unreasonable or impracticable to obtain your consent and they reasonably believe that this is necessary to lessen or prevent a serious threat to your or another individual’s life, health or safety. They can also collect, use and disclose the information in your My Health Record without your consent if they reasonably believe that this is necessary to lessen or prevent a serious threat to public health or safety.

If these conditions are not met when emergency access is gained, the healthcare provider will be breaching the law and penalties may apply.

For more information on emergency access, please see the OAIC’s Privacy fact sheet 23: Emergency access and your My Health Record.

More information

For more information on protecting your privacy in the My Health Record system, please see the OAIC’s Privacy fact sheet 15: Tips for protecting the personal information in your My Health Record.

For more information on the OAIC’s role in the My Health Record system, please see the OAIC’s Privacy fact sheet 18: The OAIC and the My Health Record system.

Footnotes

[1] A document that has been ‘effectively removed’ will not be viewable on the individual’s My Health Record, but it may still be stored and accessible via the Australian Digital Health Agency for medico-legal reasons or other reasons authorised or required by law.