Office of the Australian Information Commissioner - Home

Australian Government - Office of the Australian Information Commissioner
Australian Government - Office of the Australian Information Commissioner

Main menu

Privacy fact sheet 19: How to manage your My Health Record

pdfPrintable version192.75 KB

March 2016

Australia’s My Health Record system has been designed to help you manage your health information. You can control what information is stored on your My Health Record and who has access to it. To control access to your record, you will need to adjust the privacy settings, known as ‘access controls’. This fact sheet looks at what access controls can be set and their effect. It also discusses the importance of communicating with your healthcare provider about your My Health Record.

What is a My Health Record?

A My Health Record is an online summary of your health information, such as medicines you are taking, any allergies you may have and treatments you have received. It was previously known as a Personally Controlled Electronic Health Record (PCEHR) or eHealth record.

Your My Health Record allows your doctors, hospitals and other healthcare providers (such as physiotherapists) to view your health information, in accordance with your access controls. You are also able to access it online yourself.

In most parts of Australia you need to actively register for a My Health Record. However, people whose registered Medicare address is in Northern Queensland or the Nepean Blue Mountains will have a My Health Record automatically created for them by the Australian Government. If you are registered as living in either of these areas and don’t want a My Health Record, you will need to opt-out by 27 May 2016.

You can use the postcode checker on the My Health Record website to see if your registered Medicare address is in one of these areas. If it is, you should also receive a letter and brochure from the Australian Government with further information.

This fact sheet is for everyone who already has or will soon have a My Health Record and anyone else who is thinking of registering for one. This includes people whose registered Medicare address is in Northern Queensland and the Nepean Blue Mountains region.

What are access controls?

Personal control is a central feature of the My Health Record system. If you choose to set up access controls, you can specify which healthcare providers and nominated representatives (e.g. your spouse) may access your record and which documents they can see.

If you do not set access controls, the default access controls will apply.

It is also important to talk to your healthcare providers about the type of information that is likely to be uploaded to your My Health Record. You should advise them if there is any record or class of records that you do not want uploaded.

What are the default access controls?

When you register for a My Health Record, the default access controls will automatically apply until you set advanced access controls.

The default access controls permit all healthcare providers involved in your care to access your My Health Record and the documents within it.  Healthcare providers can search for and access your record by providing the System Operator with specific details about you, such as your name, date of birth and Medicare number.

How do advanced access controls work?

Using the advanced access controls will allow you to limit access to the whole of your My Health Record and/or to limit access to specific documents within it.

It is important to note that access controls apply at a healthcare provider organisation level, not to individual healthcare providers. This means, for example, that if you receive treatment in a hospital, you grant access to the hospital rather than individual doctors or other staff.

If you restrict access to documents in your My Health Record, the healthcare provider organisations that uploaded those documents will still be able to access them.

For more information on managing access controls, go to the ‘Help’ section of your My Health Record.

Other ways you can exercise control over your My Health Record

Requesting that records not be uploaded

If there are specific records that you do not want uploaded to your My Health Record, you should tell your healthcare provider not to upload those records. They must comply with your request.

Blocking or removing healthcare providers that previously had access

If you want to block or remove a healthcare provider from having access to your My Health Record you can do so via the ‘Access List’.

The Access List provides a list of healthcare providers that have accessed your My Health Record and also allows you to cancel their access.

Removing records from your My Health Record

If a document has been uploaded to your My Health Record and you would like to have it removed, you can have it ‘effectively removed’.[1] This means it can no longer be viewed by you or any healthcare providers, even in an emergency. You can ask the healthcare provider who uploaded the document to remove it or you can remove it yourself by logging in to your My Health Record.

Turn off automatic checking for your My Health Record

Your healthcare provider’s information system may be able to automatically check whether you have a My Health Record.

You can choose to turn off this mechanism. If you do this, organisations will still be able to manually search the My Health Record system for your record.

Nominated and authorised representatives

A nominated representative is a person that you choose to give access to your My Health Record, such as a family member.

Nominated representatives have the same level of access to your information as you do, unless you restrict their access.

An authorised representative is a person who is assigned to act on behalf of another person in managing their My Health Record, for example a parent or legal guardian. They control how the My Health Record is managed and how the information is accessed.

Authorised representatives are entitled to do anything that the individual can do with respect to accessing and managing the individual’s My Health Record.

Emergency access

Healthcare providers are permitted to collect, use and disclose the information in your My Health Record if it is unreasonable or impracticable to obtain your consent and they reasonably believe that this is necessary to lessen or prevent a serious threat to your or another individual’s life, health or safety. They can also collect, use and disclose the information in your My Health Record without your consent if they reasonably believe that this is necessary to lessen or prevent a serious threat to public health or safety.

If these conditions are not met when emergency access is gained, the healthcare provider will be breaching the law and penalties may apply.

For more information on emergency access, please see the OAIC’s Privacy fact sheet 23: Emergency access and your My Health Record.

More information

For more information on protecting your privacy in the My Health Record system, please see the OAIC’s Privacy fact sheet 15: Ten tips for protecting the personal information in your My Health Record

For more information on the OAIC’s role in the My Health Record system, please see the OAIC’s Privacy fact sheet 18: The OAIC and the My Health Record system


Footnotes

[1] A document that has been ‘effectively removed’ will not be viewable on the individual’s My Health Record, but it may still be stored and accessible via the System Operator for medico-legal reasons or other reasons authorised or required by law.