Australian Government - Office of the Australian Information Commissioner

Privacy fact sheet 20: Consent and the handling of personal information in your My Health Record

Note: This fact sheet does not apply to people living in the Northern Queensland and Nepean Blue Mountains areas.

March 2016

In most parts of Australia you need to actively decide to register for a My Health Record, which means that you must consent to having a My Health Record before one can be established. However, people whose registered Medicare address is in one of two areas — Northern Queensland and Nepean Blue Mountains in NSW — will have a My Health Record automatically created for them by the Department of Health, unless they tell the Department that they do not want one.

This fact sheet is for people whose registered Medicare address is in areas of Australia outside Northern Queensland and Nepean Blue Mountains in NSW. The fact sheet sets out what you are consenting to when you register for a My Health Record, and in what situations further consent may need to be sought. It also discusses the meaning of consent.

What is a My Health Record?

A My Health Record is an online summary of your health information, such as medicines you are taking, any allergies you may have and treatments you have received. It was previously known as a Personally Controlled Electronic Health Record (PCEHR) or eHealth record.

Your My Health Record allows your doctors, hospitals and other healthcare providers (such as physiotherapists) to view your health information, in accordance with your access controls. You are also able to access it online yourself.

In most parts of Australia you need to actively register for a My Health Record. However, people whose registered Medicare address is in Northern Queensland or the Nepean Blue Mountains will have a My Health Record automatically created for them by the Australian Government. If you are registered as living in either of these areas and don’t want a My Health Record, you will need to opt-out by 27 May 2016.

You can use the postcode checker on the My Health Record website to see if your registered Medicare address is in one of these areas. If it is, you should also receive a letter and brochure from the Australian Government with further information.

What are you consenting to?

When you register for a My Health Record, you are required to give a standing, or ongoing, consent to records containing your health information being uploaded to your record by healthcare providers involved in your care.

This is subject to two important exceptions:

  • where you have told your healthcare provider that a particular record, all records, or a specific class of records must not be uploaded
  • where certain laws of a State or Territory require that consent to upload particular health information be given expressly or in a particular way.

When registering for a My Health Record, you will also be asked whether you consent to the inclusion of certain types of Medicare information. For more information, please see the OAIC’s Privacy fact sheet 22: Medicare and your My Health Record.

If you want to restrict a particular record, all records or a specified class of records from being included in your record, you should discuss this issue with your healthcare provider.

You can exercise further control over your record, such as controlling which healthcare providers have access to your My Health Record, by changing your privacy settings, known as ‘access controls’ — for more information please see the OAIC’s Privacy fact sheet 19: How to manage your My Health Record.

Providing consent

When you register for a My Health Record, you are required to give a standing consent for the upload of documents to your record as a condition of registration. For your consent to be valid, four key elements should be satisfied:

  • you must be adequately informed before giving consent
  • it must be provided voluntarily
  • it must be current and specific
  • you must have the capacity to understand and communicate your consent.[1]

If you are considering whether or not to register for a My Health Record you should consider what it means to ‘consent’ to information being uploaded to your record.

It is important for you to educate yourself about the My Health Record system, including what sort of personal information may be stored on a record and who can access it. If there are specific records that you do not want uploaded to your record, you should tell your healthcare provider not to upload the records, and they must not do so. If you do not say otherwise, you are considered to have consented to the inclusion of information in your My Health Record.

If you change your mind and don’t want a document that has been uploaded to your My Health Record to be included in your record, you can:

  • restrict access to the document using the advanced access control settings on your record
  • ask the healthcare provider who uploaded the document to edit or delete it, or
  • remove the document yourself by logging in to your record.

State and territory legislation

The My Health Records Act 2012 (My Health Records Act) recognises that under some state and territory laws consent must be given expressly, or in a particular way, before information related to specific areas of health is disclosed.

The state and territory laws which have specific consent requirements regarding the disclosure of health information are listed in clause 3.1.1 of the My Health Records Regulation 2012. If a state or territory law is listed in this clause, then the consent requirements of those laws overrule the standing, or ongoing, consent model of the My Health Record.

More information

For more information on protecting your privacy, please see the OAIC’s Privacy fact sheet 15: Ten tips for protecting the personal information in your My Health Record.

For more information on the OAIC’s role in the My Health Record system, please see the OAIC’s Privacy fact sheet 18: The OAIC and the My Health Record system.


Footnotes

[1] For more information see Office of the Australian Information Commissioner, ‘Key Concepts’, Australian Privacy Principles Guidelines, April 2015.

For further information

telephone: 1300 363 992

email: enquiries@oaic.gov.au

write: GPO Box 5218, Sydney NSW 2001

Or visit our website at www.oaic.gov.au