21 October 2021

The independent privacy regulator for the My Health Record system and Healthcare Identifiers Service has detailed its compliance and monitoring activity in its 2020–21 digital health annual report.

The Office of the Australian Information Commissioner (OAIC) regulates the privacy provisions contained in the My Health Records Act 2012 and the Healthcare Identifiers Act 2010.

Australian Information Commissioner and Privacy Commissioner Angelene Falk said the annual report highlights the OAIC’s work to ensure privacy measures for Australia’s digital health systems are upheld.

“Over the past year my office has worked proactively to regulate the protection and security of the personal information at the core of both the My Health Record system and the Healthcare Identifiers Service,” Commissioner Falk said.

“We have used our investigative and assessment functions to make sure health service providers are aware of and uphold their obligations to protect the personal information of Australians.

“Digital innovation in the health sector has the power to improve health outcomes for Australians.

“Compliance with strict privacy controls is key to public trust and confidence in digital health services and realising this potential.”

During the reporting period, the OAIC provided detailed privacy advice to stakeholders such as the Australian Digital Health Agency and Department of Health, including a submission to the review of the My Health Records Act. It also developed and promoted guidance for providers and individuals, including new resources about the My Health Record emergency access function and guidance for healthcare providers on rule 42.

The OAIC completed three audits of regulated entities in the digital health sector, including assessments of pathology and diagnostic imaging services, and two mobile health applications. The regulator also commenced an assessment of 300 general practitioners’ compliance with the requirement in the My Health Records Act to have an access security policy.

In 2020–21, the OAIC received and finalised seven complaints in relation to the My Health Records system, and received and finalised one complaint relating to the Healthcare Identifier Service. The OAIC was notified of two data breaches involving the My Health Record system.

Read the Annual report of the Australian Information Commissioner’s activities in relation to digital health 2020–21.

Key 2020–21 statistics

My Health Record

  • Finalised one Commissioner-initiated investigation
  • Completed 3 privacy assessments, commenced an additional privacy assessment
  • Finalised 7 privacy complaints
  • Finalised 2 data breach notifications
  • Received 11 enquiries
  • Received 7 complaints
  • Received 3 data breach notifications
  • Finalised one privacy complaint
  • Received 2 enquiries
  • Received one privacy complaint.

Healthcare Identifier Service

  • Finalised one privacy complaint
  • Received 2 enquiries
  • Received one privacy complaint.