Consumers can control their own eHealth record, including by choosing to restrict which healthcare provider organisations can access it and what information is included.
The Personally Controlled Electronic Health Records Act 2012 (PCEHR Act), the PCEHR Rules 2012 and the Personally Controlled Electronic Health Records Regulation 2012 create the legislative framework for the Australian Government’s eHealth record system.
The PCEHR Act limits when and how health information included in an eHealth record can be collected, used and disclosed. Unauthorised collection, use or disclosure of eHealth record information is both a contravention of the PCEHR Act and an interference with privacy.
The OAIC’s role in the eHealth record system
The Office of the Australian Information Commissioner (OAIC) regulates the handling of personal information under the eHealth record system by individuals, Australian Government agencies, private sector organisations and some state and territory agencies (in particular circumstances).
The OAIC’s role includes investigating complaints about the mishandling of health information in an individual’s eHealth record. The OAIC can also conduct ‘own motion investigations’.
The functions and enforcement powers available to the OAIC include:
- seeking a civil penalty from the Courts
- seeking an injunction to prohibit or require particular conduct
- accepting enforceable undertakings
- using existing Privacy Act 1988 investigative and enforcement mechanisms, including conciliation of complaints and making determinations
- accepting data breach notifications from the System Operator, repository operators and portal operators.
If an individual thinks their eHealth record has been mishandled, they should first complain to the healthcare provider or other entity that they think is at fault. If they are not satisfied with the response, an individual can complain to the System Operator (via the Medicare Call Centre: 1800 723 471), the OAIC or the state and territory regulator (if the healthcare provider is a state or territory entity).
To complain to the OAIC about the handling of an eHealth record, go to the Individuals section of this website.
Where can you get more information?
For more information about eHealth and privacy, and the OAIC’s role as the independent regulator of the privacy aspects of the eHealth record system, please watch our eHealth video presentation.
eHealth privacy fact sheets for consumers
- Privacy fact sheet 15: Ten tips for protecting the personal information in your eHealth record
- Privacy fact sheet 18: The OAIC and the eHealth record system
- Privacy fact sheet 19: How to manage your eHealth record
- Privacy fact sheet 20: Consent and the handling of personal information in your eHealth record
- Privacy fact sheet 21: Young people and the eHealth record system
- Privacy fact sheet 22: Medicare and your eHealth record
- Privacy fact sheet 23: Emergency access and your eHealth record
- The PCEHR (Information Commissioner Enforcement Powers) Guidelines 2013, which outline the Commissioner’s approach to enforcement issues under the eHealth record system, were made on 19 June 2013. The Guidelines are available on ComLaw.
- The Guide to mandatory data breach notification in the PCEHR system provides general guidance to help entities meet their mandatory data breach notification reporting obligations under the PCEHR Act.
More information about Healthcare Identifiers can be found on the Healthcare Identifiers page of this site.
Department of Health
Enquiries: 1800 723 471 (1800 PCEHR1)
Website: EHealth — Home