Australian Government - Office of the Australian Information Commissioner

eHealth records

Since July 2012, Australians have been able to choose to register for their own personally controlled electronic health (eHealth) record. An eHealth record is an electronic summary of a person’s health information. Healthcare providers are able to add information about a consumer's health to their eHealth record, in accordance with the consumer's access controls. This may include information such as medical history and treatments, diagnoses, medications and allergies.

Consumers can control their own eHealth record, including by choosing to restrict which healthcare provider organisations can access it and what information is included.

The Personally Controlled Electronic Health Records Act 2012 (PCEHR Act), the PCEHR Rules 2012 and the Personally Controlled Electronic Health Records Regulation 2012 create the legislative framework for the Australian Government’s eHealth record system.

The PCEHR Act limits when and how health information included in an eHealth record can be collected, used and disclosed. Unauthorised collection, use or disclosure of eHealth record information is both a contravention of the PCEHR Act and an interference with privacy.

The OAIC’s role in the eHealth record system

The Office of the Australian Information Commissioner (OAIC) regulates the handling of personal information under the eHealth record system by individuals, Australian Government agencies, private sector organisations and some state and territory agencies (in particular circumstances).

The OAIC’s role includes investigating complaints about the mishandling of health information in an individual’s eHealth record. The OAIC can also conduct ‘own motion investigations’.

The functions and enforcement powers available to the OAIC include:

  • seeking a civil penalty from the Courts
  • seeking an injunction to prohibit or require particular conduct
  • accepting enforceable undertakings
  • using existing Privacy Act 1988 investigative and enforcement mechanisms, including conciliation of complaints and making determinations
  • accepting data breach notifications from the System Operator, repository operators and portal operators.


If an individual thinks their eHealth record has been mishandled, they should first complain to the healthcare provider or other entity that they think is at fault. If they are not satisfied with the response, an individual can complain to the System Operator (via the Medicare Call Centre: 1800 723 471), the OAIC or the state and territory regulator (if the healthcare provider is a state or territory entity).

To complain to the OAIC about the handling of an eHealth record, go to the Individuals section of this website.

Where can you get more information?

For more information about eHealth and privacy, and the OAIC’s role as the independent regulator of the privacy aspects of the eHealth record system, please watch our eHealth video presentation.

eHealth privacy fact sheets for consumers

OAIC Guidelines

Healthcare Identifiers

More information about Healthcare Identifiers can be found on the Healthcare Identifiers page of this site.

Department of Health

Enquiries: 1800 723 471 (1800 PCEHR1)

Website: EHealth — Home