A My Health Record allows an individual’s doctors, hospitals and other healthcare providers (such as physiotherapists) to view the individual’s health information, in accordance with their access controls. Individuals are also able to access their record online.
In most parts of Australia, individuals need to actively register for a My Health Record. However, people whose registered Medicare address is in Northern Queensland or the Nepean Blue Mountains will have a My Health Record automatically created for them by the Australian Government unless they have opted out by 27 May 2016.
The My Health Records Act limits when and how health information included in a My Health Record can be collected, used and disclosed. Unauthorised collection, use or disclosure of My Health Record information is both a breach of the My Health Records Act and an interference with privacy.
The OAIC’s role in the My Health Record system
The Office of the Australian Information Commissioner (OAIC) regulates the handling of personal information under the My Health Record system by individuals, Australian Government agencies, private sector organisations and some state and territory agencies (in particular circumstances).
The OAIC’s role includes investigating complaints about the mishandling of health information in an individual’s My Health Record. The OAIC can also conduct ‘Commissioner initiated investigations’.
The functions and enforcement powers available to the OAIC under the My Health Records Act and Privacy Act 1988 include:
- investigating and conciliating complaints
- accepting enforceable undertakings
- making determinations
- seeking an injunction to prohibit or require particular conduct
- seeking a civil penalty from the Courts
- accepting mandatory data breach notifications from the System Operator, healthcare provider organisations, repository operators and portal operators
If an individual thinks that information in their My Health Record has been mishandled, they should first complain to the healthcare provider or other entity that they think is at fault. If they are not satisfied with the response, an individual can complain to the System Operator (via the Medicare Call Centre: 1800 723 471), the OAIC or the state and territory regulator (if the healthcare provider is a state or territory entity).
To complain to the OAIC about the handling of a My Health Record, go to the Individuals section of this website.
Where can you get more information?
For more information about healthcare providers’ responsibilities under the My Health Record system, and the OAIC’s role as the independent regulator of the privacy aspects of the system, please watch our video presentation.
My Health Record privacy fact sheets for consumers
The OAIC has developed fact sheets for individuals about the My Health Record system. Fact sheets 46 and 47 only apply to individuals whose registered Medicare address is in Northern Queensland or the Nepean Blue Mountains areas, while fact sheets 20 and 21 apply to individuals who live in parts of Australia that do not include Northern Queensland and the Nepean Blue Mountains.
Fact sheets 15, 18, 19, 22 and 23 apply to everyone who has a My Health Record or is considering whether to register for one.
- Privacy fact sheet 15: Ten tips for protecting the personal information in your My Health Record
- Privacy fact sheet 18: The OAIC and the My Health Record system
- Privacy fact sheet 19: How to manage your My Health Record
- Privacy fact sheet 20: Consent and the handling of personal information in your My Health Record (this fact sheet does not apply to people living in the Northern Queensland and Nepean Blue Mountains areas)
- Privacy fact sheet 21: Young people and the My Health Record system (this fact sheet does not apply to people living in the Northern Queensland and Nepean Blue Mountains areas)
- Privacy fact sheet 22: Medicare and your My Health Record
- Privacy fact sheet 23: Emergency access and your My Health Record
- Privacy fact sheet 46: My Health Record system – What to expect in Northern Queensland and Nepean Blue Mountains
- Privacy fact sheet 47: Young people and the My Health Record system (Northern Queensland and Nepean Blue Mountains)
- The My Health Records (Information Commissioner Enforcement Powers) Guidelines 2016, which outline the Commissioner’s approach to enforcement under the My Health Record system, were made on 18 March 2016. The Guidelines are available on the Federal Register of Legislation.
- The Guide to mandatory data breach notification in the PCEHR system provides general guidance to help entities meet their mandatory data breach notification reporting obligations under the My Health Records Act. These guidelines currently use the term ‘PCEHR’. PCEHR means a My Health Record, formerly a “Personally Controlled Electronic Health Record”, within the meaning of the My Health Records Act 2012 (Cth) (formerly called the Personally Controlled Electronic Health Records Act 2012 (Cth)).
More information about Healthcare Identifiers can be found on the Healthcare Identifiers page of this site.
Department of Health
Enquiries: 1800 723 471