My Health Record emergency access function FAQs and flowchart
Frequently asked questions
When can I use the emergency access function to access a patient’s My Health Record?
You may need to override a patient’s My Health Record access controls to obtain key health information in certain emergency situations.
However, it is expected that the need to use the emergency access function will be rare. You can only override a patient’s access controls to collect, use or disclose health information contained in their My Health Record where you reasonably believe that:
- it is necessary to lessen or prevent a serious threat to an individual’s life, health or safety, and it is unreasonable or impracticable to obtain the healthcare recipient’s consent, or
- it is necessary to lessen or prevent a serious threat to public health or safety.
Unless these requirements are met, you can generally only access a patient’s My Health Record in accordance with the access controls they have in place for the purpose of providing healthcare. Otherwise, you may be breaching the law and penalties may apply.
Your organisation will be granted emergency access for 5 days. You will need to maintain accurate records of the circumstances that triggered your use of the emergency access function, so that you can refer to this information if further information is requested (e.g., to respond to a patient enquiry or a request for information by the Australian Digital Health Agency or the Office of the Australian Information Commissioner (OAIC)).
If I work in an emergency department, can I use the emergency access function for all patients?
Working in an emergency department does not automatically authorise you to use the emergency access function for your patients. Regardless of where you work, you must ensure that the requirements for using the emergency access function have been met.
However, most patients do not have access controls in place, and you will be able to view their record in the normal course of using the My Health Record system.
What information can I view using the emergency access function?
The emergency access function overrides any access controls set by the patient. Your organisation will have access to all your patient’s My Health Record information when you use the emergency access function, except for deleted information, hidden documents, and personal health notes.
Note: As most patients don’t have any restricted information, additional information may not be available.
What should I do if I have used the emergency access function in error or in an unauthorised way?
A data breach occurs when someone has collected, used or disclosed information without authorisation or something has happened to compromise the security or integrity of the My Health Record system. This includes where the emergency access function has been used by mistake, or other circumstances where the requirements for using the function have not been met. If you know or suspect a My Health Record data breach has occurred your organisation must take certain steps:
- Contain the breach
- Evaluate any risks associated with the breach
- Notify the System Operator and the OAIC of the breach
- Take steps to prevent/mitigate further breaches.
These FAQs complement the OAIC’s guidance on My Health Record emergency access function and flow chart (below) to help healthcare providers in your organisation to decide whether to use the emergency access function.
More information about notifiable data breaches under the My Health Records Act and how to report a potential breach can be found in the OAIC’s video, flow chart and Guide to mandatory data breach notification in the My Health Record system.
Unauthorised use of the emergency access function may be subject to civil and/or criminal penalties under the My Health Records Act and will constitute an interference with privacy under the Privacy Act 1988.