Handling information in a My Health Record

Last updated: 19 July 2019

On this page

  • Authorised and unauthorised handling of health information in a My Health Record
  • Reporting a data breach and what actions to take
  • Our powers to deal with a breach

A healthcare provider organisation registered to use the My Health Record system is authorised to collect, use and disclose health information to provide health care to a patient. A sole practitioner may also register to use the My Health Record system and is also referred to as a healthcare provider organisation.

The My Health Records Act 2012 (My Health Records Act) covers the authorised collection, use or disclosure of health information in the My Health Record system. These authorised actions will not breach the Privacy Act 1988 (Privacy Act). However, once this information is downloaded to a local computer system, most of the rules in the My Health Records Act no longer apply to its collection, use or disclosure. Instead, the Privacy Act, local state or territory health information and privacy laws, and professional obligations apply, just as they do to other health information that a healthcare provider organisation handles.

A healthcare provider organisation must follow a My Health Record’s access control settings when collecting, using or disclosing information from it—or the default controls if the patient hasn’t set any. The My Health Record system has been designed so that if a patient has set access controls, these automatically apply to the patient’s record and the healthcare provider organisation doesn’t need to take any action.

Other reasons for handling information in a My Health Record

The My Health Records Act also allows a healthcare provider organisation to collect, use and disclose information from a patient’s My Health Record in ways that are not consistent with the access controls. These situations include where:

  • it’s necessary for managing the My Health Record system (for example, correcting errors or omissions) and would be reasonably expected by the patient
  • it’s necessary to lessen or prevent a serious threat to a patient’s life, health or safety and it’s unreasonable or not practical to get the patient’s consent (for example, they’re unconscious or suffering from dementia)
  • the law requires it
  • the patient has consented to the collection, use or disclosure
  • it’s necessary for a reason related to a healthcare provider organisation’s indemnity cover

Unauthorised handling of information in a My Health Record

Any collection, use or disclosure of health information from a patient’s My Health Record in a way that is not authorised by the My Health Records Act will breach the Act, and the person responsible may be liable for a civil or criminal penalty. Penalties may apply where a person knowingly handles information in an unauthorised way, or is reckless about whether the handling is unauthorised.

Such a breach is an interference with privacy and may be investigated under the Privacy Act and subject to enforcement action and other remedies.

Data breaches

Due to the sensitivity of health information, under the My Health Records Act it’s mandatory for certain entities to notify us and the My Health Record System Operator of a data breach involving the My Health Record system.

The My Health Record System Operator is the Australian Digital Health Agency.

The My Health Records Act also requires relevant entities to take a number of steps as soon as practicable after becoming aware of a My Health Record data breach. These steps differ slightly depending on whether the data breach has occurred or may have occurred.

For more information, see Guide to Mandatory Data Breach Notification in the My Health Record System.

Our enforcement and investigative powers

When an individual or organisation is authorised to collect, use or disclose health information under the My Health Records Act, this action is also authorised under the Privacy Act. This means that if a particular collection, use or disclosure is authorised by the My Health Records Act then it will not breach the Privacy Act.

An unauthorised collection, use or disclosure of health information in a patient’s My Health Record is an ‘interference with privacy’ under the Privacy Act. It triggers our investigative and enforcement functions and powers under the Privacy Act. This means we can investigate a complaint from an individual about the handling of the information in their My Health Record and investigate the acts or practices of the organisation believed to have breached the Privacy Act.

If appropriate, we usually try to resolve a complaint through conciliation.

Our enforcement powers under the My Health Records Act and the Privacy Act include:

  • accepting an enforceable undertaking
  • making a determination
  • applying to a court for an injunction
  • applying to a court for an order that an individual pay a civil penalty

For more information about My Health Record, visit the My Health Record website (which includes online training modules for clinical and non-clinical employees) and the Australian Digital Health Agency website.
