My Health Record access controls

Last updated: 19 July 2019

On this page

  • What access controls do
  • Applying access controls and using access history

The My Health Record system’s access controls allow an individual to restrict who can access their My Health Record and which documents they can view. They can also use access history to see who has accessed their My Health Record.

A healthcare provider organisation should be familiar with the access controls that a patient can set as they may affect how they use a patient’s My Health Record.

The access controls set by a patient can be bypassed in a situation where it’s unreasonable or not practical to get consent from the patient and the healthcare provider organisation reasonably believes that access is necessary to lessen or prevent a serious threat to the patient or to another individual’s life, health or safety.

Under the My Health Records Act 2012, a healthcare provider organisation must not discriminate against or refuse to give health care to a patient because the patient has set particular access controls in their My Health Record.

Applying access controls

A patient can stop a particular healthcare provider organisation from having access to their My Health Record (or particular documents) using access controls. A patient can’t stop a particular individual in a healthcare provider organisation from having access.

If a patient does not set access controls, the default access controls apply and a healthcare provider organisation can view all clinical documents in their patient’s My Health Record, as well as upload documents to the patient’s My Health Record.

Record Access Code

An individual can limit access to their entire My Health Record with a Record Access Code. If a patient has a Record Access Code, a healthcare provider organisation won’t be able to view documents in the patient’s My Health Record unless the patient gives them their Record Access Code. Once a healthcare provider organisation has accessed their patient’s My Health Record using the Record Access Code, they are included on a provider access list. From now on, they don’t need to use the Record Access Code to access the patient’s My Health Record.

An individual can remove a healthcare provider organisation from their provider access list at any time.

Limited Document Access Code

A Limited Document Access Code operates like a Record Access Code but will also allow a healthcare provider organisation to view documents marked ‘restricted’.

Using access history

The access history page in a patient’s My Health Record shows:

  • the date and time a patient’s My Health Record was accessed
  • the healthcare provider organisation who accessed the My Health Record
  • the action that was performed (for example, when a clinical document was created or removed, when individual contact details were changed, when representatives were added or removed), including by the patient themselves

An individual can also choose to be notified whenever a healthcare provider organisation accesses their My Health Record for the first time or in an emergency.

For more information about My Health Record, visit the My Health Record website (which includes online training modules for clinical and non-clinical employees) and the Australian Digital Health Agency

Was this page helpful?

Thank you.

If you would like to provide more feedback, please email us at websitefeedback@oaic.gov.au