Published: 10 October 2023
When a reporting entity becomes aware that a My Health Record data breach has or may have occurred, they must notify the System Operator (Australian Digital Health Agency) and the Office of the Australian Information Commissioner (OAIC), unless they are a state or territory body. State or territory bodies must report a My Health Record data breach to the System Operator.
Data breaches that occur outside of the My Health Record system may need to be notified to the OAIC under the Notifiable Data Breaches (NDB) scheme.
What is a My Health Record data breach?
A reporting entity must make a My Health Record data breach notification if it becomes aware that:
- a person has, or may have, contravened the My Health Records Act 2012 (Cth) (My Health Records Act) in a manner involving an unauthorised collection, use or disclosure of health information included in a healthcare recipient’s My Health Record; or
- an event has, or may have, occurred (whether or not involving a contravention of the My Health Records Act) that compromises, may compromise, has compromised or may have compromised, the security or integrity of the My Health Record system; or
- circumstances have, or may have, arisen (whether or not involving a contravention of the My Health Records Act) that compromise, may compromise, have compromised or may have compromised, the security or integrity of the My Health Record system.
The contravention, event or circumstances must have directly involved, or may have involved or may involve, the entity reporting the My Health Record data breach.
Who must report a My Health Record data breach?
The following entities (reporting entities) must report data breaches under the My Health Records Act:
- the My Health Record System Operator, the Australian Digital Health Agency (ADHA)
- registered healthcare provider organisations
- registered repository operators (RROs)
- registered portal operators (RPOs)
- registered contracted service providers.
When must a My Health Record data breach be reported to the OAIC?
All potential or actual breaches of the My Health Record system must be notified as soon as practicable after the reporting entity becomes aware of the data breach.
All reporting entities must report a My Health Record data breach to the System Operator, the ADHA (see: Report a My Health Record data breach to the ADHA).
Reporting entities that are not a state or territory authority or an instrumentality must also report a My Health Record data breach to the OAIC using the form below.
State and territory bodies may also be required to comply with their local mandatory reporting schemes or choose to voluntarily report data breaches to their local privacy regulator in addition to reporting to the System Operator.
For more information about notification obligations, reporting entities should review the Guide to mandatory data breach notification in the My Health Record system.
The OAIC My Health Record data breach form
To notify the OAIC of a My Health Record data breach, use the My Health Record data breach form.
Providing detailed information about the circumstances of the potential or actual My Health Record data breach will help the OAIC understand and respond to your notification if needed.
For more information about how the OAIC may respond to a My Health Record data breach, please see the Guide to mandatory data breach notification in the My Health Record system.
Data breach requirements in the My Health Record system
My Health Record can make your job as a healthcare provider easier, by making access to information about your patients and clients simpler.
But to protect your patients’ privacy, it’s vital that you understand how to prevent any breach of My Health Record data.
First, understand what a breach is.
A data breach occurs when someone has collected, used or disclosed information without authorisation, or when something has happened that compromises the security or integrity of the My Health Record system.
Second, reduce the chance of a breach occurring: establish best practice privacy management.
Part of good privacy practice means preparing now for when things go wrong, by having a data breach response plan.
This is like first aid training for data — so you can act quickly, and limit the damage.
All private healthcare providers are also required to comply with the Privacy Act, and must take reasonable steps to protect personal information from misuse, unauthorised access, or disclosure.
Third, know what steps you must take if a breach occurs or is suspected.
If you know or suspect a My Health Record data breach has occurred you must take certain steps.
- Contain the breach
- Evaluate any risks associated with the breach
- Notify the System Operator and/or the Privacy Commissioner’s Office of the breach
- Take steps to prevent/mitigate further breaches.
Please visit our website for further information on these steps and to access My Health Record resources.