A healthcare provider organisation must register to use the My Health Record system.
What information is in a My Health Record?
The My Health Record system contains an online summary of a patient’s health information, it’s not their complete medical history.
A healthcare provider organisation can upload clinical information such as:
- a Shared Health Summary, which includes, for example, allergies, medical history and immunisations (only a medical practitioner, a registered nurse or an Aboriginal or Torres Strait Islander health practitioner can upload a Shared Health Summary to a patient’s My Health Record)
- referral and specialist letters
- an event summary, a clinical document summarising one or more episodes of care
- a discharge summary, a record of a patient’s stay at hospital and any follow up treatment.
When a My Health Record can be accessed
When a My Health Record is created, the default privacy settings (called access controls) automatically let all health service providers involved in a patient’s care access the patient’s My Health Record and the documents it contains. However, the patient can control who has access to their My Health Record and what’s uploaded to it.
A patient can restrict a heathcare provider’s access to specific documents or choose to remove documents from their My Health Record. In certain situations, a healthcare provider can be granted emergency access to a patient’s My Health Record. This access overrides the patient’s access control settings and allows the healthcare provider to view all the patient’s health information, including any restricted documents.
The My Health Record system keeps track of which healthcare providers have accessed a patient’s My Health Record in a record’s access history.
Uploading information to a My Health Record
A healthcare provider organisation must take reasonable steps to make sure that any information they’re uploading is relevant, accurate and up-to-date at the time of uploading.
If a healthcare provider organisation plans to upload clinical documents to a patient’s My Health Record, it is best practice to talk to the patient about the kind of information they will upload.
If a patient asks that a certain document not be uploaded, then a healthcare provider organisation must do as they ask.
In certain situations, a state or territory law will prohibit a healthcare provider organisation from uploading a patient’s record, or including particular information, without their consent. These laws are set out in the My Health Records Regulation 2012 and cover certain notifiable conditions (such as HIV) and other matters (such as information about a cancer diagnosis).
Uploading health information about a third party
A healthcare provider organisation may upload health information about a third party to a patient’s My Health Record if it’s directly relevant to the health care of the patient. This allows a healthcare provider organisation to record and upload a patient’s family, social and medical histories for accurate diagnosis and treatment. The authority to upload third-party information depends on certain state and territory laws, set out in the My Health Record Regulation 2012. Under these laws the third party must consent to their health information being disclosed in particular ways.
Downloading information from a My Health Record
A healthcare provider organisation may download health information from a patient’s My Health Record when giving health care to a patient to their local computer system. They must not download more information than is necessary to treat the patient.
Downloading information onto a healthcare provider’s own IT system is considered a ‘collection’ of information from the My Health Record system, and must be done in a way that follows the My Health Records Act 2012. Once it’s downloaded to a local computer system, most of the rules in My Health Records Act no longer apply to the collection, use or disclosure of this information. Instead, the Privacy Act 1988, local state or territory health information and privacy laws and professional obligations apply, just like other health information that a healthcare provider organisation handles.
Removing documents from a My Health Record
A healthcare provider organisation is only able to remove documents that their organisation has authored and uploaded. A patient may also choose to remove a document from their My Health Record.
If a patient removes a document it will not be available through the My Health Record to any healthcare provider organisation involved in their care, including the author. Any document a patient removes from their My Health Record is not accessible in a medical emergency.
Correcting information in a My Health Record
If a healthcare provider organisation becomes aware that a clinical document they’ve uploaded to a patient’s My Health Record is incorrect, they should remove it and upload a new, correct version of the document.
Rules that apply under the My Health Records Act
Legally binding rules made under the My Health Records Act set out a healthcare provider organisation’s responsibilities in certain situations. This includes the My Health Records Rule 2016.
If a healthcare provider organisation is aware of their responsibilities under these rules, this helps to make sure they have procedures and policies in place to protect patient privacy and that personal information is properly handled.
My Health Records Rule 2016
The My Health Records Rule 2016 supports the secure operation of the My Health Record system. It sets out:
- how certain types of records should be handled
- the access controls that allows a patient to manage their My Health Record.
It also requires a healthcare provider organisation to have a written policy that reasonably addresses a range of matters. This includes how the healthcare provider organisation authorises employees to access the My Health Record system and the physical and information security measures that they must put in place. The policy must also explain how to access and use the My Health Records system, so it’s important that it’s clearly understood by staff members.