Sharing experience & knowledge
My Health Record – key issues for individuals and health provider organisationsSuzette Pullinger Posted 10 August 2018
What is it?
A My Health Record is an electronic summary of a person’s health information stored on a national electronic database, including health information such as medical records, pathology test results, allergies and administered medication.
When will I get one and is there an opt out period?
By the end of 2018, a My Health Record will be set up for every Australian who did not opt out before the opt out deadline. The opt out period is currently 16 July to 15 October 2018, however, the Federal Government has indicated they may consider extending the deadline by one month.
Who can upload your health information to a My Health Record?
You (or your authorised representatives) can upload health information to the My Health Record system, as well as health providers (such as general practitioners, specialists, hospital staff or pharmacists). Further, when you first receive a My Health Record, up to two years of prior Medicare data may be added to your My Health Record by the government.
Can I restrict access to my record?
Yes, but as at the date of this article you cannot delete records entirely after they are uploaded.
If you decide not to set access controls, any healthcare provider involved in your care will be able to access your My Health Record and documents within it. This means that generally health care providers will not need to ask your consent to upload records. However, you can still request that your health care provider not upload certain records.
If you would like any records removed from your My Health Record you can contact the Australian Digital Health Agency (ADHA) to request documents be removed from view, access to be restricted or for your My Health Record to be cancelled. However, any health information uploaded to a My Health Record will be stored on the system for a period of 30 years after death of the individual or if the date of death is unknown, 130 years from the date of birth.
Can I make a complaint if my personal information has been mishandled?
Yes, you can. You can express your concerns or make a complaint to your health care provider that may have mishandled your personal information. If you are not satisfied with their response, you may make a complaint to the ADHA; or subsequently the Office of the Australian Information Commissioner (OAIC) or the privacy regulator in your state or territory (such as the Ombudsman in Tasmania).
FOR HEALTHCARE PROVIDERS:
Does every Healthcare Provider have access to the My Health Record system?
Not automatically. All healthcare provider organisations wishing to participate in the My Health Record system must first be registered with the Healthcare Identifier Service (HI). HI is a national system for uniquely identifying healthcare providers. Once registered, healthcare organisations are issued a unique 16-digit HPI-O number. Further details can be found at the below link:
When can I access or upload health information to a patient’s My Health Record?
Once registered, your organisation may collect, use or disclose personal information so long as it is for providing healthcare to the patient and in accordance with the access controls set by the patient (or the default access controls if no restrictions set). Importantly, if a patient has expressed they do not want you to upload certain records, you must not do so.
Should my organisation have a policy in place for use of the My Health Record system?
Yes. A healthcare provider must have a written policy in place to make sure use of the system is secure, responsible and accountable and ensure that policy is communicated to staff and maintained appropriately.
What are my notification obligations for potential My Health Record data breaches?
If you think personal information from a patient’s My Health Record has been part of an actual or potential data breach, you must notify the ADHA and OAIC, even if you have not yet concluded that serious harm has or is likely to occur to that individual. For example, accidentally providing health information from a My Health Record to the wrong family member or uploading a record a patient has asked you not to, are instances that may require notification to ADHA and OAIC.
Can I get further training on use of the system?
ADHA can provide education and training on using the My Health Record system, data quality, privacy and security. Further details can be found on their website:
If you have any questions regarding the new scheme (such as privacy concerns, potential data breaches or if you require assistance drafting policies) please get in touch with our privacy team to see how we can assist you.
 My Health Record Act 2012 (Cth) (the Act) section 61
 The Act, Schedule 1, section 9
 My Health Records Rule 2016 (Cth) rule 42
 The Act, section 75