The legislation supporting the My Health Record system was developed in consultation with stakeholders. Find out more about this consultation.
The My Health Record system operates under the My Health Records Act 2012. The Act establishes:
- the role and functions of the System Operator;
- a registration framework for individuals, and entities such as healthcare provider organisations, to participate in the My Health Record system; and
- a privacy framework (aligned with the Privacy Act 1988) specifying which entities can collect, use and disclose certain information in the system (such as health information contained in a healthcare recipient’s My Health Record), and the penalties that can be imposed on improper collection, use and disclosure of this information.
The Commonwealth Minister for Health can make My Health Records Rules under section 109 of the My Health Records Act, about matters required or permitted by that Act to be dealt with by My Health Records Rules, as set out in the My Health Records Act. The Rules currently in force are:
- My Health Records Rule 2016 – this specifies requirements for registered entities in the system;
- My Health Records (Assisted Registration) Rule 2015 – this specifies requirements for registered healthcare providers that assist individuals to register (through ‘assisted registration’); and
- My Health Records (National Application) Rules 2017 – these provide for the national implementation of the My Health Record system opt-out model under Schedule 1 of the My Health Records Act.
A foundation of the My Health Record system is the Healthcare Identifiers Service, which is established under the Healthcare Identifiers Act 2010. More information about the legislation supporting the Healthcare Identifiers Service is available.
Other legislation supporting the My Health Record system is:
- My Health Records Regulation 2012 – this specifies additional information as identifying information and privacy laws that continue to apply to the disclosure of sensitive information;
- Healthcare Identifiers Regulations 2010 – these provide additional detail and requirements regarding the operation of the Healthcare Identifiers Service; and
- My Health Records (Information Commissioner Enforcement Powers) Guidelines 2016 – these set out the Information Commissioner’s general approach to exercising its enforcement and investigative powers under the My Health Record system.
Changes to legislation
Changes to the legislation supporting the My Health Record system were made in late 2015 and early 2016, primarily as a result of the Review of the Personally Controlled Electronic Health Records and the Healthcare Identifiers Act and Service Review. These changes were developed in consultation with stakeholders.
Information about the key legislative changes in 2015 and 2016:
- the name of the system was changed from the personally controlled electronic health record system to the My Health Record system;
- the Minister can make My Health Records Rules to implement the system to automatically create records for individuals unless they choose not to have one, in trial areas and nationally;
- organisations providing assisted registration no longer need to store individuals’ signed application forms, and may dispose of forms they already hold;
- healthcare provider organisations and other participants no longer need to enter into a participation agreement with the System Operator;
- the unauthorised collection, use or disclosure of information in the My Health Record system, of healthcare identifiers or of other information collected in relation to either the My Health Record system or Healthcare Identifiers Service is subject to civil and criminal penalties;
- if a participant (not including healthcare providers) takes My Health Record system information outside Australia, they may be subject to civil and criminal penalties;
- all participants must notify the System Operator and the Information Commissioner of potential and actual data breaches (State and Territory authorities must notify the System Operator);
- the My Health Record operates without the need to rely on intellectual property licences to avoid infringing copyright – instead an exception applies;
- authorised and nominated representatives of individuals must act in accordance with the will and preferences of the individual they represent;
- healthcare providers whose professional registration (or membership in a professional association if they are not registered with Ahpra) is cancelled, suspended, lapsed or conditional are prohibited from uploading anything to a My Health Record unless they are suspended because their registration (or membership) fees are overdue by less than six months;
- the System Operator can remove (or instruct the removal of) documents from a My Health Record if they are uploaded by a healthcare provider without the necessary professional registration (or membership);
- healthcare provider organisations are expressly authorised to upload information to a My Health Record if it includes relevant information about a third party.
The Australian Digital Health Agency was established in 2016 under the Public Governance, Performance and Accountability (Establishing the Australian Digital Health Agency) Rule 2016. Section 14 of the My Health Records Act provides that the System Operator is the Secretary of the Department of Health or a body established by a Commonwealth law that is prescribed under the regulations. Prior to 1 July 2016, the System Operator was the Secretary of the Department of Health. On 1 July 2016 the Australian Digital Health Agency became the System Operator. Regulation 2.1.1 of the My Health Records Regulation 2012 prescribes the Australian Digital Health Agency to be the System Operator.
The Agency is currently governed by a skills-based Board comprised of members with skills, knowledge and experience relevant to business leadership as well as the health sector. The Board is the Agency’s Accountable Authority for the purposes of the Public Governance, Performance and Accountability Act 2013. To assist the Board in carrying out its functions, the following four standing advisory committees have been established under the Public Governance, Performance and Accountability (Establishing the Australian Digital Health Agency) Rule 2016:
- the Clinical and Technical Advisory Committee;
- the Jurisdictional Advisory Committee;
- the Consumer Advisory Committee; and
- the Privacy and Security Advisory Committee.
The 2015-16 Budget announcement My Health Record – A New Direction for Electronic Health Records in Australia authorised the establishment of the Australian Digital Health Agency (the Agency) to strengthen digital health governance arrangements.
The Agency was established by the Public Governance, Performance and Accountability (Establishing the Australian Digital Health Agency) Rule 2016 (the Rule), which was made by the Commonwealth Minister for Finance under section 87 of the Public Governance, Performance and Accountability Act 2013. Guidance on the establishment of the Agency was provided by a Digital Health Implementation Taskforce Steering Committee (the Steering Committee), which comprised key digital health industry, consumer and healthcare stakeholders. The Steering Committee was formed in September 2015 to work collaboratively with key health sector stakeholders, all jurisdictions, the Commonwealth Departments of Health and Human Services, and the National E-Health Transition Authority Limited to lead the establishment of the structure, governance and operations of the Agency, and to plan and manage the transition of relevant functions and resources to the Agency.
The Agency was established in law on 30 January 2016, and became fully operational on 1 July 2016. From that date, the Agency became responsible for overseeing the operation and evolution of the national digital health capability.