The penalty framework supporting the My Health Record system and the Healthcare Identifiers Service is set out in the My Health Records Act 2012 and the Healthcare Identifiers Act 2010.

Why are there penalties?

Misuse of a person’s health information is a serious matter. The potential for damage (whether personal damage to an individual or reputational damage to a healthcare provider organisation) is significant, and this is reflected in the current professional and legal obligations on persons such as healthcare providers to protect patient information.

The My Health Record system and the Healthcare Identifiers Service contain health and other important information, so penalties are used, among other measures, to protect this information.

What actions may be subject to penalties?

The misuse of information in either the My Health Record system or the Healthcare Identifiers Service, and other activities that relate to the security and integrity of the My Health Record system and the Healthcare Identifiers Service, are subject to penalties under the My Health Records Act 2012 and the Healthcare Identifiers Act 2010. More information about these penalties is provided in the tables at the end of this document.

Do the penalties apply to accidents?

The serious penalties relating to the misuse of information do not apply to accidental misuse. The unauthorised collection, use or disclosure of information will only incur a penalty if the person knows, or is reckless as to whether, that action is unauthorised. This means that if a person accidentally collects, uses or discloses this information – for example, if a healthcare provider inadvertently or accidentally accesses an individual’s My Health Record – they are not liable for a civil or criminal penalty (although there may still be an interference with privacy, and the Australian Information Commissioner may still be able to investigate).

Actions subject to penalties

Action: Unauthorised collection, use or disclosure of health information in a My Health Record - Sections 59 and 60 of the My Health Records Act 2012.
Penalty: Civil penalty of up to 600 penalty units. Criminal penalty of up to two years imprisonment and/or 120 penalty units.

Action: Unauthorised use or disclosure of healthcare identifiers or other information obtained for the purposes of the Healthcare Identifiers Service - Section 26 of the Healthcare Identifiers Act 2010.
Penalty: Civil penalty of up to 600 penalty units. Criminal penalty of up to two years imprisonment and/or 120 penalty units.

Action: A person who accesses the My Health Record system on behalf of a registered healthcare provider organisation fails to provide enough information for the System Operator to identify that person without having to seek more information - Section 74 of the My Health Records Act 2012.
Penalty: Civil penalty of up to 100 penalty units.

Action: Failing to notify an actual or potential data breach in which they were directly involved - Section 75 of the My Health Records Act 2012.
Penalty: Civil penalty of up to 100 penalty units.

Action: Failing to give written notice within 14 days if the entity ceases to be eligible to be registered - Section 76 of the My Health Records Act 2012.
Penalty: Civil penalty of up to 80 penalty units.

Action: Holding, taking, processing or handling records held for the purposes of the My Health Record system outside Australia, or causing someone else to do so - Section 77 of the My Health Records Act 2012.
Penalty: Civil penalty of up to 600 penalty units. Criminal penalty of up to two years imprisonment and/or 120 penalty units.

Action: Failing to comply with the My Health Records Rules that apply to the entity - Section 78 of the My Health Records Act 2012.
Penalty: Civil penalty of up to 100 penalty units.

Action: Failing to notify the Healthcare Identifiers Service Operator of changes to the organisation’s information within 20 days - Section 25E of the Healthcare Identifiers Act 2010.
Penalty: Civil penalty of up to 100 penalty units.

Action: Failing to retain identifying information about a person requesting disclosure of healthcare identifiers (if not provided at the time of disclosure) - Regulation 7 of the Healthcare Identifiers Regulations 2010.
Penalty: Civil penalty of up to 50 penalty units.