Misuse of a person’s health information is a serious matter. The potential for damage to an individual or healthcare provider organisation is significant, which is why healthcare providers have professional and legal obligations to protect patient information.

The My Health Record system and the Healthcare Identifiers Service contain health and other important information and are protected by a penalty framework set out in the My Health Records Act 2012 and Healthcare Identifiers Act 2010.  

Strengthened privacy protections

On 26 November 2018, the Australian Parliament passed new laws to further strengthen the privacy and security protections within My Health Record.

The new laws prohibit the release of health information in a person’s My Health Record to law enforcement agencies and government agencies without their express consent or a court order. These laws also prohibit access to a record by anyone for insurance or employment purposes.

There are also increased penalties for misuse of information. Harsher fines and penalties will apply for inappropriate or unauthorised use of information in a My Health Record. Civil fines will increase to a maximum of $315,000, with criminal penalties including up to 5 years’ jail time.

Actions subject to penalties

| Action | Penalty |
| --- | --- |
| Unauthorised collection, use or disclosure of health information in a My Health Record - Sections 59 and 60 of the My Health Records Act 2012. | Civil penalty of up to 1,500 penalty units. Criminal penalty of five years imprisonment and/or 300 penalty units. |
| Unauthorised use or disclosure of healthcare identifiers or other information obtained for the purposes of the Healthcare Identifiers Service - Section 26 of the Healthcare Identifiers Act 2010. | Civil penalty of up to 600 penalty units. Criminal penalty of up to two years imprisonment and/or 120 penalty units. |
| If a person accesses the My Health Record system on behalf of a registered healthcare provider organisation and fails to provide enough information to the System Operator to identify that person without seeking more information - Section 74 of the My Health Records Act 2012. | Civil penalty of up to 100 penalty units. |
| Failing to notify an actual or potential data breach in which they were directly involved - Section 75 of the My Health Records Act 2012. | Civil penalty of up to 1,500 penalty units. |
| Failing to give written notice within 14 days if the entity ceases to be eligible to be registered - Section 76 of the My Health Records Act 2012. | Civil penalty of up to 1,500 penalty units. |
| Holding, taking, processing or handling records held for the purposes of the My Health Record system outside Australia, or causing someone else to do so - Section 77 of the My Health Records Act 2012. | Civil penalty of up to 1,500 penalty units. Criminal penalty of up to five years imprisonment and/or 300 penalty units. |
| Failing to comply with the My Health Records Rules that apply to the entity - Section 78 of the My Health Records Act 2012. | Civil penalty of up to 100 penalty units. |
| Failure to notify the Healthcare Identifiers Service Operator of changes to their organisation’s information within 20 days - Section 25E of the Healthcare Identifiers Act 2010. | Civil penalty of up to 100 penalty units. |
| Failure to retain identifying information about a person requesting disclosure of healthcare identifiers (if not provided at the time of disclosure) - Regulation 7 of the Healthcare Identifiers Regulations 2010. | Civil penalty of up to 50 penalty units. |

Penalty units are used to calculate the dollar value of Commonwealth fines and penalties. The fine or penalty is calculated by multiplying the value of one penalty unit by the number of penalty units prescribed for the offence.

The value of the Commonwealth penalty unit is $210, effective from 1 July 2017. The unit value will automatically increase in line with the CPI (consumer price index) from 1 July 2020, and every three years after.

Crimes Amendment (Penalty Unit) Bill 2017

My Health Records Amendment (Strengthening Privacy) Bill 2018