Misuse of a person’s health information is a serious matter. The potential for damage to an individual or healthcare provider organisation is significant, which is why healthcare providers have professional and legal obligations to protect patient information.

The My Health Record system and the Healthcare Identifiers Service contain health and other important information and are protected by a penalty framework set out in the My Health Records Act 2012 and Healthcare Identifiers Act 2010.  

Strengthened privacy protections

On 26 November 2018, the Australian Parliament passed laws to further strengthen the privacy and security protections within My Health Record.

The laws prohibit the release of health information in a person’s My Health Record to law enforcement agencies and government agencies without their express consent or a court order. These laws also prohibit access to a record by anyone for insurance or employment purposes.

There are also increased penalties for misuse of information. Harsher fines and penalties will now apply for inappropriate or unauthorised use of information in a My Health Record. Civil fines have increased to a maximum of $333,000, with criminal penalties including up to 5 years’ jail time.

Actions subject to penalties

Each entry below lists the action and the penalty that applies to it.

Action: Unauthorised collection, use or disclosure of health information in a My Health Record – sections 59 and 60 of the My Health Records Act 2012
Penalty: Civil penalty of up to 1,500 penalty units (up to 7,500 penalty units for bodies corporate)
Criminal penalty of five years imprisonment and/or 300 penalty units (up to 1,500 penalty units for bodies corporate)

Action: Unauthorised use of health information in a My Health Record for prohibited purposes – section 59A of the My Health Records Act 2012
Penalty: Civil penalty of up to 1,500 penalty units (up to 7,500 penalty units for bodies corporate)

Action: Unauthorised use or disclosure of healthcare identifiers or other information obtained for the purposes of the Healthcare Identifiers Service – section 26 of the Healthcare Identifiers Act 2010
Penalty: Civil penalty of up to 600 penalty units (up to 3,000 penalty units for bodies corporate)
Criminal penalty of up to two years imprisonment and/or 120 penalty units (up to 600 penalty units for bodies corporate)

Action: Using health information that was derived from a My Health Record for prohibited purposes – sections 71A and 71B of the My Health Records Act 2012
Penalty: Civil penalty of up to 1,500 penalty units (up to 7,500 penalty units for bodies corporate)
Criminal penalty of five years imprisonment and/or 300 penalty units (up to 1,500 penalty units for bodies corporate)

Action: Accessing the My Health Record system on behalf of a registered healthcare provider organisation and failing to provide enough information to the System Operator to identify that person without seeking more information – section 74 of the My Health Records Act 2012
Penalty: Civil penalty of up to 100 penalty units (up to 500 penalty units for bodies corporate)

Action: Failing to notify an actual or potential data breach in which they were directly involved – section 75 of the My Health Records Act 2012
Penalty: Civil penalty of up to 1,500 penalty units (up to 7,500 penalty units for bodies corporate)

Action: Failing to give written notice within 14 days if the entity ceases to be eligible to be registered – section 76 of the My Health Records Act 2012
Penalty: Civil penalty of up to 1,500 penalty units (up to 7,500 penalty units for bodies corporate)

Action: Holding, taking, processing or handling records held for the purposes of the My Health Record system outside Australia, or causing someone else to do so – section 77 of the My Health Records Act 2012
Penalty: Civil penalty of up to 1,500 penalty units (up to 7,500 penalty units for bodies corporate)
Criminal penalty of up to five years imprisonment and/or 300 penalty units (up to 1,500 penalty units for bodies corporate)

Action: Failing to comply with the My Health Records Rules that apply to the entity – section 78 of the My Health Records Act 2012
Penalty: Civil penalty of up to 100 penalty units (up to 500 penalty units for bodies corporate)

Action: Failing to notify the Healthcare Identifiers Service Operator of changes to the organisation’s information within 20 days – section 25E of the Healthcare Identifiers Act 2010
Penalty: Civil penalty of up to 100 penalty units (up to 500 penalty units for bodies corporate)

Action: Failing to retain identifying information about a person requesting disclosure of healthcare identifiers (if not provided at the time of disclosure) – regulation 7 of the Healthcare Identifiers Regulations 2010
Penalty: Civil penalty of up to 50 penalty units (up to 250 penalty units for bodies corporate)

Penalty units are used to calculate the dollar value of Commonwealth fines and penalties. The fine or penalty is calculated by multiplying the value of one penalty unit by the number of penalty units prescribed for the offence.

The value of the Commonwealth penalty unit is $222, effective from 1 July 2020. The unit value automatically increases in line with the CPI (consumer price index) every three years.