
Introduction

This privacy policy explains how the Australian Digital Health Agency (the Agency), as System Operator under the My Health Records Act 2012 (Cth), collects, uses and discloses personal information to operate and manage the My Health Record system. This information is handled subject to the My Health Records Act, Healthcare Identifiers Act 2010 (Cth) and the Privacy Act 1988 (Cth). This policy is published in accordance with Australian Privacy Principles in the Privacy Act.

For information about how the Agency handles personal information for other purposes, see our Agency Privacy Policy.

When we refer to “System Operator”, “our”, “we” or “us” in this policy, this may include our delegates in the Department of Health or the Chief Executive Medicare and contractors who assist us to carry out our functions.

When we refer to “you” or “your” in this policy, we may be referring to you in your capacity as a healthcare recipient with a My Health Record, or to another person who is a representative authorised to manage your My Health Record under the My Health Records Act. We may also be referring to a healthcare provider or other authorised staff of a registered healthcare provider organisation. It should be clear from the context of the policy what we mean.

References to personal information in this policy may also include health information. Health information is a type of personal information that is about your health or disability. Health information is considered sensitive information and generally has a higher level of privacy protection than other types of personal information.

This policy uses some technical terms, such as “System Operator”, which are explained in our glossary. If you have any questions about the terms used in this policy, please contact us using the contact details at the end of this policy.

If you would like to access this privacy policy in an alternative format or language, for example if you have a disability or are from a non-English speaking background, please contact us using the contact details at the end of this page. We will take reasonable steps to provide you with alternative access.

Overview

We only collect, use and disclose personal information where this is permitted by the My Health Records Act, the Healthcare Identifiers Act and the Privacy Act to fulfil our functions as the System Operator. We may disclose personal information to:

  • you or your authorised representatives or nominated representatives for the purposes of managing your My Health Record
  • authorised individuals from registered healthcare provider organisations to provide you with healthcare
  • registered healthcare provider organisations and individuals who work for them if we reasonably believe it is necessary to lessen or prevent a serious threat to your life, health or safety. We may also collect, use and disclose personal information where we reasonably believe it is necessary to lessen or prevent a serious threat to public health or public safety 
  • registered contracted service providers who provide information technology or health information management services to registered healthcare provider organisations in relation to the My Health Record system
  • our contractors and delegates who assist in operating the My Health Record system and carrying out the System Operator functions
  • registered repository operators for the purpose of storing, indexing and calling for documents about you which form part of your My Health Record
  • other participants in the My Health Record system for the purposes of the My Health Record system, including if we need to investigate or resolve technical or other issues that may have an impact on the accuracy, security or privacy of information in your My Health Record
  • other persons for the management and operation of the My Health Record system where you, as a healthcare recipient, would reasonably expect us to do so
  • other persons, in other situations where you have provided consent and in accordance with all relevant laws.

Specific information about the personal information we collect, use and disclose to carry out specific activities is outlined below.

If you don’t want a My Health Record

You can choose not to have a My Health Record, for example when enrolling in Medicare for the first time. You may also have chosen to not have a My Health Record automatically created for you during opt-out periods. When this occurs, we collect and use personal information you provide to ensure that your decision is recorded and you do not receive a My Health Record, unless you choose to register later. 

You can also choose to cancel your registration for a My Health Record. To process this request we will collect some personal information to verify your identity. Once your request is processed, the personal information in your My Health Record will be handled as detailed in the “Cancellation of My Health Record registration” section in this policy. 

If you want a My Health Record

If you do not have a My Health Record you can apply to us to register for one. To do this we will need to collect some personal information to verify your identity. We also collect your personal information from a registered healthcare provider organisation, if they are helping you register for a My Health Record. We may need to check personal information you provide to us with third parties to verify your identity, which we are required to do before we can register you. This includes Services Australia (which operates Medicare) and the Healthcare Identifiers (HI) Service Operator, which is currently the Chief Executive Medicare. 

If you are registering for a My Health Record on behalf of someone else as their authorised representative, we will also need to collect evidence of your authority to act for them. The information required will depend on the circumstances. For example, if you are seeking to create a My Health Record on behalf of your child who is under 14, we may collect details of your Medicare card that shows your name and your child’s name. 

Register for a My Health Record

To register and create a My Health Record for someone, we need some personal information. This includes the person’s name, sex, Medicare or Department of Veterans’ Affairs (DVA) number and date of birth. We may also collect evidence of identity information or documentation from you as part of this process.

There are a few different ways we collect this information. If you have asked to be registered for a My Health Record, we will collect this personal information directly from you. We may also collect this information from a registered healthcare provider organisation, if you have provided your consent for the organisation to help you register for a My Health Record. If you are registering for a My Health Record on behalf of someone else as their authorised representative, we may also need to collect evidence of your authority to act on their behalf.

We use the personal information we collect to verify your identity by comparing it against information held by Services Australia and collect your Individual Healthcare Identifier (IHI) and status from the HI Service Operator. This information is then used to register you (or someone you represent) for a My Health Record, and to match health information to the correct My Health Record. 

A My Health Record may have been automatically created for individuals who did not opt out of having one during an opt-out period, or when enrolling for Medicare – for example at birth. To create a My Health Record in these circumstances, we collected and used your information in the same ways as described above. If you believe that a My Health Record has been incorrectly created for you, you can cancel your My Health Record registration. See Cancel a My Health Record for more information.

You can choose to tell us during the registration process that you are of Aboriginal or Torres Strait Islander origin and adjust this setting at any time using the “Profile and Settings” section in your My Health Record. If you choose to provide us with this information, it will be made available to your healthcare providers to inform their decision-making. 

Adding information to a My Health Record

In the My Health Record system, personal information is either retrieved from the National Repositories Service (NRS), which is operated by us, or obtained from a participating registered repository operator. We collect, use and disclose the following personal information to populate a My Health Record:

Information collected directly from you

We may collect personal information that you have provided. This could include information such as your personal health summary or personal health notes you have chosen to include in your My Health Record. Learn more about adding personal health information.

Information collected from a healthcare provider organisation

We will collect personal information when a registered healthcare provider organisation uploads this information to a My Health Record. Personal information may be contained in records such as a shared health summary, a discharge summary, diagnostic imaging or pathology results, or prescribing and dispensing information. These records may also contain personal or health-related information about third parties. For example, if a healthcare provider organisation uploads details about your family medical history, this may include information about your relatives as well. 

You can advise your healthcare provider not to upload certain records to your My Health Record. Your healthcare provider must comply with this request. You can also choose to manage which healthcare provider organisations can access your My Health Record by setting access controls. See the “Managing a My Health Record” section in this policy for more information about how to do this.

Information collected from registered repository operators

A My Health Record is not a single document stored in a single database. It is made up of a collection of documents stored in the NRS or obtained from participating registered repository operators. We index information held in each registered repository that registered repository operators maintain and display as a list of available information in your My Health Record.

For example, if a registered healthcare provider wishes to access a document held in a registered repository to provide healthcare to you, we will collect the document from the registered repository and disclose it through the My Health Record system to that healthcare provider.

The descriptions below explain how we collect, use and disclose personal information held in registered repositories as part of operating the My Health Record system. At this stage Medicare is the only registered repository operating in the My Health Record system.

Medicare Repository

We collect personal information held by Services Australia, which operates Medicare, when this information is uploaded to a My Health Record. Medicare information that we may collect and include in a My Health Record includes:

  • details of the last two years and any future Medicare Benefits Schedule (MBS) claims (including claims that are processed by Services Australia on behalf of DVA)
  • details of the last two years and any future Pharmaceutical Benefits Scheme (PBS) claims (including DVA claims under the Repatriation Pharmaceutical Benefits Scheme (RPBS) that are processed by Services Australia)
  • organ and/or tissue donation decisions recorded in the Australian Organ Donor Register (AODR)
  • immunisations administered to the individual, recorded in the Australian Immunisation Register (AIR).

Information we collect from Medicare may include details of the types of healthcare services that you have received and the types of medications that you have been prescribed. Some of this information may indicate diagnosed conditions or illnesses, symptoms, or tests.

Unless you have told us otherwise, AIR information is automatically uploaded to your My Health Record. The remaining Medicare information will be uploaded to your My Health Record the first time one of the following events occurs:

  • you access your My Health Record and set Medicare information preferences to “Yes”
  • a registered healthcare provider organisation accesses your My Health Record
  • certain documents, such as a shared health summary, are uploaded to your My Health Record.

You can decide which of the above Medicare information is to be included in your My Health Record, or stop or restart the flow of that information at any time through the settings in your My Health Record. MBS and PBS information uploaded to your My Health Record before you change these settings will remain visible on your My Health Record to everyone who accesses your record, unless you remove the information from view, or restrict who has access to it.

Information collected from your authorised representatives or nominated representatives

If your My Health Record is being managed on your behalf, we may collect personal information about you that your representative has provided to us.

Managing a My Health Record

Linking to myGov

If you wish to access your My Health Record online, you will need to link your My Health Record to your myGov account. If you are someone’s representative, you will need to link your own myGov account to their My Health Record to access it.

We will need to verify your identity to link your myGov account to a My Health Record. To verify your identity online, we will work with Services Australia to ask you a series of identity questions, such as information relating to your Medicare or DVA claims history. We do not retain the personal information we collect to verify your identity online, and we do not disclose this information to anyone other than Services Australia.

If you are unable to verify your identity online, you can contact us for assistance. We will verify your identity in the same way as the online process or ask for additional identification documentation. We retain and securely store any identification documentation you send us. Once your identity is verified we will provide you with a unique Identity Verification Code (IVC) that you can use to link your myGov account to a My Health Record.

We will use personal information such as your name and address to notify you when a new myGov account has been linked to your My Health Record. We do this to confirm that the My Health Record and the myGov account have been correctly linked.

Access controls

Only authorised individuals from registered healthcare provider organisations who are involved in your care are allowed by law to access your My Health Record. You can see which healthcare provider organisations have accessed your record and when in the Access History part of your My Health Record.

You can choose to manage access to your My Health Record by setting access controls. You can restrict registered healthcare provider organisations from accessing your My Health Record, seeing whether you have a My Health Record or viewing certain records in your My Health Record. You can also remove documents from view in your My Health Record. To give effect to these controls, we may need to collect and use personal information about individuals you have allowed to access your My Health Record. Find out more about how to manage access to documents or restrict access to your My Health Record.  

You cannot manage access on some types of documents. These include your shared health summary, advanced care planning information, or personal health summary. However, you can still control access to these documents by removing them from view, or by restricting access to your My Health Record.

Emergency access

Registered healthcare providers (and other participants in the My Health Record system) can collect, use and disclose information and documents in your My Health Record if they reasonably believe that is necessary to lessen or prevent a serious threat to your life, health or safety. This includes information and documents that are restricted with an access code but not documents that have been effectively removed, personal health notes or personal achievements. 

Any participant in the My Health Record system can also collect, use and disclose information and documents in a My Health Record if they reasonably believe it is necessary to lessen or prevent a serious threat to public health or public safety. The limited circumstances where this sort of “emergency access” applies are outlined in section 64 of the My Health Records Act. You can learn more about emergency access here.

Help to manage your record

If you contact us to help manage your My Health Record, we will need to collect some personal information from you. This may include your name, sex, Medicare or DVA number and date of birth. We may also collect evidence of identity information or documentation from you as part of this process. We will use this information to verify your identity with the information that Services Australia holds about you.

Mobile applications

You may choose to view your My Health Record information by using a mobile application (mobile app) of an entity that has registered to be a portal operator in the My Health Record system (registered portal operator). 

Mobile apps are required to use the My Health Record mobile gateway. Registered portal operators are not able to access, view or store your health information when providing this service.

When you use mobile apps of registered portal operators to access your My Health Record, we will collect:

  • data that you are using a mobile app to access your My Health Record, and
  • information about the specific mobile app that you are using.

Registered portal operators must comply with the My Health Records Act, including having central management and control of the portal operator located in Australia and not transferring My Health Record system records outside Australia.

Notifications

You can choose to be notified when certain events occur on your My Health Record, for example when your My Health Record has been accessed by a new registered healthcare provider organisation. So that we can notify you, we need to collect and use your email address or mobile phone number. Find out more about how to turn notifications on.

Representatives

You can manage a My Health Record on behalf of someone else as an authorised representative or as a nominated representative if you are eligible to be a representative under the My Health Records Act. To find out more about what these terms mean, consult our glossary.

If you are managing a My Health Record on behalf of someone as a “read only” nominated representative, we may collect and use your full name or any other personal information that the individual has provided to us to include you as a nominated representative for their My Health Record.

If you are managing a My Health Record on behalf of someone else as an authorised representative or a “full access” nominated representative, we will collect your name, date of birth, contact details, sex, and your Medicare or DVA number. We will use and disclose this information to the HI Service Operator or Services Australia to verify your identity, to collect or confirm your IHI and its status, and to allow secure access for you to the My Health Record system.

To verify your identity, we may also collect evidence of identity information or documentation from you. We will use the information we collect to verify your identity by comparing it against information held by Services Australia. 

If you are seeking to manage someone’s My Health Record as an authorised representative, we will also need to collect evidence of your authority to act on their behalf. The information required will depend on the circumstances. For example, if you are seeking to create a My Health Record on behalf of your child who is under 14, we may collect details of your Medicare card that shows both your name and your child’s name. We may also need to check the information provided with third parties, such as Services Australia.

We will record your use of a My Health Record as a representative and disclose your personal information in the My Health Record’s access history. The access history is an access log that summarises the flows of information in relation to an individual’s My Health Record. Access logs will also include your name, unless a pseudonym has been used. Other representatives will also be able to see these details.

Where a child under 14 has been removed from their parent’s or guardian’s care – for example when parental responsibility has been granted to a care agency – the person legally responsible for the child may access and manage the child’s My Health Record. Where a care agency has legal responsibility, information about representatives of the child may also be disclosed to staff of the care agency through this process.

Updating details

You can add or update some details in your My Health Record. This includes your:

  • Aboriginal or Torres Strait Islander status and Veteran and Australian Defence Force status. This is used to assist in the planning and provision of appropriate and improved healthcare and services
  • emergency contact details which will be made available to your healthcare providers and representatives
  • contact phone number that we will use to contact you, and
  • email address and mobile phone number to send you notifications when certain events occur on your My Health Record.

To update demographic details such as your name, sex and address you will need to update your details with Medicare. We automatically collect these updated details from Medicare to keep the information in your My Health Record current. 

We do not collect phone numbers and email addresses you have stored with Medicare. Any changes to these details in Medicare will not be included in your My Health Record.   

My Health Record data used for research and other purposes

Part 7 of the My Health Records Act established the role of the Data Governance Board (the Board). The Board oversees the operation of the secondary use governance framework as outlined in the Framework to guide the Secondary Use of My Health Record system data. The Board’s role also includes guiding and directing us to prepare and provide de-identified data for research or public health purposes and, with consent of the healthcare recipient, health information for the same purposes. 

De-identified data is data that has had information that could reasonably identify any person removed, for example when your name, date of birth, address or other identifying information is removed. De-identified data may include your Aboriginal or Torres Strait Islander status, if you have chosen to provide it.

If you are happy for your de-identified data to be used for research or public health purposes, you don’t need to do anything. If you don’t want to have your data used for this purpose, you can choose not to participate by recording this in the “Profile and Settings” part of your My Health Record. Find out more about how to control these settings.

The secondary use governance framework does not apply to other authorisations we have under the My Health Records Act to handle personal information or de-identified data. These authorisations may include handling My Health Record information so we can effectively administer the My Health Record system and carry out our other functions under the My Health Records Act. For example, we may use and disclose My Health Record information to perform activities such as handling complaints, resolving incidents or to ensure that the system is operating in a safe and secure manner. We may also handle My Health Record information to report on system performance and establish new ways of reporting on system performance, or to measure the benefits of the system. 

We may also use and disclose de-identified aggregated My Health Record information to educate healthcare provider organisations and the public about the use and performance of the My Health Record system.

Disclosures that are required under the My Health Records Act

We will disclose personal information included in a My Health Record if it is required under the My Health Records Act. This does not include your personal health notes. The limited circumstances where your personal information is required to be disclosed include when it is:

  • to courts and tribunals under an order or direction (and only where the order or direction relates to a limited type of proceedings)
  • under a coroner’s direction or order, or
  • to limited Commonwealth, state or territory authorities who are not courts, tribunals or coroners, who have particular powers specified in the My Health Records Act, and only where they have obtained an order from a judicial officer.

Collection, use and disclosures that are authorised under the My Health Records Act

We may collect, use or disclose personal information included in a My Health Record if that is authorised under the My Health Records Act. The limited circumstances where your personal information is authorised to be disclosed include when it is:

  • to you (including your authorised representatives and nominated representatives)
  • to provide healthcare, in accordance with any access controls set by you
  • with your consent
  • for the management or operation of the My Health Record system – if you would reasonably expect this to occur. For example, it may be to resolve any technical or other issues that may have an impact upon the accuracy, security or privacy of information in your My Health Record
  • for emergency access purposes as outlined in this policy
  • authorised by the Auditor‑General Act 1997 (Cth) or the Ombudsman Act 1976 (Cth) 
  • under any other law to the extent where it requires the handling of the health information so that the Australian Information Commissioner can perform its functions
  • for a purpose relating to the provision of indemnity cover for a healthcare provider, or
  • if we suspect unlawful activity relating to our functions has occurred or may be occurring. Should this occur, we will handle health information if we reasonably believe that it is necessary to investigate the matter or report our concerns to the relevant person or authority. However, we are only authorised to disclose the minimal amount of personal information necessary for the relevant person or authority to identify the matter sufficiently, to consider it and to apply a judicial order in relation to the matter. 

Some authorisations listed above do not include handling your personal health notes.

Cancellation of a My Health Record

You can cancel your registration for a My Health Record at any time through the “Profile and Settings” part of your My Health Record, or by contacting us. To process your request, we will need to collect some personal information and check it with information held by Services Australia.

Once we cancel your registration, we will permanently delete your My Health Record. We must delete any record containing health information in your My Health Record. We will also delete any copy of the record containing health information in your My Health Record, any previous version of that record and backup version of that record. We will keep some information about you, including:

  • your name and IHI
  • the name and IHI of the person who requested the cancellation, if the request came from someone other than yourself
  • the cancellation date of the registration.

We will only use this information to fulfil our functions as System Operator. For example, if you ask us for confirmation that your My Health Record has been cancelled, we will use this information to respond to your enquiry.

If you have a My Health Record at the time of your death, the following will occur:

  • we will retain all documents in your My Health Record for a period of 30 years after your death or, if we do not know the date of death, a period of 130 years after your date of birth
  • healthcare providers will not be able to upload documents to your My Health Record 
  • your nominated or authorised representatives will not be able to access your My Health Record
  • information kept in your My Health Record may still be accessed by us and our contractors for the purposes of the My Health Record system. We will not use or disclose information in that My Health Record unless required or authorised by law.

Healthcare providers

Responsible officers and organisation maintenance officers

If you are a responsible officer or an organisation maintenance officer for a registered healthcare provider organisation, we will collect, use and disclose your personal information for the purposes of the My Health Record system. Find out more about the different healthcare provider roles assigned in the My Health Record system.

Information collected, used and disclosed when using the My Health Record system

If you are an individual healthcare provider, your healthcare provider organisation can authorise you to interact with the My Health Record system on its behalf. This involves your organisation linking your Individual Healthcare Provider Identifier (HPI-I) to the organisation’s Healthcare Provider Identifier (HPI-O).

If you use a clinical information system of a registered healthcare provider organisation, your personal information may automatically be provided to us when you interact with the My Health Record system, for example when you view an individual’s My Health Record. We collect, use and disclose this information for the purposes of the My Health Record system. To find out more about how your personal information is managed by your organisation’s clinical information system, please contact the responsible officer at your healthcare provider organisation.

Individual healthcare providers authorised by their organisation may also access My Health Record information through the view-only National Provider Portal (NPP). To do this you will need to link your Services Australia Provider Digital Access (PRODA) account to the My Health Record system. When you use the NPP we will collect, use and disclose the personal information linked to your PRODA account for the purposes of the My Health Record system.

We also collect, use and disclose your personal information if it’s included in any documents or information that you or another individual healthcare provider has uploaded to a My Health Record. For example, this information may be disclosed to the healthcare recipient, their representatives and other healthcare providers when they access the uploaded document from the My Health Record system.

Personal information from training modules

If you use our training modules to educate yourself about the My Health Record system, you may need to provide personal information including your name, email address and linked healthcare provider organisation details. We collect this information and use it to allow you to use the module at any time and continue your training. We will not disclose this information to anyone else, except as provided for in this policy.

Healthcare Identifiers and personal information 

We may disclose your Healthcare Identifier and personal information and collect and use information about you disclosed to us by the HI Service Operator. This is only for the purposes of the My Health Record system. We may also handle this information to correctly identify you in the Healthcare Provider Directory and to help keep the directory current, subject to the requirements of the Healthcare Identifiers Act.

Overseas disclosure

My Health Record information is stored in Australia. We will not disclose My Health Record information overseas, unless you or your registered healthcare provider organisations access your My Health Record while overseas. 

Storage and security

The protection of your personal information is something we take very seriously, and we are committed to keeping it secure. We take significant precautions to protect personal information from misuse and loss, and from unauthorised access, modification or disclosure.

A range of measures are in place to protect information in the My Health Record system, including:

  • robust multi-tiered technical security controls, which protect the integrity, confidentiality and availability of health information
  • comprehensive monitoring of access to the My Health Record system, to identify and investigate suspicious or inappropriate behaviour
  • strong authentication processes to provide access to authorised users only
  • use of encryption protocols and algorithms that comply with standards set by the Australian Signals Directorate, to ensure that all data is encrypted in transit and at rest
  • certification and accreditation of the My Health Record system to the Protected level, under the Australian Government Information Security Manual
  • regular detailed security assessments, undertaken under the Australian Government InfoSec Registered Assessors Program (IRAP), to maintain accreditation of the system
  • rigorous security assurance processes, including penetration testing, regular threat and risk assessments, and pre-release testing prior to implementation of new system functionality
  • educating our employees, contractors and delegates on their obligations when handling personal information, including compliance with security clearance and authentication requirements
  • a requirement that participants in the My Health Record system such as registered healthcare providers, registered contracted service providers, registered portal operators and registered repository operators must comply with security obligations outlined in the My Health Records Act and the My Health Records Rule 2016 to maintain eligibility for registration
  • provision of an access history in each individual My Health Record, to enable you to monitor access to your record
  • the power to refuse to register an individual or participant in the My Health Record system, or to suspend or cancel their registration, in cases where we are satisfied that they may compromise the security or integrity of the My Health Record system
  • a mandatory data breach reporting framework under section 75 of the My Health Records Act which:
    • requires participants in the My Health Record system to report actual or potential contraventions of the My Health Records Act that have or may have involved them. It also includes occurrences or circumstances that may compromise the security or integrity of the My Health Record system. This includes any unauthorised collection, use or disclosure of health information in a My Health Record, and
    • requires participants in the My Health Record system with these reporting obligations to contain the actual or potential contravention, event or circumstances. This includes evaluating the risks arising from them as soon as practicable after becoming aware of the relevant contravention, event or circumstance.

Website

We will collect your personal information if you provide it when using the My Health Record website. We will use and disclose this information for the purpose for which you provided it. Your first name and the content of your email, and any additional information you choose to provide, may also be used for reporting and feedback purposes.

Website analytics and cookies

The My Health Record website primarily uses Google Analytics to help us continually improve the user experience.

Google Analytics is hosted by a third party. We use Google Analytics to collect data about your interaction with our website. The type of data that we may collect using this tool includes your device’s IP address, type of device and browser used to visit the website, geographic location, search terms and pages visited, as well as date and time when website pages were accessed. 

Google Analytics collects information using cookies. Cookies are small data files transferred onto computers or devices by websites. We use cookies on our website for record-keeping purposes and to enhance the website’s functionalities. The Agency collects other information about user interaction through cookies associated with Google Fonts, New Relic and SolarWinds Pingdom. We use cookie data for the sole purpose of improving your experience when using our website.

Most browsers allow you to choose whether or not to accept cookies. You can find further information on how to manage or disable cookies in common browsers below:

If you disable all cookies in your browser, you may find that certain sections of our website may not work.

Pseudonyms and anonymity

You may be eligible to have a My Health Record under a pseudonym. For information, including to see if you are eligible, please contact us.

If you contact us with a general question, we will not ask for your name unless we need it to adequately handle your question.

In other limited circumstances, we will allow you to interact with us anonymously or using a pseudonym. However, we usually need your name, contact information and enough information about your matter to enable us to fairly and efficiently handle your enquiry, request or complaint.

Access and correction

Under the Privacy Act, you have a right to access the personal information we hold about you. If you cannot find the personal information you are looking for directly through your My Health Record, please contact us for assistance.

You can also view which healthcare provider organisations and nominated or authorised representatives have accessed or updated your My Health Record at any time through your access history. You can find out more about how to view your access history here. If you are concerned about something in your access history, or a notification that you have received, please contact us. We investigate all issues reported to us.

If you consider that the personal information we hold about you is not accurate, complete, or up to date, please contact us as soon as possible for assistance. Find out how incorrect or missing information can be corrected or added in your My Health Record.

Our contact details are at the end of this policy.

Complaints

If you have a complaint in relation to the handling of your personal information, you should first complain to the entity you think is at fault. If you are not satisfied with their response, please contact us, as we may be able to assist. Depending on the circumstances, we may need to refer you to the Office of the Australian Information Commissioner, or a state or territory privacy regulator.

You may complain directly to us if you think we have mishandled your personal information. If you are not satisfied with our response, you may complain to the Office of the Australian Information Commissioner.

Contact details

You can contact us by calling 1800 723 471. Visit our website for other ways to contact us.

Changes to this privacy policy

We review this policy from time to time to keep it up to date. Please review this policy periodically for changes. Any revised policy will be placed on our website.