Skip to main content
MHR Logo

My Health Record

Information for healthcare providers and organisations

Overview

My Health Record is a secure online summary of key patient health information. Healthcare providers can access the system to view and add information.

Healthcare provider benefits

  • provides immediate access to key health information
  • facilitates the validation and verification of clinical information
  • avoid adverse medication events, provides access to allergy information
  • avoids duplication of tests and diagnostic imaging
  • provides immunisation details
  • improves continuity of care, informs end of life care

Patient benefits

  • prompt access to key health information in an emergency
  • secure, convenient access to health information
  • safer, faster more efficient care
  • less need to remember key aspects of their medical history and medications
  • improved management of health information
  • informed self-management of health conditions

What's in a record

Records contain key health information like immunisations, pathology and diagnostic imaging reports, prescription and dispensing information, hospital discharge summaries and more, all in one place.

Views and overviews

A quick, easy way to find information in a patient's record

These documents are system generated and consolidate the information in a person’s record. In an emergency department (ED) setting, they can help clinicians find information quickly.

Immunisation Consolidated View

This view displays details of a patient's immunisations recorded in the Australian Immunisation Register (AIR) and in any shared health summaries or event summaries, in their record.

The view shows immunisation history including date, dose number, brand of administered vaccination and disease/indication. It also provides links to relevant source documents.

Medicare Overview

Medicare information may include:

PBS/RPBS claims information

Prescription information from Pharmaceutical Benefits Scheme (PBS) and Repatriation Schedule of Pharmaceutical Benefits (RPBS).

Australian Organ Donor Register status

The patient’s organ and/or tissue donor decisions are sourced from the Australian Organ Donor Register.

Australian Immunisation Register

Details of patient's immunisations as recorded in the Australian Immunisation Register (AIR).

MBS/DVA claims information

Medicare Benefits Schedule (MBS) and Department of Veterans’ Affairs (DVA) claims information.

Medicines View

This view brings together medicines-related information, including allergies and adverse reactions, from documents held in a patient’s record. Information is gathered from:

  • the patient's most recent (up to 2 years) prescription and dispense records and other PBS claims information
  • the patient's most recent shared health summary and discharge summary
  • available event summaries, specialist letters, e-Referral notes and pharmacist shared medicines list uploaded to the patient's record since their latest shared health summary
  • the patient's personal health summary, which may include any allergies or adverse reactions and other key information

MyMedicare information

If a patient has registered for MyMedicare, their MyMedicare information is included:

  • in the patient’s My Health Record document list for conformant clinical information systems (include Medicare documents in the list)
  • at the top of their My Health Record overview page, in the National Provider Portal or the Healthcare Information Provider Service (HIPS).

Pathology and Diagnostic Imaging Reports Overview

This overview allows healthcare providers to streamline their viewing of pathology and diagnostic imaging reports. These overviews sort available tests within a specific date range or test name in order to display the test results in a single view.

Residential Care Transfer Overview

This is a consolidated view of clinical documents uploaded by aged care residential services, such as reason for transfer, medication chart, and health summary. It includes links to other key documents available in the patient’s My Health Record, including advance care planning information, discharge summaries, shared health summaries and immunisations.

Healthcare provider uploads

Clinical documents uploaded by doctors, pharmacists and other clinicians

Shared health summary

This is a summary of a patient’s health status at a point in time, which can include medical conditions, medicines, allergies and adverse reactions, and immunisations. A shared health summary is created by an individual’s nominated healthcare provider, as defined in the My Health Records Act, with the information extracted from their local clinical information system.

A nominated healthcare provider may be: 

  • a registered medical practitioner
  • a registered nurse
  • an Aboriginal and Torres Strait Islander health practitioner with a Cert IV in Aboriginal and/or Torres Strait Islander Primary Health Care

The nominated healthcare provider is generally the patient's usual healthcare provider who is delivering coordinated and comprehensive care to the patient (for example their regular GP).

Note: an enrolled nurse is not permitted by the My Health Records Act to author/create a shared health summary. An enrolled nurse can create an event summary to share information about a significant clinical event, provided the enrolled nurse is providing healthcare to the patient. 

Examples of when to create a shared health summary include: 

  • when completing a patient health assessment (for example a GP Management Plan, 75+ Assessment, or child health check) 
  • when there are significant changes to a patient’s health status in any of the four key areas: patient’s medical conditions, medicines, allergies/adverse reactions or immunisations

The shared health summary should be created in consultation with the patient. A patient has only one current shared health summary at a time.

View an example

Discharge summaries

Discharge summaries provide the details of the patient's hospital stay and recommendations for care after discharge.

When a discharge summary is created, it is sent directly to the intended recipient, in accordance with current practices. When a hospital is connected to the system, a copy of the discharge summary can also be uploaded to the patient's record.

Prescription and dispense records

Prescription and dispense records contain information about medicines that have been prescribed and dispensed, and details about both the healthcare provider that prescribed or dispensed the medicine/s and the healthcare organisation.

Pathology reports

Pathology reports can be uploaded by registered pathology laboratories.

The reports are immediately available to all members of the patient’s healthcare team, subject to any access controls the patient may have set. Patients will need to wait 7 days before they can view the reports in their record, with some exceptions. The following reports are available as soon as they are uploaded:

  • international normalised ratio (INR) 
  • HbA1c
  • COVID-19
  • respiratory infection tests (such as flu)

Learn more about pathology reports.

See which pathology labs are connected.

Diagnostic imaging reports

Diagnostic imaging reports can be uploaded by registered diagnostic imaging services.

The reports will be immediately available to all members of the patient’s healthcare team, subject to any access controls the patient may have set. Patients will need to wait seven days before being able to view them in their record (with some exceptions). 

Learn more about diagnostic imaging reports.

See which diagnostic imaging services are connected.

Specialist letters

Specialist letters are used by a treating specialist to respond to a referrer (for example a GP) about a referred patient. When a specialist writes back to the referrer, the letter may also be uploaded to the patient's record.

Event summaries

Event summaries capture health information about a significant healthcare event that is relevant to the ongoing care of an individual. It may be used to indicate a clinical intervention, improvement in a condition or that a treatment has been started or completed.

An event summary may contain: 

  • allergies and adverse reactions
  • medicines
  • diagnoses
  • interventions
  • immunisations
  • diagnostic investigations

Event summaries are intended for healthcare providers who are not the patient’s regular provider / nominated healthcare provider. 

They can be created and uploaded by any healthcare provider with a Healthcare Provider Identifier–Individual (HPI-I) who is working at a participating healthcare organisation and involved in the patient’s care with conformant software. 

Examples of when to create an Event Summary include:  

  • Patients visiting an after-hours medical service 
  • Holidaying patients 
  • Patients visiting from another area 
  • Patients receiving an immunisation or flu vaccine. 

Generally, an event summary is used when it is not appropriate for the healthcare provider to create and upload a shared health summary, discharge summary or specialist letter. 

Goals of care

A goals of care document is created by a healthcare provider through a shared decision-making process with the person in their care and family/carer. This is done to capture medical and non-medical goals of care in the context of end-of-life care.

eReferrals

When a healthcare provider creates an eReferral, it will be sent directly to the intended recipient, as per current practices. A copy may also be sent to the patient's record.

Pharmacist shared medicines list

The pharmacist shared medicines list is a list of medicines a person is known to be taking including prescribed, over the counter, and complementary medicines. This document can only be authored by a pharmacist, but can be viewed by other healthcare providers.

Pharmacist shared medicines lists

Aged care transfer information

This may include information such as reason for transfer, residential care medication chart and residential care health summary.

Consumer uploads

Information added by the record holder that they think is important

Personal health summary

Individuals can enter free text information about allergies and adverse reactions as well as current medications, including over the counter or complementary medicines. This will appear as "patient-entered" information in the Medicines Overview. 

Personal health notes

Individuals can enter information to help them keep track of their health and key health events. The system dates each note, which includes an entered title and the entered text. These notes are not visible to healthcare providers.

Advance care planning information

Advance care planning information can be uploaded to a patient's record and can contain their wishes for future health and care. The individual can also enter details of their Advance Care Document Custodian who holds a copy of their advance care planning document. This could be an individual or organisation. 

Emergency contact details

Individuals can list their emergency contacts and healthcare providers can view these via the National Provider Portal (NPP)

Child development information

Parents or guardians can record results of their child's scheduled health checks, development, and other useful information.

Register and set up access

Discover how to establish policies, register your organisation, and access the system via conformant clinical software, the National Provider Portal (NPP) or hospital applications:

Implementing My Health Record in your healthcare organisation

Education and training

Find resources to help you feel confident using the system. Detailed information, software summary sheets, training and support are all available here.

Your area of practice

Access eLearning modules, summary sheets, webinars, resources

Aboriginal and Torres Strait Islander health

Aged care

Allied health

Community pharmacy

eLearning Modules
Clinical software summary sheets

Scroll down to find summary sheets for these and other software products:

  • Aquarius
  • Corum LOTS
  • Dispense Works
  • Fred, Minfos
  • Z Dispense
  • National Provider Portal
Webinar recordings
Resources
On demand training environment
  • Fred Dispense - see "Training simulators" section below.
Training

General practitioners

eLearning Modules
Fact sheets
Clinical software summary sheets

Scroll to the next section to find step-by-step guides to performing tasks within the system, for general practice.

  • Best Practice Premier
  • Communicare
  • Genie
  • MedicalDirector
  • Medtech32
  • Naitonal Provider Portal
  • Zedmed
Videos
Webinar recordings
Training

Also see RACGP Resources about My Health Record.

Hospitals

Nursing and midwifery

Pathology services

Please refer to the software guides used in your laboratory or radiology information systems to learn more about viewing and uploading information to My Health Record in your organisation. 

Staff in the pathology laboratory or diagnostic imaging practice need to be aware of how to action a request to ‘Do not send’. Further information can also be found in the eLearning modules below.  

eLearning Modules

In practice

Training

Diagnostic imaging services

Please refer to the software guides used in your laboratory or radiology information systems to learn more about viewing and uploading information to My Health Record in your organisation. 

Staff in the pathology laboratory or diagnostic imaging practice need to be aware of how to action a request to ‘Do not send’. Further information can also be found in the eLearning modules below.  

eLearning Modules

In practice

Training

Practice management

Specialists

eLearning Modules

Clinical software summary sheets

Scroll down to find summary sheets for these and other software products:

  • Bp VIPnet
  • Clinic to Cloud
  • Genie
  • Gentu
  • Shexie
  • National Provider Portal
Webinar recordings
Training
Further resources

RACP digital health resources

Clinical software summary sheets

Step-by-step guides to performing tasks within the system

Aquarius

Audit4

Best Practice Premier

Bp VIPnet

Communicare

Clinic to Cloud

Corum LOTS

Dispense Works

Fred Dispense

Genie

Gentu

MedicalDirector

Medtech32

Minfos

MMEx

National Provider Portal (NPP)

Shexie

Z Dispense

Zedmed

Training simulators

Self-paced learning with demonstrations and simulators of the system

Healthcare professionals and consumers can now simulate the use of My Health Record functionality in clinical software products.

The simulations have been developed to support demonstration, training, and self-paced learning of the functionality and benefits of the My Health Record system and contains fictional patients and medical information.

To access a simulation, select one of the environments below then enter the following username and case sensitive password to log in:

  • Username: OnDemandTrainingUser
  • Password: TrainMe

General practice

Best PracticeCommunicareGenieMedical DirectorZedmed

Pharmacy

Fred Dispense

Hospitals, Pathology and Diagnostic Imaging

HIPS UI & HIPS Mobile

The simulation environment uses the latest released versions of each clinical information system software.

To demonstrate the use of My Health Record functionality, best endeavours have been made to provide clinically validated data and scenarios that are relevant and demographically diverse for use in the software simulations.

Please note: Test patients and clinical records used in the software simulations are provided for training purposes only.

If you would prefer to attend a CPD accredited training session led by one of our instructors, please register for "On Demand Training" sessions.

Support

The environment is available 24 hours 7 days a week. Support is provided by the Australian Digital Health Agency during business hours only (8am - 5pm (AEST/AEDT), Monday - Friday). For any assistance or enquiries that you may have with the environment, please contact us on [email protected] or phone: 1300 901 001.

Frequently asked questions

Why is my software not listed?

The software simulators are regularly updated as new features become available.

Not all clinical software is conformant to the national digital health specifications and standards. There are necessary steps required to ensure the software integrated to My Health Record is conformant. Software developers that have declared conformance are included in the agency’s Conformance Register.

If you would like to see a particular digital health feature or software product demonstration and it is not included here, please email [email protected].

What My Health Record functionality can be simulated?

My Health Record functionality that can be simulated in the Clinical information systems (Best Practice, Medical Director, Zedmed and Genie)

  • View My Health Record – accessing clinical documents and views
  • Practice creating and uploading a shared health summary document for a patient
  • Practice creating and uploading an event summary document for a patient
  • View My Health Record with access code restrictions in place.

Additional My Health Record functionality that can be simulated in the pharmacy system (Fred Dispense):

  • Upload a dispense record to My Health Record and consent
  • Upload an event summary to My Health Record containing allergies/conditions
  • Adding a new patient and validating IHI to connect to My Health Record
  • Adding a new pharmacist and retrieving /validating a HPI-I
  • Enable pharmacist access to My Health Record within Fred Dispense.

My Health Record functionality that can be simulated in the portals:

Provider Portal

  • Access to My Health Record system without using conformant clinical software

Consumer Portal

  • Access to a child’s My Health Record as an authorised representative
  • Access to clinical documents and Medicare information in My Health Record
  • Adding a personal health summary and a personal health note into My Health Record
  • Management of advance care documents and custodian details for My Health Record
  • Manage document access settings and provider access in My Health Record
  • Manage notification settings and view the list of who has accessed My Health Record
  • Remove Document from my Health Record

What screen resolution do I need?

Recommended screen resolution is 1280x1024.

Some software products mandate minimum display settings. Setting below the recommended settings may impact on users' ability to access the software.

Why can’t I connect?

The following are possible reasons you may not be able to connect.

  • The latest version Firefox/Chrome/Internet Explorer may not be downloaded
  • Port 8443 on the user’s network may be closed. This is used for authentication by VMware Horizon
  • Wrong username/password may have been entered
  • IP address is outside of Australia.

While the Agency will try to notify visitors to this page of any known outages or degradations, this will not always be possible. If the simulation is not performing as expected, please contact the Help Centre.

For further assistance please go to our Contact us page in the healthcare providers section, or call Support during business hours on 1300 901 001.

Privacy and access

Under the My Health Records Act, staff members authorised by a healthcare organisation can access and view a patient’s record for the purpose of providing that patient with healthcare, and provided it is in accordance with any access controls. In addition to clinicians, a healthcare organisation may authorise other staff to access the system as part of their role in healthcare delivery.

Who can access My Health Record in a healthcare organisation?

Subject to any access controls the patient may have set, a registered healthcare provider organisation’s staff can access My Health Record if: 

  • they are providing healthcare or undertaking activities to support the provision of healthcare to the patient, and 
  • the organisation authorises them to do so.

Access to My Health Record is not limited to healthcare professionals, such as medical practitioners or nurses. It may extend to others, such as practice managers, clerical/administrative staff, and receptionists.

A staff member is considered to access My Health Record when they view and/or upload clinical information to a record, including when they manually prepare and upload information and when information is uploaded automatically by their clinical information system. 

The My Health Records Rule 2016 requires registered healthcare provider organisations to:

  • have a My Health Record policy that addresses, among other matters, how staff are trained and authorised to access My Health Record (rule 42), and
  • employ reasonable user account management practices and mechanisms (rule 44).​​​​​

When to access My Health Record

How and when a registered healthcare provider organisation’s staff access My Health Record should be guided by their need for information to support their healthcare provision. Staff are under no legal obligation to access the system with every interaction. However, an organisation may choose to implement a policy around when staff access the system.

An authorised staff member can access a patient’s My Health Record before, during, or post consultation for the purpose of providing healthcare to that patient, as authorised under section 61 of the My Health Records Act 2012.

For example:

  • A GP accesses a new patient’s My Health Record to view their shared health summary before their initial consultation to understand of their health status.
  • A practice receptionist accesses a patient’s My Health Record, prints out their shared health summary, and provides it for review while they wait for a consultation with the GP. The patient reviews the shared health summary, identifies any updates, and raises them with the GP. This action ensures the GP and other healthcare providers involved in the patient’s care, have access to current information to inform their clinical decision-making.
  • Following a consultation, a specialist accesses results of the pathology and diagnostic imaging tests they ordered, to identify what action is needed to support the health of the patient.

If a staff member deliberately accesses an individual’s My Health Record for a purpose other than providing healthcare to that patient, or another purpose authorised by law, penalties could apply, including:

  • civil penalty of up to $469,500 (up to $2,347,500 for bodies corporate), 
  • criminal penalty of five years imprisonment and/or $93,900 (up to $469,500 for bodies corporate). 

Who can author clinical information to upload to My Health Record?

Staff can only author clinical information to upload to My Health Record if: 

This ensures that all clinical information uploaded to the system is of the required quality and standard (i.e., a person with valid clinical expertise has authored them).

 *For example, a GP’s registration by the Medical Board may face suspension pending investigation for professional misconduct; or a dietitian’s professional membership in the Dietitians Association of Australia has lapsed because they haven’t paid their membership fees for more than six months. Staff registered with the Australian Health Practitioner Regulation Agency (Ahpra) will have been assigned an HPI-I through that registration. Those who have not can register for an HPI-I through the Healthcare Identifiers Service, subject to eligibility.

Note: Additional requirements apply to preparing and uploading shared health summaries.

When to upload to My Health Record

When and what a registered healthcare provider organisation uploads to My Health Record should be guided by whether that information benefits other healthcare providers, the patient, and those involved in their shared care, such as any representatives they may have. 

Healthcare provider organisations are under no legal obligation to upload clinical information to My Health Record with every interaction. However, an organisation may impose a policy around when staff upload to the system.

The healthcare provider organisation must comply if a patient requests that information not be uploaded to their My Health Record. If a patient requests this, the healthcare provider organisation should inform the patient that Medicare information relating to the clinical encounter may be visible in their My Health Record, so the patient will have to remove or manage access to that information themselves through the National Consumer Portal. This is particularly relevant where the information may be regarded as sensitive.

Generally, there is no need to obtain a patient’s consent to upload information to their My Health Record. However, ACT, NSW, and Qld have laws that require a patient’s consent to upload specific health information to their My Health Record. These laws are specified by the My Health Records Regulation 2012 and generally prohibit the disclosure of information relating to HIV (ACT, NSW, Qld), notifiable conditions (ACT, Qld), contagious conditions (Qld), environmental health events (Qld), and perinatal history (Qld). This information can only be disclosed with consent.

Staff must ensure they are familiar with the process for preventing an upload of information to My Health Record, should the patient request that it not be uploaded or if there is a State or Territory law requiring consent that and consent has not been obtained.

Access controls

Individuals can decide which of their healthcare provider organisations can view their health information by restricting access to their entire record, or to specific documents within it. Restricted information is not generally visible to healthcare provider organisations unless access has been granted by the individual.

The healthcare recipient can revoke a healthcare provider organisation’s access to restricted information at any time via the Manage Access screen within their My Health Record.

Note: It is important that any access codes provided by the individual (see below) are not retained by the healthcare provider organisation and are destroyed following their use.

Record Access Codes 

Individuals can decide which healthcare provider organisations can view their record by setting a Record Access Code (RAC).  

Where a RAC has been set, the healthcare recipient can choose to share this code with you, so that you can access their record. Once the patient has shared their RAC with you, you will be listed on their provider access list. Healthcare provider organisations that are listed on a patient’s provider access list won’t need the patient’s RAC to continue accessing their record.  

Limited Document Access Codes 

Where an individual has restricted access to specific documents, they can set a  limited document access code (LDAC). The healthcare recipient (or their representative(s)) can choose to provide healthcare provider organisation(s) with the LDAC. Once a healthcare provider enters the LDAC into their clinical information system, or the National Provider Portal, they will be able to access the restricted document(s). Healthcare providers can still view restricted documents in an emergency.

Access history

An individual or their nominated or authorised representative can view a list of access to their record at any time. This is known as the access history.

An individual can also choose to be notified by SMS or email when someone accesses their record or when certain changes are made.

When an individual can choose to be notified:

  • a change is made to the immunisation information in their record
  • a healthcare provider organisation accesses their record for the first time
  • a new myGov account has been linked to their record
  • a new shared health summary is added
  • a nominated representative accesses their record
  • an advance care document is added, removed or reinstated
  • the emergency access function is used by a healthcare provider organisation

Audit trails

The System Operator maintains audit trails of all activity in the My Health Record system. These may be used for the purpose of management or operation of the system, or to support audits and investigations. 

Emergency access

Healthcare providers can access information within the system for the purpose of lessening or preventing a serious threat.

By default, documents in an individual’s record are set to general access for registered healthcare provider organisations. This means a treating healthcare provider can view all documents within an individual’s record, except for information that has been entered in the personal health notes section of the record, and any documents that have been removed or hidden by the healthcare recipient (or their representative(s)).

Healthcare recipients (or their representative(s)) can choose to restrict access to their record (using a record access code) or to restrict access to specific documents (which they can share with selected organisations, using a limited document access code):

  • Where a record access code has been set, a treating healthcare provider will be prompted by their clinical information system, or the My Health Record National Provider Portal, if a record access code is required. When this occurs, the healthcare provider can ask the healthcare recipient to share the record access code.
  • Where a limited document access code has been set, the healthcare recipient (or their representative(s)) can choose to provide the treating healthcare provider with the limited document access code. The healthcare provider will need to enter the limited document access code into their clinical information system, or the My Health Record National Provider Portal, to gain access to the restricted document(s).

There are certain urgent situations, defined in Section 64 of the My Health Records Act, where it may be permissible for treating healthcare providers to access information in a person’s record without entering the relevant access code(s) using a function known as Emergency Access. This is sometimes referred to as a ‘break glass’ function. It is important to understand when this function can lawfully be used.

Appropriate use of emergency access

It is expected that the need to use Emergency Access will be rare, as Emergency Access to a healthcare recipient's record (or a restricted document within it) is only authorised under the My Health Records Act if the healthcare organisation reasonably believes that:

  1. the access is necessary to lessen or prevent a serious threat to an individual’s life, health or safety and the healthcare recipient's consent cannot reasonably be obtained. For example, due to being unconscious; or
  2. the access to the healthcare recipient’s My Heath Record is necessary to lessen or prevent a serious threat to public health or safety. For example, to identify the source of a serious infection and prevent its spread.

In addition, the majority of people have not set any access controls, which means information in their record is not restricted. In most cases, therefore, you will be able to see all available health information, for the purpose of providing healthcare, without needing to use Emergency Access.

When not to use emergency access

The emergency access function is not designed to be used for the following:

  • to view their own record or a family member's record - people can access their own record via myGov or a mobile app
  • to demonstrate how to use the Emergency Access function. Training resources are available for this purpose
  • to check whether any restricted documents exist (except, in accordance with section 64 of the My Health Records Act, where the treating healthcare provider reasonably believes that access is necessary to lessen or prevent a serious threat to the individual’s life, health or safety and it is unreasonable or impracticable to provide consent; or to lessen or prevent a serious threat to public health or safety).
  • when an individual has forgotten the access code they have set (except, in accordance with section 64 of the My Health Records Act, where the treating healthcare provider reasonably believes that access is necessary to lesson or prevent a serious threat to the person’s life, health or safety; or to lessen or prevent a serious threat to public health or safety) – a person can reset their access code by logging into their record, or telephoning the My Health Record Helpline 1800 723 471.

Use of the Emergency Access function that is not authorised by section 64 of the My Health Records Act is subject to civil and/or criminal penalties under the My Health Records Act.

Additional Information

Once granted, emergency access to a record is available for a maximum of five days. When this period ends, the record reverts to the previous settings. If the emergency situation continues beyond the initial five-day period, you will need to request Emergency Access again.

Use of the Emergency Access function is recorded in the access history of the record, which can be viewed by the healthcare recipient and their authorised or nominated representative(s). In addition, healthcare recipients can choose to receive an SMS or email notification each time the Emergency Access function is used to view their record.

With Emergency Access, any access controls that the individual has set will be overridden. This means the treating healthcare provider who uses the Emergency Access function will have full access to the healthcare recipient’s record, except for information that has been entered in the personal health notes section of the record, and any documents that healthcare recipient (or its authorised representative(s) has previously removed or hidden.

Notification provisions under section 75 of the Act

It is important to note that registered healthcare provider organisations are subject to reporting obligations under section 75 of the My Health Records Act. Consequently, unauthorised use of the Emergency Access function may be reportable to the Office of the Australian Information Commissioner (OAIC) and the Agency (as System Operator).

Note

This information is general in nature, and you should obtain your own professional legal advice relevant to your circumstances.

More information

You can find out more about the My Health Record Emergency Access function by listening to the Emergency Access Podcast.

In addition, from the OAIC provides a number of resources, including:

Penalties

There are significant fines and penalties for inappropriate or unauthorised use of information. 

Actions subject to penalties include, for example:  

  • unauthorised collection, use or disclosure of health information in a record 
  • use of health information in a record for prohibited purposes 
  • unauthorised use or disclosure of healthcare identifiers or other information obtained for the purposes of the Healthcare Identifiers Service 
  • failure to give written notice within 14 days if the healthcare provider or organisation ceases to be eligible to be registered - please notify the Agency if you or your organisation ceases to be registered
  • failure to notify an actual or potential data breach in which the healthcare provider or organisation were directly involved 
  • holding, taking, processing or handling, records held for the purposes of the system outside Australia, or causing someone else to do so

System security

Security is a key design element of the system, which adheres to Australian Government security requirements.

System security

The system is managed in line with the Australian Government Protective Security Policy Framework. Data is stored in Australia, and is protected by high grade security protocols to detect and mitigate against external threats. The system is tested frequently to ensure these mechanisms are robust and working as designed.

Design features include many safeguards to protect the information stored within the system, including audit trails, technology and data management controls, as well as appropriate security measures to minimise the likelihood of unauthorised access to information in a patient’s record. In addition to these measures, the My Health Record system is protected by legislation which governs the way the system is accessed, managed and used.

In addition, healthcare providers have obligations to protect personal and health information. 

Information security advice for your business

Your business is responsible for ensuring that the systems you use to access the system are secure. Find five simple steps to protect health, personal and financial information in the guide: Information Security for small healthcare businesses

The Australian Government strongly encourages individuals, business and organisations to take steps to ensure they provide safe and secure digital health services. For online security advice and tips visit the Australian Cyber Security Centre.

Participation obligations

Healthcare provider organisations participating in the system are required to understand and comply with a range of legislative obligations, including the legislation listed at the top of this page.

These obligations include:

  • Prior to registration, establishing a security and access policy
  • Once registered, complying with a range of ongoing participation obligations.

Participation obligations

Incident management

Clinical incidents

All healthcare systems, including the My Health Record system and other digital health products, require careful monitoring to ensure that potential clinical incidents are identified and addressed.

How to manage clinical incidents

Data breaches

Healthcare provider organisations must notify the Australian Digital Health Agency of any potential or actual data breaches that relate to (or may relate to) the My Health Record system. 

How to manage data breaches

Help your patients to register

Most people in Australia already have a My Health Record. However, if you have a patient who would like assistance with registering for the first time, your organisation may be able to assist them to register for a My Health Record.

Help your patients to register

Resources

Webinars for healthcare providers

Webinars for healthcare providers

Statistics

Statistics

Frequently asked questions

Frequently asked questions