Under the My Health Records Act 2012, healthcare provider organisations are authorised to upload information to the My Health Record System, and view information in the system.
Generally, this means that healthcare providers do not need to obtain consent prior to uploading information to a My Health Record when providing services to a healthcare consumer. However, consumers can request that a particular document is not uploaded to their record, and healthcare providers must comply with such requests. Other situations where documents should not be uploaded are discussed below. In addition, consumers can restrict access to or remove information contained in their record.
Authority to upload information to a My Health Record
Under the My Health Records Act 2012, healthcare provider organisations are authorised to upload information to the My Health Record System. This means that, subject to the situations described below, there is no requirement for a healthcare provider to obtain consent on each occasion prior to uploading clinical information. There is also no requirement for a healthcare consumer to review clinical information prior to it being uploaded.
It may be considered good clinical practice to advise a patient that you will be uploading information to their My Health Record, particularly if this information might be considered sensitive. This approach is recommended by the Australian Medical Association in its guide to using the My Health Record system (section 4.5).
Situations where documents should not be uploaded
If a healthcare consumer specifically asks a healthcare provider organisation not to upload particular documents or information to their My Health Record, the healthcare provider organisation must comply with the person’s request. This is a condition of your organisation’s registration with the My Health Record system. You can advise the patient about the potential risks of excluding information from their My Health Record and explain the benefits of ensuring all information is included. However, you must comply with their final decision, and not upload the information, if this is requested.
The My Health Records Act recognises that under some state and territory laws consent must be given expressly, or in a particular way, before information related to specific areas of health is disclosed.
The state and territory laws which have specific consent requirements regarding the disclosure of health information are listed in clause 3.1.1 of the My Health Records Regulation 2012. If a state or territory law is listed in this clause, then the consent requirements of those laws overrule the provisions of the My Health Records Act.
Viewing a My Health Record
Any person who is authorised by a healthcare organisation can access and view an individual’s My Health Record, for the purpose of providing healthcare services. In addition to clinicians, a healthcare organisation may authorise other staff to access the My Health Record system as part of their role in healthcare delivery.
Healthcare providers are also authorised to:
- disclose the health information to the individual, or their authorised or nominated representative
- collect, use or disclose the health information for any purpose with the consent of the individual
- collect, use or disclose the health information for purposes relating to the provision of indemnity cover for a healthcare provider.
Healthcare provider organisations can access and view information in a My Health Record during a consultation. They could also access the record without the individual being present, provided that access is for the purpose of providing healthcare to the individual. For example, a specialist may choose to review clinical documents in an individual's My Health Record prior to a consultation.
By default, documents in My Health Record are set to general access for healthcare providers. This means you can view all documents within an individual’s record, except for information that has been entered in the consumer-only notes section of the record, and any documents that the person has previously removed. Healthcare consumers can choose to add additional access controls to their record to restrict access to specific documents (using a limited document access code), or to their whole record (using a record access code). A provider will be prompted by their clinical software if an access code is required.
In certain emergency circumstances, healthcare provider organisations can access information in a My Health Record using the emergency access function, which overrides consumer access controls. All use of the emergency access function is monitored.
If a healthcare provider accesses an individual’s My Health Record by mistake, they will not be liable for any penalties, provided there has not been a breach of privacy.
Consent and ePrescriptions
If a healthcare consumer requests that specific prescription information is not uploaded to their My Health Record, the dispensing system defaults to applying the same consent decision to the corresponding dispense record. Where a consumer has requested that their prescription record not be sent to the My Health Record system, this prevents the prescription or dispense record from being uploaded. However, these defaults can be overruled by the individual and the dispensing healthcare provider at the point of care.
Consent and Secure Message Delivery
Just as a provider is not required to seek consent to send clinical information via existing point-to-point channels, such as fax, a healthcare provider does not need patient consent to send clinical information using Secure Message Delivery.