Start of content

This page contains answers to frequently asked questions about My Health Record. Check back for regular updates.

What are the extended dates for the opt-out period? 

On 10 August 2018, Health Minister Greg Hunt announced that the opt-out period would be extended until 15 November 2018.

This is to ensure all Australians have an opportunity to make an informed decision as the government strengthens the 2012 My Health Record legislation.

What does the Minister for Health’s announcement about legislation changes mean for me?

The Minister has announced that the government will change the My Health Record legislation to:

  1. Require by law that a court order is required to access a person’s My Health Record – in practice this was already the policy of the System Operator, and no record has ever been released in the past and no government agencies other than the System Operator have access to the system.
  2. Permit the complete deletion of a person's My Health Record if they choose to cancel it – under the current law, the Agency cancels a record and archives the record for 30 years after the death of the record holder. Under this practice only the System Operator can access this archive and it is not visible to any healthcare providers or the individual.

Access to My Health Record

What is Section 98 of the My Health Records Act 2012

Section 98 of the My Health Records Act 2012 is a very common statutory provision in the vast majority of Commonwealth and State and Territory legislation.

It allows the Australian Digital Health Agency, who is the System Operator of the My Health Record, to delegate some of its functions and or powers for the efficient, secure and effective administration of the My Health Record system.

This delegation is used for administrative and procedural matters - for example, to enable the Department of Health to provide education on the My Health Record system. This does not and cannot provide access to individuals’ personal records or any other health information in My Health Record.

The Agency’s number one priority is to protect the privacy and security of health information in the My Health Record system.

The Federal Minister for Health has made it clear that the legislation will be amended to reflect the current Australian Digital Health Agency operating policy which is that My Health Record information cannot be released to police or government agencies (such as the Australian Tax Office or Border Force) without a court  order.

Can anyone access my health information?

The My Health Record System was designed at its core to have the highest level of security and privacy to protect your health information.

Only registered healthcare providers involved in your care and who are registered with the My Health Record System Operator are allowed by law to access to My Health Records.

My Health Record data cannot be accessed by insurance companies and patients’ data cannot be sold.

How will I know my record has been accessed?

The Agency Monitors your health record around the clock to protect you records security and privacy.

There are steps you can also take to apply additional privacy and security controls to your record.

You can also see which healthcare provider organisation has accessed your record in the access log in your My Health Record. This allows you to have complete visibility of who is accessing your record.

You, as the record owner, can set up automatic notifications to receive an email or SMS alert when a new healthcare organisation accesses your My Health Record for the first time, or in an emergency

You can also apply a record access code to your entire My Health Record so that only those healthcare providers with that code are able to access your record.

Who can access my private health information?

There are thousands of registered organisations who can access My Health Record. However, only healthcare provider organisations involved in your care, who are registered with the My Health Record System Operator are allowed by law to access your My Health Record.

This may include healthcare providers such as GPs, pharmacies, pathology labs, hospitals, specialists, and allied health professionals. Organisations require compliant software to access the My Health Record system.

You can allow others, such as a partner, child, parent or carer to access your Record by making them an authorised representative, or a nominated representative.

No government departments can directly access the My Health Record system.

The Australian Digital Health Agency will only consider a request from a law enforcement agency to access a My Health Record where there is a requirement by law, such as a court order or other enforceable legal instrument.

Every time your My Health Record is accessed, it is recorded in an audit log which you can view by logging into your My Health Record. The System Operator cyber security team constantly monitors system access. There are strict penalties for unlawful access.

If you have concerns about who has accessed your My Health Record, contact us immediately on 1800 723 471.

How do healthcare providers get access to the My Health Record system?

For a healthcare provider, such as a doctor or pharmacist to gain access to the My Health Record system they must:

  • be a registered health care professional with a national registration board, such as AHPRA
  • have registered with the My Health Record System Operator
  • Work for an organisation which is a registered with the My Health Record System Operator
  • Use conformant software containing an authenticated digital certificate.

To upload any information to your My Health Record, your healthcare provider must use compliant clinical software.

If the healthcare provider downloads a patient’s information to their clinical information system, this is subject to the Australian privacy, security and jurisdictional laws that currently govern the healthcare system in Australia.

Will everyone in my doctor’s office know my private health information, including the medical receptionist?

Administration staff within your doctor’s office must be authorised by the medical practice to access the My Health Record system for the purposes of providing healthcare to you.

In the current health system, paper and digital records about you may be held in various health locations. There is no way you can currently track who has viewed, photocopied, faxed, shared or filed your medical information.

The addition of My Health Record to your doctor’s practice and process of care does not change the privacy and confidentiality obligations that practice staff are already subject to under Australian law.

If you have concerns about who has accessed your My Health Record, contact us immediately on 1800 723 471.

Past and sensitive clinical information

Will my past medical history be added into my record?

Your previous medical history such as older tests and medical reports will not be available within your new My Health Record.

Medicare data can be added to your record.

This includes:

  • Medicare and Pharmaceutical Benefits Scheme (PBS) information stored by the Department of Human Services
  • Medicare and Repatriation Schedule of Pharmaceutical Benefits (RPBS) information stored by the Department of Veterans’ Affairs
  • organ donation decisions
  • immunisations that are included in the Australian Immunisation Register

You can ask your doctor to add a shared health summary to summarise your medical history, or add your own personal health summary.

You can log into your record at any time to change your settings, see who has accessed your record, hide documents, remove Medicare or PBS data or add emergency contacts and any allergies you may have.

Will my doctor be able to find out about past or current medical issues that I consider sensitive?

It’s your choice what information is in your My Health Record, and who you share it with.

You can advise your doctor not to upload any information about sensitive clinical conditions. You can also choose to hide, or restrict access to clinical documents by logging into your My Health Record and setting privacy controls.

Your medical history, such as older tests and scan reports, will not be automatically uploaded to your My Health Record. 

I’ve seen a new tick box on pathology reports that says "Do not send to My Health Record". Are records uploaded by default and you must withdraw consent? Who sets whether it is opt out or opt in to each upload?

The ‘Do not send to My Health Record’ tick box on the new pathology form is an opportunity for the patient and their GP to discuss if they would like their results uploaded to their record (if they have one) before the patient takes the test.

For people who don’t want a report added to their My Health Record, providers can tick the ‘do not send to My Health Record’ box on the request form. People can also instruct their doctor or the pathology or diagnostic imaging service not to upload the report.

In addition, individuals can set document access controls within their My Health Record, and remove pathology and diagnostic imaging reports from their record.

In some circumstances, certain pathology reports may not appear in an individual’s My Health Record, even if they have not withdrawn consent for upload, in accordance with legislation. For example, reports may not be uploaded on a person’s AIDS or HIV status if there are disclosure restrictions set by state or territory legislation.

Are genetic / DNA reports uploaded to My Health Record?

  • There are a number of genetic tests used by clinicians every day to provide health care.
  • Conditions like cystic fibrosis, types of anaemia and iron storage disorders have been diagnosed in general practice with genetic tests for many years.
  • Doctors also depend on genetic testing to routinely screen for neural tube and other issues in early pregnancy as a standard practice for all Australian women as part of routine antenatal care. Genetic screening plays an important role in the early diagnosis and screening for cancers like breast cancer and ovarian cancer, and plays a vital role in tailoring specific treatments for people with many different types of cancers.’
  • These tests are vital in ensuring the best and most appropriate treatment by your healthcare team.
  • My Health Record cannot store Genomic or Genetic Data, but it can support the uploading of reports so that your authorised healthcare providers and you can view them.
  • In an emergency, clinicians knowing about your healthcare conditions is important information that could be lifesaving.
  • My Health Record is a secure patient-controlled electronic health summary record. Only health care providers involved in your care can access the system.
  • Like any other pathology test, you can ask your doctor at any time for a specific test not to be uploaded into your My Health Record.
  • You can also remove a document from your record or apply a Limited Document Access Code restricting access to that document for only those who you give the code to.
  • Ultimately, the choice is yours if you want a genetic test report uploaded into your My Health Record. It’s best to speak with your doctor to decide what’s best for your individual care needs.

Cybersecurity

Can My Health Record easily be hacked?

The My Health Record system has the highest level of security and meets the strictest cyber security standards. It has robust multi-tiered security controls to protect the system from malicious attack.

The system has been built and tested to Australian Government standards to protect the confidentiality, integrity, and availability of information within an individual’s My Health Record.

The Australian Digital Health Agency actively monitors and respond to threats and risks within the cyber security environment, and have a program of continuous improvement using the internationally recognised management framework, Information Technology Infrastructure Library (ITIL).

The System is monitored around the clock by the Australian Digital Health Agency Cyber Security Centre and has been tested by the Defence Departments Australian Signals Directorate.

If a person deliberately accessed an individual’s My Health Record without authorisation, criminal penalties may apply. These may include up to two years in jail and up to $126,000 in fines.

Will my records be available on the open internet? (for example, via Google search)

My Health Record cannot be accessed on the open internet. Healthcare provider organisations must be authorised to connect to the system and use conformant clinical information software.

Who can access a My Health Record?

Will the police, Centrelink and ATO have access to my medical records?

As System Operator of the My Health Record system the Agency takes its role as custodian of Australian’s health information seriously.  Protecting the integrity of the My Health Record system and maintaining public confidence and trust in the system is paramount. 

We consider any formal request on a case by case basis. However, our operating policy is to release information only where we are legally compelled to do so, including in the instance of receiving a court order.

The Agency would not permit access to a My Health Record in a scenario where a request to access the My Health Record system was for protecting public revenue.

Can my employers access a My Health Record?

Employers cannot access a My Health Record and would need to apply to the Agency for such access.

The Agency will not approve the release of an individual's personal or health information to a third party except where it is related to the provision of healthcare or is otherwise authorised or required by law. 

The Agency does not consider that an employment check is healthcare and therefore use of the My Health Record would not be permitted.

Can insurance companies and other third parties access my data? Can it be sold on?

My Health Record data cannot be accessed by insurance companies and your data cannot be sold. 

The use of My Health Record data solely for commercial and non-health related purposes is not permitted.

Some secondary uses of My Health Record system data may be possible for research and public health purposes from 2020. Learn more about this here.

You can choose not to have your data used for secondary use purposes by selecting the ‘withdraw participation’ function in your record.  

Children and My Health Record

How do parents currently decide whether to register newborns for a My Health Record

Currently, parents can choose whether to register a child for My Health Record as part of the Newborn Child Declaration form in the Parent Pack. This allows parents to manage and view their child’s record on their behalf. Find out more.

How can parents decide whether they want their children to have a My Health Record after the opt-out period?  

After the opt-out period, parents of newborn children can opt out of My Health Record for their child as part of their Medicare registration.

How do I opt out my child?

If you have parental responsibility for children under the age of 18, and they are listed on your Medicare card, you can opt out of My Health Record on their behalf online. Find out more

Why do I already have a My Health Record? I don’t remember signing up for one

5.9 million Australians currently have a My Health Record. Most people have registered themselves or their children for a My Health Record in one of the following ways:

  • via a myGov account
  • Medicare enrolment form (for a newborn)
  • at a Medicare Service Centre
  • by calling the Help line on 1800 723 471
  • you were a resident in a participation trial area in 2016.

If you already have a My Health Record, and decide you don’t want one anymore, you can cancel it at any time.

Find out more about why you may already have a record.

Cancel a My Health Record

How can I cancel a My Health Record?

If you already have a My Health Record, and decide you don’t want one anymore, you can cancel it at any time. Follow the instructions here to cancel your record

You can also contact the Help line on 1800 723 471 for assistance to cancel a record. Please check wait times here before you call us.

If I get a My Health Record and then cancel it, will my record be viewable?

When you cancel a record, your data can no longer be accessed by your healthcare providers, or by you.

For medico-legal reasons, the System Operator is required to retain cancelled records for a period of time as outlined in the My Health Records Act 2012.

I have cancelled my record, but now I want it deleted. Can you do this?

The government’s decision will need to be enacted into legislation. The System Operator will implement this decision once legislated. Until this time, if you have a My Health Record you can cancel it. If you do not have a My Health Record, and don’t want one, you can opt out.

Under the current law, the Agency cancels a record and archives the record for 30 years after the death of the record holder. Under this practice only the System Operator can access this archive and it is not visible to any health care providers or the individual.

Opting out of My Health Record

Why do I need to provide my personal details to opt out? What do you do with my information?

Basic demographic information including (but not limited to) your name, address, date of birth and Medicare details is needed to ensure the system can identify you, and record your choice to opt out of having a My Health Record created for you at the end of the opt-out period. This information is not used for any other purpose. 

Will I lose access to Medicare services if I opt out?

If you are eligible to get Medicare services, you will continue to get these services, even if you decide to opt out.

Who is the System Operator of the My Health Record system?

The Australian Digital Health Agency (the Agency) is the System Operator of the My Health Record system.