On 26 November 2018, the Australian Parliament passed the My Health Records Amendment (Strengthening Privacy) Bill 2018.
The measures allow Australians to opt in or opt out of having a My Health Record at any time during their life. Records will be created for every Australian who wants one after 31 January 2019. After this date, a person can delete their record permanently at any time.
These changes are in response to the Australian community’s calls for even stronger privacy and security protections for people using My Health Record.
These changes are summarised on this page.
Use of My Health Record information by employers and insurers
The Australian Digital Health Agency will not approve the release of an individual's personal or health information to a third party except where it is related to the provision of healthcare or is otherwise authorised or required by law.
The new measures ensure that insurers and employers are prohibited from using information within your My Health Record, or asking you to disclose your information, for insurance or employment purposes.
The primary purpose of My Health Record is to improve your care, and the use of your information for insurance and employment purposes is not healthcare.
Access by law enforcement and government agencies
Under the Agency’s official operating policy, no information within My Health Record can be released without an order from a judicial officer. To date, the Agency has never received such a request and has never released information.
Under these measures, the Agency’s policy will be protected in law and will give Australians the assurance that no information can ever be released without oversight from a judicial officer.
Permanent deletion of a cancelled My Health Record
You will be able to permanently delete a My Health Record at any time, if you decide you would no longer like one. No archived copy or back up will be kept and deleted information won’t be able to be recovered.
A My Health Record that was cancelled in the past (and archived) will also be permanently deleted. If you cancel a record at any time it will be permanently deleted.
Greater privacy for teenagers aged 14 and over
Under these measures, once a teenager turns 14, parents will automatically be removed as authorised representatives.
Increased penalties for misuse of information
Harsher fines and penalties will apply for inappropriate or unauthorised use of information in a My Health Record. Civil fines will increase to a maximum of $315,000, with criminal penalties including up to 5 years’ jail time.
Strengthening protections for victims of domestic and family violence
There are currently safeguards in place to protect victims of domestic and family violence. Under the changes, the Agency will no longer be obliged to notify people of certain decisions if doing so would put another person at risk.
In addition, parents subject to a court order, where they do not have unsupervised access to their child, or who pose a risk to the life, health and safety of the child or another person will no longer be eligible to be an Authorised Representative.
We will continue to work and consult with relevant stakeholders to continually reduce misuse of the My Health Record system.
Government agencies involved in managing the My Health Record system
These changes clarify that our powers as the System Operator of My Health Record can’t be delegated to another entity (e.g. government agency or private organisation) with the exception of the Department of Health and the Chief Executive of Medicare.
We already delegate some of our powers to Medicare so they can efficiently deliver some services on our behalf. For example, Medicare currently:
- Register healthcare providers organisations and other participants so they can access My Health Record
- Verify individuals’ identity prior to opting out
- Send written notifications to people when certain actions are taken, such as when people opt-in to My Health Record.
We have also delegated powers to the Department of Health to provide education on our behalf.
These changes will provide Australians with greater assurances that only government agencies involved in the efficient delivery of My Health Record are involved in managing the system.
Use of My Health Record data for research purposes
The My Health Record system is a valuable source of information on Australia’s health system and the outcomes of care being achieved. This information can guide service planning, policy development and research to further improve the Australian health system.
The principles contained within the Framework to guide the secondary uses of data will become law (within the My Health Record Rules). A Data Governance Board will be established to approve the release of any data in line with these rules.
Lastly, it will also be clarified that insurers cannot access data for any reason.
No commercial use of My Health Record data
The legislation makes clear that the My Health Record system cannot be privatised or used for commercial purposes. Only a government organisation will be able to manage the My Health Record system.