Security, Access & Privacy

Prior to implementing My Health Record, it is a legislative requirement for healthcare provider organisations to have a Security and Access policy to use the system.  

The Office of the Australian Information Commissioner (OAIC) has developed a policy template to provide guidance on meeting this legislative requirement. It is recommended that your practice use this template to assist in documenting your written policy.

• My Health Record system security and access policy template

Patient Consent

The Agency specifies that there is no requirement to obtain consent prior to uploading a patient’s clinical information onto My Health Record. However, the healthcare provider must comply if the patient wishes to omit certain clinical information from being uploaded.  

Emergency Record Access

• This is sometimes referred to as a "break glass"
• Overriding a patient’s My Health Record access controls to obtain key health information is possible in certain emergency situations, when:
  • It is necessary to lessen or prevent a serious threat to an individual’s life, health or safety, and it is unreasonable or impracticable to obtain the healthcare recipient’s consent, or
  • It is necessary to lessen or prevent a serious threat to public health or safety.

For guidance, view the OAIC and My Health FAQs on Emergency Access or visit The Agency’s website.

Penalties for Misuse

Unauthorised use of My Health Record will lead to significant fines and penalties.  

For example, viewing an individual’s My Health Record for  employment or insurance purposes is considered improper use of the system.

For further information, visit The Agency’s website.

Further information

• My Health Record legislation and governance
• My Health Record Privacy and Access
• Reporting a data breach