The My Health Records Act 2012: access, controls and offences

The My Health Records Act 2012 establishes Australia's My Health Record system. Strict access rules, audit logging, and significant criminal penalties apply for unauthorised access.

Rules Mate Editorial, published 1 June 2026

What the Act establishes

The My Health Records Act 2012 creates the My Health Record system. This system facilitates the creation and maintenance of electronic records containing an individual’s health information. Registered healthcare providers and the individual themselves can access these records.

The Australian Digital Health Agency administers the My Health Records Act 2012 and therefore operates the My Health Record system; it is responsible for the system's day-to-day operation and governance.

Individuals are initially included in the My Health Record system automatically. However, the Act provides a mechanism for individuals to choose to not participate, allowing them to opt out of the system.

Healthcare provider obligations

Healthcare provider organisations wishing to access the My Health Record system are required to register. Registration involves nominating specific personnel, including Responsible Officers and Organisation Maintenance Officers.

Access to a My Health Record by a healthcare provider is permitted only for legitimate healthcare-delivery purposes. Any access must also adhere to the individual’s specified access controls.

All access to My Health Records is audit-logged, and individuals have the ability to view who has accessed their record.

Privacy controls for individuals

Individuals have several options to manage the privacy of their My Health Record. They can set access controls, including a Record Access Code (PIN), which limits which healthcare providers can view their record. This provides a means to restrict access to specific professionals.

Furthermore, individuals have the ability to control the content within their record. They can choose to hide specific documents from being viewed by providers and can also request that providers refrain from uploading particular types of information.

Individuals also retain rights regarding the accuracy of their record. They can request access to their My Health Record and request corrections if they believe the information is inaccurate.

Offences and enforcement

Unauthorised access, use or disclosure of My Health Record information constitutes a serious criminal offence. Individuals found guilty of such offences may face a maximum penalty of up to 5 years imprisonment, alongside substantial fines. Bodies corporate (organisations) are subject to even higher penalties for similar breaches.

The Office of the Australian Information Commissioner (OAIC) is responsible for addressing privacy complaints concerning My Health Records. Individuals with concerns about privacy practices related to their record should direct their complaints to the OAIC.

The Australian Digital Health Agency has the authority to take action against healthcare providers who demonstrate serious or repeated breaches of My Health Record protocols. This action may include suspending or cancelling a provider's access to the system.

Frequently asked

Can a healthcare provider access my My Health Record without my consent?

Healthcare provider access is restricted to legitimate healthcare-delivery purposes and must comply with your access controls. You can set a Record Access Code (PIN) limiting which providers can access it, hide specific documents, and review the access log to see who has accessed your record.

What's the penalty for unauthorised access?

Unauthorised access, use or disclosure of My Health Record information is a serious criminal offence carrying up to 5 years imprisonment plus significant fines for individuals, with higher penalties for bodies corporate. The Australian Digital Health Agency can also suspend or cancel provider access.
