Skip to main content
MHR Logo

My Health Record

Information for healthcare providers and organisations

 

Overview

My Health Record is a secure online summary of key patient health information. Healthcare providers can access the system to view and add information.

Healthcare provider benefits

  • provides immediate access to key health information
  • facilitates the validation and verification of clinical information
  • avoid adverse medication events, provides access to allergy information
  • avoids duplication of tests and diagnostic imaging
  • provides immunisation details
  • improves continuity of care, informs end of life care

Patient benefits

  • prompt access to key health information in an emergency
  • secure, convenient access to health information
  • safer, faster more efficient care
  • less need to remember key aspects of their medical history and medications
  • improved management of health information
  • informed self-management of health conditions

What's in a record

Records contain key health information like immunisations, pathology and diagnostic imaging reports, prescription and dispensing information, hospital discharge summaries and more, all in one place.

Views and overviews

A quick, easy way to find information in a patient's record

These documents are system generated and consolidate the information in a person’s record. In an emergency department (ED) setting, they can help clinicians find information quickly.

Immunisation Consolidated View

This view displays details of a patient's immunisations recorded in the Australian Immunisation Register (AIR) and in any shared health summaries or event summaries, in their record.

The view shows immunisation history including date, disease, and vaccine details, including batch number and vial serial number, dose, source, and a link to the source document.

Medicare Overview

Medicare information may include:

PBS/RPBS claims information

Prescription information from Pharmaceutical Benefits Scheme (PBS) and Repatriation Schedule of Pharmaceutical Benefits (RPBS).

Australian Organ Donor Register status

The patient’s organ and/or tissue donor decisions are sourced from the Australian Organ Donor Register.

Australian Immunisation Register

Details of patient's immunisations as recorded in the Australian Immunisation Register (AIR).

MBS/DVA claims information

Medicare Benefits Schedule (MBS) and Department of Veterans’ Affairs (DVA) claims information.

Medicines Information View

This view brings together medicines-related information, including allergies and adverse reactions, from documents held in a patient’s record. Information is gathered from:

  • the patient's most recent (up to 2 years) prescription and dispense records and other PBS claims information
  • the patient's most recent shared health summary and discharge summary
  • available event summaries, specialist letters, e-Referral notes and pharmacist shared medicines list uploaded to the patient's record since their latest shared health summary
  • the patient's personal health summary, which may include any allergies or adverse reactions and other key information

Pathology and Diagnostic Imaging Reports Overview

This overview allows healthcare providers to get a quick snapshot of a patient's test result history. These overviews show multiple reports within a specific date range on one page.

Healthcare provider uploads

Clinical documents uploaded by doctors, pharmacists and other clinicians

Shared health summary

This is a summary of a patient’s health status at a point in time, which can include medical conditions, medicines, allergies and adverse reactions, and immunisations. A shared health summary is created by an individual’s nominated healthcare provider, as defined in the My Health Records Act, with the information extracted from their local clinical information system.

A nominated healthcare provider may be: 

  • a registered medical practitioner
  • a registered nurse
  • an Aboriginal and Torres Strait Islander health practitioner with a Cert IV in Aboriginal and/or Torres Strait Islander Primary Health Care

The nominated healthcare provider is generally the patient's usual healthcare provider who is delivering coordinated and comprehensive care to the patient (for example their regular GP).

Note: an enrolled nurse is not permitted by the My Health Records Act to author/create a shared health summary. An enrolled nurse can create an event summary to share information about a significant clinical event, provided the enrolled nurse is providing healthcare to the patient. 

Examples of when to create a shared health summary include: 

  • when completing a patient health assessment (for example a GP Management Plan, 75+ Assessment, or child health check) 
  • when there are significant changes to a patient’s health status in any of the four key areas: patient’s medical conditions, medicines, allergies/adverse reactions or immunisations

The shared health summary should be created in consultation with the patient. A patient has only one current shared health summary at a time.

View an example of a shared health summary.

Discharge summaries

Discharge summaries provide the details of the patient's hospital stay and recommendations for care after discharge.

When a discharge summary is created, it is sent directly to the intended recipient, in accordance with current practices. When a hospital is connected to the system, a copy of the discharge summary can also be uploaded to the patient's record.

Prescription and dispense records

Prescription and dispense records contain information about medicines that have been prescribed and dispensed, and details about both the healthcare provider that prescribed or dispensed the medicine/s and the healthcare organisation.

Pathology reports

Pathology reports can be uploaded by registered pathology laboratories.

The reports are immediately available to all members of the patient’s healthcare team, subject to any access controls the patient may have set. Patients will need to wait seven days before being able to view them in their record (with some exceptions).

Learn more about pathology reports.

See which pathology labs are connected.

Diagnostic imaging reports

Diagnostic imaging reports can be uploaded by registered diagnostic imaging services.

The reports will be immediately available to all members of the patient’s healthcare team, subject to any access controls the patient may have set. Patients will need to wait seven days before being able to view them in their record (with some exceptions). 

Learn more about diagnostic imaging reports.

See which diagnostic imaging services are connected.

Specialist letters

Specialist letters are used by a treating specialist to respond to a referrer (for example a GP) about a referred patient. When a specialist writes back to the referrer, the letter may also be uploaded to the patient's record.

Event summary

Event summaries capture key health information about a significant healthcare event that is relevant to the ongoing care of an individual. It may be used to indicate a clinical intervention, improvement in a condition or that a treatment has been started or completed.

An event summary may contain: 

  • allergies and adverse reactions
  • medicines
  • diagnoses
  • interventions
  • immunisations
  • diagnostic investigations

Event summaries are intended for healthcare providers who are not the patient’s regular provider / nominated healthcare provider. 

They can be created and uploaded by any healthcare provider with a Healthcare Provider Identifier–Individual (HPI-I) who is working at a participating healthcare organisation and involved in the patient’s care with conformant software. 

Examples of when to create an Event Summary include:  

  • Patients visiting an after-hours medical service 
  • Holidaying patients 
  • Patients visiting from another area 
  • Patients receiving an immunisation or flu vaccine. 

Generally, an event summary is used when it is not appropriate for the healthcare provider to create and upload a shared health summary, discharge summary or specialist letter. 

Goals of Care

A goals of care document is created by a healthcare provider through a shared decision-making process with the person in their care and family/carer. This is done to capture medical and non-medical goals of care in the context of end-of-life care.

eReferrals

When a healthcare provider creates an eReferral, it will be sent directly to the intended recipient, as per current practices. A copy may also be sent to the patient's record.

Pharmacist Shared Medicines List

The Pharmacist Shared Medicines List is a list of medicines a person is known to be taking including prescribed, over the counter, and complementary medicines. This document can only be authored by a pharmacist, but can be viewed by other healthcare providers.

Consumer uploads

Information added by the record holder that they think is important

Personal health summary

Individuals can enter free text information about allergies and adverse reactions as well as current medications, including over the counter or complementary medicines. This will appear as "patient-entered" information in the Medicines Overview. 

Personal health notes

Individuals can enter information to help them keep track of their health and key health events. The system dates each note, which includes an entered title and the entered text. These notes are not visible to healthcare providers.

Advance care planning information

Advance care planning information can be uploaded to a patient's record and can contain their wishes for future health and care. The individual can also enter details of their Advance Care Document Custodian who holds a copy of their advance care planning document. This could be an individual or organisation. 

Emergency contact details

Individuals can list their emergency contacts and healthcare providers can view these via the National Provider Portal (NPP)

Child development information

Parents or guardians can record results of their child's scheduled health checks, development, and other useful information.

Register and set up access

Discover how to establish policies, register your organisation, and access the system via conformant clinical software, the National Provider Portal (NPP) or hospital applications:

Register and set up access

Education and training

Find resources to help you feel confident using the system. Detailed information, software summary sheets, training and support are all available here.

Your area of practice

Access eLearning modules, summary sheets, webinars, resources

Aboriginal and Torres Strait Islander health

Aged care

Allied health

Community pharmacy

eLearning Modules
Clinical software summary sheets

Scroll down to find summary sheets for these and other software products:

  • Aquarius
  • Corum LOTS
  • Dispense Works
  • Fred, Minfos
  • Z Dispense
  • National Provider Portal
Webinar recordings
Resources
On demand training environment
  • Fred Dispense - see "Training simulators" section below.
Training

General practitioners

eLearning Modules
Fact sheets
Clinical software summary sheets

Scroll to the next section to find step-by-step guides to performing tasks within the system, for general practice.

  • Best Practice Premier
  • Communicare
  • Genie
  • MedicalDirector
  • Medtech32
  • Naitonal Provider Portal
  • Zedmed
Videos
Webinar recordings
Training

Also see RACGP Resources about My Health Record.

Hospitals

Nursing and midwifery

Pathology services

Please refer to the software guides used in your laboratory or radiology information systems to learn more about viewing and uploading information to My Health Record in your organisation. 

Staff in the pathology laboratory or diagnostic imaging practice need to be aware of how to action a request to ‘Do not send’. Further information can also be found in the eLearning modules below.  

eLearning Modules

In practice

Training

Diagnostic imaging services

Please refer to the software guides used in your laboratory or radiology information systems to learn more about viewing and uploading information to My Health Record in your organisation. 

Staff in the pathology laboratory or diagnostic imaging practice need to be aware of how to action a request to ‘Do not send’. Further information can also be found in the eLearning modules below.  

eLearning Modules

In practice

Training

Practice management

Specialists

eLearning Modules

Clinical software summary sheets

Scroll down to find summary sheets for these and other software products:

  • Bp VIPnet
  • Genie
  • Gentu
  • Shexie
  • National Provider Portal
Webinar recordings
Training
Further resources

RACP digital health resources

Clinical software summary sheets

Step-by-step guides to performing tasks within the system

Aquarius

Audit4

Best Practice Premier

Bp VIPnet

Communicare

Corum LOTS

Dispense Works

Fred Dispense

Genie

Gentu

MedicalDirector

Medtech32

Minfos

MMEx

National Provider Portal (NPP)

Shexie

Z Dispense

Zedmed

Training simulators

Self-paced learning with demonstrations and simulators of the system

Healthcare professionals and consumers can now simulate the use of My Health Record functionality in clinical software products and the National Consumer and Provider Portals. 

The simulations have been developed to support demonstration, training, and self-paced learning of the functionality and benefits of the My Health Record system and contains fictional patients and medical information.

To access a simulation, select one of the environments below then enter the following username and case sensitive password to log in:

  • Username: OnDemandTrainingUser
  • Password: TrainMe

General practice

Best PracticeCommunicareGenieMedical DirectorZedmed

Pharmacy

Fred Dispense

Portals

Consumer PortalProvider PortalHospitals (HIPS UI)

The simulation environment uses the latest released versions of each Clinical Information System software.

To demonstrate the use of My health record functionality, best endeavours have been made to provide clinically validated data and scenarios that are relevant and demographically diverse for use in the software simulations.

Please note: Test patients and clinical records used in the software simulations are provided for training purposes only.

If you would prefer to attend a CPD accredited training session led by one of our instructors, please register for any of the "On Demand Training" session - click here to sign up.

Support

The environment is available 24 hours 7 days a week. Support is provided by the Australian Digital Health Agency during business hours only (8am - 5pm (AEST/AEDT), Monday - Friday). For any assistance or enquiries that you may have with the environment, please contact us on [email protected] or phone: 1300 901 001.

Frequently asked questions

1 – Why is my software not listed?

The software simulators are regularly updated as new features become available.  

Not all clinical software is conformant to the national digital health specifications and standards. There are necessary steps required to ensure the software integrated to My Health Record is conformant. Software developers that have declared conformance are included in the agency’s Conformance Register.

If you would like to see a particular digital health feature or software product demonstration and it is not included here, please email [email protected].

2 – What My Health Record functionality can be simulated?

My Health Record functionality that can be simulated in the Clinical information systems (Best Practice, Medical Director, Zedmed and Genie)

  • View My health Record – Accessing Clinical documents and Views
  • Practice creating and uploading a Shared Health Summery document for a patient
  • Practice creating and uploading an Event Summary document for a patient
  • View My health record with Access Code restrictions in place.

Additional My Health Record functionality that can be simulated in the pharmacy system (Fred Dispense)

  • Uploading a Dispense Record to My Health Record and Consent
  • Upload an Event Summary to My Health Record containing Allergies/ Conditions
  • Adding a new patient and validating IHI to connect to My Health Record
  • Adding a new Pharmacist and retrieving /validating a HPI-I
  • Enabling Pharmacist access to the My Health Record within Fred Dispense.

My Health Record functionality that can be simulated in the Portals

Provider Portal 

  • Access to the My Health Record system without using conformant clinical software

Consumer Portal

  • Access to a child’s My Health record as an authorised representative
  • Access to clinical documents and Medicare information in the My Health record
  • Adding a personal health summary and a personal health note into the My Health Record
  • Management of advance care documents and custodian details for the My Health Record
  • Manage document access settings and provider access in the My Health Record
  • Manage notification settings and viewing the list of Who has accessed the My Health Record
  • Remove a Document from my Health Record

3 – What screen resolution do I need?

Recommended screen resolution is 1280x1024.

Some software products mandate minimum display settings. Setting below the recommended settings may impact on users' ability to access the software.

4 – Why can’t I connect?

The following are possible reasons you may not be able to connect.

  • The latest version Firefox/Chrome/Internet Explorer may not be downloaded
  • Port 8443 on the user’s network may be closed. This is used for authentication by VMware Horizon
  • Wrong username/password may have been entered
  • IP address is outside of Australia.

While the Agency will try to notify visitors to this page of any known outages or degradations, this will not always be possible. If the simulation is not performing as expected, please contact the Help Centre.

For further assistance please go to our Contact for healthcare professionals page, or call Support during business hours on 1300 901 001.

Privacy and access

Under the My Health Records Act, staff members authorised by a healthcare organisation can access and view a patient’s record for the purpose of providing healthcare, and provided it is in accordance with any access controls. In addition to clinicians, a healthcare organisation may authorise other staff to access the system as part of their role in healthcare delivery.

When you can view and upload information

Healthcare providers and staff members can only access an individual’s record if:

  • they are authorised by the healthcare provider organisation to access the system, and 
  • they are providing healthcare to the individual or supporting the provision of healthcare to the individual, and 
  • the access is in accordance with any access controls the individual may have set.

The Privacy Act applies to all healthcare providers in the private sector throughout Australia. It does not apply to state and territory public sector healthcare providers. In most parts of Australia, state and territory legislation applies to public healthcare providers. In some states and territories, this legislation also applies to healthcare providers in the private sector, in addition to the Privacy Act. Additional information is available on the privacy for health service providers page of the Office of the Australian Information Commissioner (OAIC) website.

Authority to upload information to a My Health Record

Under the My Health Records Act, healthcare provider organisations are authorised to upload information to the system. This means that, subject to the situations described below, there is no requirement for a healthcare provider to obtain consent prior to uploading clinical information. There is also no requirement for a healthcare consumer to review clinical information prior to it being uploaded. 

It may be considered good clinical practice to advise a patient that you will be uploading information to their record, particularly if this information might be considered sensitive. This approach is recommended by the Australian Medical Association in its guide to using the My Health Record system (section 4.5). 

Situations where documents should not be uploaded

If a consumer specifically asks a healthcare provider organisation not to upload particular documents or information to their My Health Record, the healthcare provider organisation must comply with the person’s request. This is a condition of your organisation’s registration with the My Health Record system.

You can advise the patient about the potential risks of excluding information from their My Health Record and explain the benefits of ensuring all information is included. However, you must comply with their final decision, and not upload the information, if this is requested.

The My Health Records Act recognises that under some state and territory laws consent must be given expressly, or in a particular way, before information related to specific areas of health is disclosed.

The state and territory laws which have specific consent requirements regarding the disclosure of health information are listed in clause 3.1.1 of the My Health Records Regulation.

There are none in Western Australia, Tasmania, Northern Territory, South Australia and Victoria; there are some in the Australian Capital Territory, New South Wales and Queensland. Healthcare provider organisations in ACT, NSW and Queensland may need to obtain consent in a particular manner from the consumer or identified third party before uploading information to My Health Record, depending on the type of health information it is. 

If a state or territory law is listed in this clause, then the consent requirements of those laws overrule the provisions of the My Health Records Act.

Our clinical software summary sheets (above) have instructions on how to prevent an upload from your clinical software.

Viewing a record

Any person who is authorised by a healthcare organisation can access and view an individual’s record, for the purpose of providing healthcare services. In addition to clinicians, a healthcare organisation may authorise other staff to access the system as part of their role in healthcare delivery. 

Healthcare providers are also authorised to:

  • disclose the health information to the individual, or their authorised or nominated representative
  • collect, use or disclose the health information for any purpose with the consent of the individual
  • collect, use or disclose the health information for purposes relating to the provision of indemnity cover for a health care provider.

Healthcare provider organisations can access and view information in a record during a consultation. They could also access the record without the individual being present, provided that access is for the purpose of providing healthcare to the individual. For example, a specialist may choose to review clinical documents in an individual's record prior to a consultation.

By default, documents in the system are set to general access for healthcare providers. This means you can view all documents within an individual’s record, except for information that has been entered in the consumer-only notes section of the record, and any documents that the person has previously removed. Healthcare consumers can choose to add additional access controls to their record to restrict access to specific documents (using a limited document access code), or to their whole record (using a record access code). A provider will be prompted by their clinical software if an access code is required.

In certain circumstances, healthcare provider organisations can access information in a record using the emergency access function, which overrides consumer access controls. It's important to note, all use of the emergency access function is monitored.

Notifying a pathology and diagnostic imaging provider when a report should 'Not be uploaded to My Health Record'

If you do not want the reports uploaded, or the patient requests that they do not want their reports to be uploaded to their record, you should notify the diagnostics imaging provider by: 

  • checking the 'Do not send reports to My Health Record' check box in your practice management software, or 

  • checking the 'Do not send reports to My Health Record' check box on the paper referral form, or 

  • writing 'Do not send reports to My Health Record' on the request form. 

Find out which clinical information systems have been updated to support communication of 'Do not send reports to My Health Record'.

Access controls

Individuals can decide which of their healthcare provider organisations can view their health information by restricting access to their entire record, or to specific documents within it. 

Limiting access to a My Health Record 

Patients can decide which healthcare provider organisations can view or update their record by setting a Record Access Code (RAC).  

Where a RAC has been set, the healthcare recipient can choose to share this code with you, so that you can access their record. Once the patient has shared their RAC with you, you will be listed on their provider access list. Healthcare provider organisations that are listed on a patient’s provider access list won’t need the patient’s RAC to continue accessing their record.  

Limiting access to specific documents 

Where a limited document access code has been set, the healthcare recipient (or their representative(s)) can choose to provide healthcare provider organisation(s) with the limited document access code. Once a healthcare provider enters the limited document access code into their clinical information system, or the National Provider Portal, they will be able to access to the restricted document(s). Healthcare providers can still view restricted documents in an emergency.

It is important that any access codes provided by the individual are not retained by the healthcare provider organisation and are destroyed following their use. 

Access history

An individual or their nominated or authorised representative can view a list of access to their record at any time. This is known as the access history.

An individual can also choose to be notified by SMS or email when someone accesses their record or when certain changes are made.

When an individual can choose to be notified:

  • a change is made to the immunisation information in their record
  • a healthcare provider organisation accesses their record for the first time
  • a new myGov account has been linked to their record
  • a new shared health summary is added
  • a nominated representative accesses their record
  • an advance care document is added, removed or reinstated
  • the emergency access function is used by a healthcare provider organisation

Audit trails

The System Operator maintains audit trails of all activity in the My Health Record system. These may be used for the purpose of management or operation of the system, or to support audits and investigations. 

Emergency access

Healthcare providers can access information within the system for the purpose of lessening or preventing a serious threat.

By default, documents in an individual’s record are set to general access for registered healthcare provider organisations. This means a treating healthcare provider can view all documents within an individual’s record, except for information that has been entered in the personal health notes section of the record, and any documents that have been removed or hidden by the healthcare recipient (or their representative(s)).

Healthcare recipients (or their representative(s)) can choose to restrict access to their record (using a record access code) or to restrict access to specific documents (which they can share with selected organisations, using a limited document access code):

  • Where a record access code has been set, a treating healthcare provider will be prompted by their clinical information system, or the My Health Record National Provider Portal, if a record access code is required. When this occurs, the healthcare provider can ask the healthcare recipient to share the record access code.
  • Where a limited document access code has been set, the healthcare recipient (or their representative(s)) can choose to provide the treating healthcare provider with the limited document access code. The healthcare provider will need to enter the limited document access code into their clinical information system, or the My Health Record National Provider Portal, to gain access to the restricted document(s).

There are certain urgent situations, defined in Section 64 of the My Health Records Act, where it may be permissible for treating healthcare providers to access information in a person’s record without entering the relevant access code(s) using a function known as Emergency Access. This is sometimes referred to as a ‘break glass’ function. It is important to understand when this function can lawfully be used.

Appropriate use of emergency access

It is expected that the need to use Emergency Access will be rare, as Emergency Access to a healthcare recipient's record (or a restricted document within it) is only authorised under the My Health Records Act if the healthcare organisation reasonably believes that:

  1. the access is necessary to lessen or prevent a serious threat to an individual’s life, health or safety and the healthcare recipient's consent cannot reasonably be obtained. For example, due to being unconscious; or
  2. the access to the healthcare recipient’s My Heath Record is necessary to lessen or prevent a serious threat to public health or safety. For example, to identify the source of a serious infection and prevent its spread.

In addition, the majority of people have not set any access controls, which means information in their record is not restricted. In most cases, therefore, you will be able to see all available health information, for the purpose of providing healthcare, without needing to use Emergency Access.

When not to use emergency access

A person should not use Emergency Access:

  • to view their own record or a family member's record - people can access their own record via myGov or a mobile app
  • to demonstrate how to use the Emergency Access function. Training resources are available for this purpose
  • to check whether any restricted documents exist (except, in accordance with section 64 of the My Health Records Act, where the treating healthcare provider reasonably believes that access is necessary to lessen or prevent a serious threat to the individual’s life, health or safety and it is unreasonable or impracticable to provide consent; or to lessen or prevent a serious threat to public health or safety).
  • when an individual has forgotten the access code they have set (except, in accordance with section 64 of the My Health Records Act, where the treating healthcare provider reasonably believes that access is necessary to lesson or prevent a serious threat to the person’s life, health or safety; or to lessen or prevent a serious threat to public health or safety) – a person can reset their access code by logging into their record, or telephoning the My Health Record Helpline 1800 723 471.

Use of the Emergency Access function that is not authorised by section 64 of the My Health Records Act is subject to civil and/or criminal penalties under the My Health Records Act.

Additional Information

Once granted, emergency access to a record is available for a maximum of five days. When this period ends, the record reverts to the previous settings. If the emergency situation continues beyond the initial five-day period, you will need to request Emergency Access again.

Use of the Emergency Access function is recorded in the access history of the record, which can be viewed by the healthcare recipient and their authorised or nominated representative(s). In addition, healthcare recipients can choose to receive an SMS or email notification each time the Emergency Access function is used to view their record.

With Emergency Access, any access controls that the individual has set will be overridden. This means the treating healthcare provider who uses the Emergency Access function will have full access to the healthcare recipient’s record, except for information that has been entered in the personal health notes section of the record, and any documents that healthcare recipient (or its authorised representative(s) has previously removed or hidden.

Notification provisions under section 75 of the Act

It is important to note that registered healthcare provider organisations are subject to reporting obligations under section 75 of the My Health Records Act. Consequently, unauthorised use of the Emergency Access function may be reportable to the Office of the Australian Information Commissioner (OAIC) and the Agency (as System Operator).

Note

This information is general in nature, and you should obtain your own professional legal advice relevant to your circumstances.

More information

You can find out more about the My Health Record Emergency Access function from the OAIC, including:

Penalties

There are significant fines and penalties for inappropriate or unauthorised use of information. 

Actions subject to penalties include, for example:  

  • unauthorised collection, use or disclosure of health information in a record 
  • use of health information in a record for prohibited purposes 
  • unauthorised use or disclosure of healthcare identifiers or other information obtained for the purposes of the Healthcare Identifiers Service 
  • failure to give written notice within 14 days if the healthcare provider or organisation ceases to be eligible to be registered - please notify the Agency if you or your organisation ceases to be registered
  • failure to notify an actual or potential data breach in which the healthcare provider or organisation were directly involved 
  • holding, taking, processing or handling, records held for the purposes of the system outside Australia, or causing someone else to do so

System security

Security is a key design element of the system, which adheres to Australian Government security requirements.

System security

The system is managed in line with the Australian Government Protective Security Policy Framework. Data is stored in Australia, and is protected by high grade security protocols to detect and mitigate against external threats. The system is tested frequently to ensure these mechanisms are robust and working as designed.

Design features include many safeguards to protect the information stored within the system, including audit trails, technology and data management controls, as well as appropriate security measures to minimise the likelihood of unauthorised access to information in a patient’s record. In addition to these measures, the My Health Record system is protected by legislation which governs the way the system is accessed, managed and used.

In addition, healthcare providers have obligations to protect personal and health information. 

Information security advice for your business

Your business is responsible for ensuring that the systems you use to access the system are secure. Find five simple steps to protect health, personal and financial information in the guide: Information Security for small healthcare businesses

The Australian Government strongly encourages individuals, business and organisations to take steps to ensure they provide safe and secure digital health services. For online security advice and tips visit the Australian Cyber Security Centre.

Participation obligations

Healthcare provider organisations participating in the system are required to understand and comply with a range of legislative obligations, including the legislation listed in the "Legislation" section at the top of this page.

It is important to understand your obligations prior to registering.

Once your organisation has registered to participate in the system there are several ongoing obligations.

Ongoing obligations

At a high level healthcare provider organisations are required to:

  • Provide healthcare services, regardless of whether an individual has a My Health Record or has limited access to information contained in their My Health Record by using access controls. See the section on access controls (above) to understand how they may be applied and the rare circumstance they may be overridden using Emergency Access - see the "Emergency access" section in the "Privacy and access" section above.
  • Take reasonable steps to ensure any information uploaded to the My Health Record system is easily understood, accurate and up-to-date, at the time it is uploaded. It is also important to ensure information is not defamatory or subject to copyright. See the OAIC guidance for additional information on the relevance of the Australian Privacy Principles when using the My Health Record system.
  • Ensure that the details for the organisation’s Responsible Officer and Organisation Maintenance Officer(s) are kept up to date in Provider Digital Access (PRODA).
  • Have a process in place to prevent a clinical document being uploaded to the My Health Record system where an individual has asked that the information is not uploaded.
  • Ensure information being uploaded to the My Health Record system is prepared by individuals that are registered healthcare providers who have a healthcare provider identifier–individual (HPI-I). It is important to conduct regular checks to ensure individual’s using the system on behalf of the organisation have a registration that is not conditional, suspended, cancelled, or lapsed.
  • Train users of the system regarding appropriate collection, use and disclosure My Health Record information. This includes awareness of organisational and individual legislative obligations specific to the My Health Record system, along with the Privacy Act 1988 and any relevant state or territory laws.
  • Ensure that data quality is maintained when information is uploaded to the My Health Record system, and that it complies with the relevant legislative obligations. This includes establishing and maintaining a list of individuals authorised to access the My Health Record system on behalf of your organisation and ensuring they are registered healthcare providers. 
  • Notify the Agency as the System Operator and, where relevant, the Office of the Australian Information Commissioner (OAIC) as soon as practicable after becoming aware of a potential or actual data breach relating to the My Health Record system. See guidance on managing a data breach (see below) and the steps for notifying the relevant parties of a data breach (see below).
  • Ensure that the Agency, as System Operator, is notified within two business days of becoming aware of a non-clinical My Health Record system-related error in a record, or of a material change to your organisation
  • Assist  with any inquiry, audit, review, assessment, investigation, or complaint regarding the My Health Record system.
  • Ensure that a My Health Record Security and Access policy is in place and that the policy is reviewed, at least annually, and copies of each version are retained. See the Security and Access policy checklist - see "STEP 1: Establishing policies" in the "Register and set up access" section above.

    Incident management

    Clinical incidents

    All healthcare systems, including the My Health Record system and other digital health products, require careful monitoring to ensure that potential clinical incidents are identified and addressed.

    How to manage clinical incidents

    Data breaches

    Healthcare provider organisations must notify the Australian Digital Health Agency of any potential or actual data breaches that relate to (or may relate to) the My Health Record system. 

    How to manage data breaches

    Help your patients to register

    Most people in Australia already have a My Health Record. However, if you have a patient who would like assistance with registering for the first time, your organisation may be able to assist them to register for a My Health Record.

    Help your patients to register

    Resources

    Events and webinars

    Events and webinars

    Statistics

    Statistics

    Frequently asked questions

    Frequently asked questions
    Chat