My Health Record

Register and set up access

See how to establish policies, register your organisation, and access the system.

Prior to registration

In order to participate in the system, you must comply with a number of obligations prior to registration. These obligations are outlined below.

Establish a security and access policy

Prior to registering to participate in the My Health Record system, your organisation will need to have a Security and Access policy in place.

You will also need to assign a responsible officer and an organisation maintenance officer to act as the system administrators and key contacts for your organisation in relation to participation in the My Health Record system.

To learn more about this requirement, the Agency has developed a Security and Access policy checklist - see STEP 1 below.

Healthcare Identifier

To be eligible to register to participate in the system, your organisation will need to obtain a Healthcare Identifier. Use of Healthcare Identifiers is governed by the Healthcare Identifiers Act. The HI Act requires that an organisation take reasonable steps to protect healthcare identifiers from misuse and loss, and unauthorised access, modification or disclosure. 

For additional guidance, see the section on registering with the Healthcare Identifiers (HI) Service and the My Health Record system under STEP 2 below.

List of authorised individuals

In order to participate in the system, you will need to establish and maintain an up-to-date list of individuals authorised to access the system on your behalf. 

STEP 1: Establish policies

Healthcare organisations must operate in accordance with relevant policies and legislation when participating in the system. They must establish, review, update, maintain, enforce and promote policies that ensure the system is used safely and responsibly by staff.

Prior to registering to participate in the system, your organisation will need to have a Security and Access policy in place. See the healthcare provider organisation obligations in the Prior to registration section (above) for details.

You will also need to assign a responsible officer and an organisation maintenance officer to act as the system administrators and key contacts for your organisation in relation to participation in the system.

    Policy requirements checklist

    To learn more about this requirement, the Agency has developed a security and access policy checklist.

    The checklist is a guide only, and should be assessed against the needs and risks that may apply to your organisation.

    Healthcare provider organisations need to ensure the policy includes and addresses the topics outlined in Rule 42 of the My Health Records Rule as outlined below. 

    1. Healthcare provider organisation policies
    • A written My Health Record Security and Access policy is in place prior to the healthcare provider organisation registering to participate in the system, and the policy is maintained on an ongoing basis. 
    • The policy is communicated and remains accessible to all employees.
    • The policy is communicated with any healthcare providers to whom the organisation supplies services under contract, and remains accessible to these providers. For example, a healthcare provider organisation that supplies information technology services to individual healthcare providers to enable them to access the system, must communicate the policy to these providers. 
    • The policy is enforced in relation to all employees and any healthcare providers to whom the organisation supplies services under contract. 
    2. Manner of authorising and process for suspending and deactivating user accounts
    • The policy details the manner of authorising persons accessing the system via or on behalf of the healthcare provider organisation.
    • The policy outlines the ways a user account is suspended and/or deactivated in the following circumstances:
      • A user leaves the organisation
      • A user’s security is compromised
      • A user has changed duties and no longer requires access to the system
    3. Training for authorised users, before they access the system
    • The policy includes a requirement that, before a user is authorised to access the system, they receive training covering:
      • How to use the system accurately and responsibly 
      • Legal obligations of the healthcare provider organisation and people who access the system on behalf of the organisation 
      • Consequences of breaching those obligations 
    • The Agency is planning to publish a recommended training checklist and declaration form that may support your organisation in meeting this legislative requirement.
    • It is recommended that organisations maintain a register of staff training.
    4. Process for identifying the individual who accesses a person’s record (on each occasion)
    • The policy outlines the process for identifying a person who requests access to a healthcare recipient’s record and communicating the person’s identity to the My Health Record System Operator (Australian Digital Health Agency).
    • Generally, this would occur via the My Health Record National Provider Portal, or clinical information systems, where:
      • the clinical software is used to assign and record unique internal staff member identification codes, including a Healthcare Provider Identifier-Individual (HPI-I); and
      • the unique identification code, or the provider’s HPI-I, is recorded by the clinical software and automatically provided to the System Operator for each instance of system access.

    Note: See the legislative obligations for communicating to the System Operator under Section 74 of the My Health Records Act.

    5. Physical and Information Security Measures, including user account management processes
    • The policy details the physical and information security measures that are in place to mitigate information security risks and prevent unauthorised access.
    • People accessing the system via or on behalf of the healthcare provider organisation understand and adhere to the physical and information security measures.
    • The healthcare provider organisation employs reasonable user account management practices, including:
      • Restricting access to those persons who require access as part of their duties
      • Uniquely identifying individuals using the healthcare provider organisation’s information technology systems
      • Having that unique identity protected by a password or equivalent protection mechanism
      • Ensuring password and/or other access mechanisms are sufficiently secure and robust to mitigate the security and privacy risks associated with unauthorised access to the system
      • Disabling the user accounts of persons no longer authorised to access the system
      • Suspending a user account as soon as practicable after becoming aware that the account or its password or access mechanism has been compromised.

    Note: See the Agency’s cyber security resources for more information. Additional guidance is provided in the Guide to Securing Personal Information and the Guide to Health Privacy on the Office of the Australian Information Commissioner website.

    6. Strategies for identifying, responding to, and reporting system-related security risks
    • The policy describes the mitigation strategies used by the healthcare provider organisation to ensure the system-related security risks can be:
      • promptly identified
      • acted upon
      • reported to the healthcare provider organisation’s management.
    • This should include processes for identifying and reporting:
      • unauthorised access to the system
      • any matters that may compromise the security or integrity of the system, for example, a security incident, such as ransomware, that has affected a healthcare provider organisation.
    • Organisations should ensure processes are in place to comply with data breach notification obligations outlined in section 75 of the My Health Records Act. Learn more about how to manage a data breach further down the page.
    • To assist with monitoring use of the system, audit logs should record the user identity, date and time of access, whose record was accessed and the type of information that was accessed.
    7. Assisted Registration (if offered)
    • Where the healthcare provider offers assisted registration, this topic is required within the policy. If the organisation does not offer assisted registration, it is recommended that this is noted in the policy.
    • Assisted registration is where a healthcare provider assists healthcare recipients to register for a record.
    • The policy needs to outline the methods for:
      • Authorising employees of the organisation to provide assisted registration
      • Providing training before a person is authorised to provide assisted registration
      • Confirming a healthcare recipient’s consent to be registered
      • Identifying a healthcare recipient for the purposes of assisted registration, including the process and criteria that must apply

    Note: See the legislative requirements for confirming a healthcare recipient’s consent under Rule 9 of the My Health Records (Assisted Registration) Rule.

    8. Policy implementation and maintenance
    • The My Health Record Security and Access policy must be reviewed annually (at a minimum) and when any material new or changed risks are identified (such as a change within the system, organisation, or regulation; or factors that might result in unauthorised access, use or disclosure of information in a record).
    • The policy must include a unique version number and date of effect.
    • A copy of each version of the policy must be retained by the organisation.

    Note: The Agency or the Office of the Australian Information Commissioner may request a current or previous version of your organisation’s Security and Access policy at any time. The legislation specifies that a healthcare provider organisation must comply with a request to provide a copy of the policy within 7 days of receiving the request.

    More information

    The Office of the Australian Information Commissioner provides Rule 42 guidance outlining points for healthcare provider organisations to consider when developing their My Health Record Security and Access policy. General guidance is also available to help you protect health information.

    A number of templates have been developed to assist you in developing a security and access policy for your organisation. Links to these have been provided below.

    STEP 2: Register your organisation

    Register for a PRODA account

    Provider Digital Access (PRODA) is an online authentication system for healthcare organisations to securely access government online services, such as Health Professional Online Services (HPOS).

    Your organisation will need to identify who will be acting in the role of a Responsible Officer (RO). This person will be responsible for the practice and may be the owner or manager of the organisation. The RO will have primary responsibility for the practice's compliance with participation requirements, ensuring that the practice and its employees comply with the relevant legislation, policies and regulations.

    This individual will need to register for a PRODA account (if they do not already have one). Information on how to register is available here.

    Helpful registration tips:

    • Ensure the name you register the account under matches the name on all your supporting documents, or provide a Change of Name certificate as supporting documentation.
    • Confirm the gender on the account matches the documents.
    • Confirm the date of birth is entered correctly.
    • The email address used to register the individual PRODA account should not be a shared or publicly accessible mailbox, such as an admin account.

    Link to Health Professional Online Service (HPOS)

    When you first log in to PRODA, you will need to link to HPOS. Visit Services Australia to link HPOS to your PRODA account. You will then be able to access a range of eligible services using only your PRODA login.

    Register with the Healthcare Identifiers Service

    Once the RO has registered for PRODA and linked HPOS to their account, they can register the organisation with the Healthcare Identifiers (HI) Service. This national service underpins the secure transmission of digital health data by uniquely identifying healthcare organisations, healthcare provider individuals and healthcare recipient individuals.

    Once registered with the HI Service, your organisation is issued with a unique HPI-O number. This number is used to identify the organisation in a range of national digital health initiatives.

    From the HPOS ‘My programs’ page:

    • Select the ‘My Health Record and Healthcare Identifiers’ tile
    • Select ‘Healthcare Identifiers - Register seed organisation’
    • Complete the online form to register your seed organisation
    • For more information, visit the Services Australia website

    Healthcare providers hold a Healthcare Provider Identifier - Individual (HPI-I) 

    All healthcare providers registered with the Australian Health Practitioner Regulation Agency (AHPRA) will already have an HPI-I. To find your HPI-I you can:

    • Log in to the AHPRA website or
    • Call AHPRA on 1300 419 495 Monday to Friday 9:00am - 5:00pm (local time)

    Note: If you know your AHPRA User ID, add 800361 to the front of the ID to get your HPI-I.

    If you practise a health profession not regulated by AHPRA, you can apply for an HPI-I by completing the online application in Health Professional Online Services (HPOS).

    Link the HPI-I to the organisation's HPI-O

    For a healthcare provider representing a healthcare organisation to access the NPP, the practice manager/administrator must link their HPI-I to the organisation's HPI-O. This can be done by:

    Once successful linking has occurred, healthcare providers representing the organisation can access the NPP.

    If your organisation is not yet registered in the HI Service and My Health Record, see below.

    Register the organisation in the HI Service and My Health Record

    If your organisation does not already have a Healthcare Provider Identifier – Organisation (HPI-O), the practice owner needs to register it with the HI Service and My Health Record. To register:

    • Log on to your PRODA account
    • Select Go to Service on the HPOS tile; in HPOS, select My programs and then select the Healthcare Identifiers and My Health Record tile
    • Select the My Health Record – Register Organisation tile, and complete the online form to register the Seed Organisation
    • If the organisation is not known to the HI Service, the applicant will need to provide evidence that they have the authority to make decisions on behalf of the organisation by uploading documents in the Seed Organisation registration application

    Once the registration is complete, the applicant will receive a notification in their HPOS Mail Centre.

    STEP 3: Choose how to access the system

    In most healthcare settings, access to the system is via conformant clinical software or the National Provider Portal.

    In hospital applications, access can be via the Healthcare Information Provider Service (HIPS) or HIPS Mobile.

    See below for how to access the system using these methods.

    Conformant clinical software

    Use your organisation's software to access the system

    Many common clinical information systems (CISs) conform to the system standard and can connect directly to the system. This means that healthcare providers are generally able to access, view and upload information to a patient's record through their conformant CIS.

    You can check whether your clinical software conforms to the standard.

    NASH PKI Certificates

    The National Authentication Service for Health (NASH) is used by healthcare organisations to securely access and share health information. A NASH Public Key Infrastructure (PKI) Certificate is required for access to the HI Service. This certificate can be requested, linked and downloaded through HPOS by your Organisation Maintenance Officer (OMO). In a healthcare organisation, the role of OMO may be assigned to a staff member who is familiar with the practice’s administration systems. Alternatively, the RO may take on the OMO role as well.

    Request and download a NASH PKI Certificate (if required)

    Check with your software vendor whether you need to have a NASH PKI Certificate or whether they will be interacting with the My Health Record system as a Contracted Service Provider (CSP).

    Configure Software

    Contact your software vendor or check their website and follow the steps to configure your software and set-up access for your team.

    National Provider Portal (NPP)

    View records without using conformant clinical software

    Healthcare providers who do not have conformant clinical software can access an individual’s record through the National Provider Portal. The NPP is a web-based, read-only site that allows healthcare providers to view the information in a patient's record. Uploading of documents is not supported.

    To use the NPP, healthcare providers need to get set up first. Your organisation will also need a Healthcare Provider Identifier - Organisation (HPI-O) and be registered to participate in the system.

    How to access and use the NPP

    Getting started:

    Step 1: Log onto the NPP

    Go to provider.ehealth.gov.au/login.html to access the portal.

    Step 2: Click on the 'Login' button

    You will be redirected to the PRODA login page where you will be required to enter your username and password.

    Step 3: Link your PRODA ID to the My Health Record system by entering your Identifier Number

    You will only need to complete the linking once.

    Step 4: Select the organisation you are representing

    If you work for multiple healthcare provider organisations, please select the organisation you are representing in relation to your specific patient’s care.

    Step 5: Search for the individual's record

    Once you log in, a search screen will appear.

    Enter the individual's details in the search screen to find their record. The details you enter must match those recorded with Medicare.

    The information required includes:

    • Last name
    • Date of birth
    • Sex
    • Identifier (IHI, Medicare or DVA)

    Hospital applications and HIPS Mobile

    Access the system in a hospital setting

    Most hospitals across Australia are already connected to the system. This means that authorised employees are generally able to access and view information in a patient’s record through the hospital's applications. If you are working in a hospital or other healthcare setting, check with your health information manager or local intranet for information on how to access the system in your organisation’s applications. Remember to check your organisation's policy regarding access and use of the system.

    If your hospital requires connection support, contact [email protected]

    HIPS Mobile

    HIPS Mobile provides authorised employees with seamless access to their patients’ healthcare information and services, when and where they need it. It is available as an add-on to existing HIPS software, enabling the viewing of records on mobile devices, including phones and tablets.

    Benefits

    Mobile access to HIPS allows for viewing of records on mobile and tablet where and when it is needed. This means:

    • Critical information is on hand and available to all clinicians while performing ward rounds, bedside consultations and remote care.
    • For Emergency Departments this can save time when patient history needs to be accessed in an emergency, including medicines, pathology and COVID-19 history, including immunisations.
    • Improved management of patient information for clinicians, who can now create specific ‘My Patient’ lists for each of the clinician’s work locations and access records on and off site via the hospital’s VPN. This list syncs with the HIPS UI standalone view.

    Ceasing registration

    Healthcare provider organisations must ensure that they notify the Agency, as System Operator, within 14 days if they cease to be eligible for registration with the system. This may occur where the organisation, for example: 

    • is closing its business or has ceased trading 
    • is no longer eligible for registration under Section 43 of the My Health Records Act, for example, because the organisation no longer has a healthcare provider identifier for the organisation (HPI-O) or no longer employs a healthcare provider individual, which is a person who has a healthcare provider identifier for an individual (HPI-I). 

    In some cases, such as where an organisation is closing its business or has ceased trading, a healthcare provider organisation may need to cancel its HPI-O in addition to deregistering from the system. Where a healthcare provider chooses to cancel its HPI-O, it will no longer have access to other important services in addition to the My Health Record system, such as electronic prescribing and secure messaging. 

    To deregister from the system and, if applicable, cancel the HPI-O, log in to Health Professional Online Services (HPOS). Alternatively, you may call the HI Service Help Desk on 1300 361 457 to request assistance in deregistering from the system.