My Health Record participation obligations
A guide to establishing your organisation’s My Health Record security and access policy and ensuring ongoing compliance.
Healthcare organisations participating in My Health Record must operate in accordance with relevant legislation and comply with a number of obligations.
These obligations fall into two broad categories:
Prior to registering with My Health Record – organisations must establish a security and access policy to ensure My Health Record is used safely and responsibly.
Complying with ongoing participation obligations following registration – your organisation’s security and access policy must be regularly reviewed, updated, maintained, enforced and communicated to all staff. Your organisation is also required to comply with a range of ongoing participation obligations.
Organisations must assign a responsible officer (RO) and an organisation maintenance officer/s (OMO/s) as key contacts in relation to participation in the system. The RO and OMO/s are accountable for the organisation's compliance with ongoing participation obligations.
Establish a My Health Record security and access policy
Prior to registering to participate in the system, your organisation will need to develop a security and access policy. You will be required to attest, at the time of registering with My Health Record, that the policy is in place.
What is a security and access policy?
The term 'security and access policy' refers to the written policy that healthcare provider organisations must have, communicate and enforce in order to register, and maintain registration, with the My Health Record system. The policy sets out security measures and access requirements for ensuring appropriate use of My Health Record in your organisation.
This policy is required under Rule 21 of the My Health Records Rules 2026.
What is the purpose of the security and access policy?
A security and access policy helps your organisation comply with the requirements of the My Health Records Rules 2026 and My Health Records Act 2012.
An effective and tailored security and access policy will help your healthcare organisation safeguard sensitive patient information by ensuring the appropriate use of My Health Record.
It will also assist you to act on any security risks related to My Health Record and respond to enquiries, when required.
For example, if a patient raises a concern about potential unauthorised access to their My Health Record, your policy should outline how to identify the individual who accessed the record, assess whether the access was authorised, and manage the matter appropriately, including notifying the System Operator and other relevant entities, if required.
Policy requirements
There are specific topics that must be covered in your organisation's security and access policy. The topics are set out in Rule 21 of the My Health Records Rules 2026. To learn more about this requirement, please see the topics outlined below.
I employ few or no staff other than myself – do I need to cover all of the required topics in my security and access policy, even if they don't apply to my organisation?
Yes. All organisations seeking to register with the My Health Record system must have a policy that addresses all of the topics specified by the My Health Records Rules 2026, regardless of the organisation’s size, scale or technical capability. This can be done in a manner that is appropriately tailored to your organisation's circumstances.
1. Healthcare provider organisation policies
- A written security and access policy is in place prior to the healthcare provider organisation registering to participate in the system.
- The organisation must comply with the policy and ensure the following people comply with the policy as well: the organisation’s employees, linked individual healthcare providers and those to whom the organisation supplies services under contract.
- The policy is communicated with, and remains accessible to, all employees as well as any healthcare providers to whom the organisation supplies services under contract and any individual healthcare providers linked to the organisation.
- For example, a healthcare provider organisation that supplies information technology services to individual healthcare providers to enable them to access the system, must communicate the policy to these providers.
Do I need a policy if staff in my organisation don’t use My Health Record or use it infrequently?
Yes, all organisations must have a security and access policy prior to registering with My Health Record. Once registered, they must implement, communicate and maintain an up-to-date security and access policy for the organisation.
It does not matter how often My Health Record is used or how many people use it. This requirement applies regardless of whether or not your organisation is actively using My Health Record.
You must also inform any new staff about your policy and provide authorised users with relevant training (see below for more information).
2. Manner of authorising and process for suspending and deactivating user accounts
- The policy details the procedures that will be used to authorise a person to access, or use information in the My Health Record system, via or on behalf of the healthcare provider organisation, including creation and modification of user accounts.
- ‘Access’ refers to both viewing and uploading information to My Health Record. This means organisations that register with My Health Record for the purpose of uploading documents only (but do not intend to view any information in My Health Record) are still required to address this element in their policy and outline how access to relevant users will be authorised.
- Uploading Only:
- If staff members will only be uploading information to My Health Record and will not be viewing My Health Record information, this should be clearly stated in the policy. The policy should also outline how users will be authorised to upload documents to My Health Record.
- Where documents are uploaded to My Health Record as part of a bulk upload process, this should be specified in the policy. If all bulk uploads are to take place through a single authorised user, this should be outlined in the policy, in addition to the process for authorising this user.
- Viewing Only (via the National Provider Portal (NPP)):
- The NPP enables healthcare providers to view information in My Health Record. The organisation’s RO or OMO/s is responsible for authorising staff who require access to My Health Record and linking or removing individual healthcare providers using Health Professional Online Services (HPOS), as needed. Further information on linking and removing healthcare providers in HPOS is available here.
- Viewing and Uploading:
- If conformant software is used at the organisation which enables both viewing and uploading of information in My Health Record, the policy must outline how the organisation will authorise staff to view and upload information, as well as the individual(s) responsible for granting and managing access (such as the Responsible Officer (RO) or Organisation Maintenance Officer (OMO)).
- The policy outlines the ways a user account will be suspended and/or deactivated in specific circumstances. This includes identifying the person responsible for these actions (e.g. RO or OMO) and setting out the process for immediate action where:
- A user leaves the organisation
- A user's security is compromised
- A user has changed duties and no longer requires access to the system
- A user is an individual healthcare provider that ceases to be linked to the organisation
I don't know how my organisation will access My Health Record yet – do I need to specify this in my security and access policy?
Most healthcare provider organisations will be able to access My Health Record using conformant clinical software (such as a clinical information system, practice management system or dispensing system). Check the register of conformant software to see whether your clinical software provides access to My Health Record.
Healthcare providers who do not have conformant clinical software, can access an individual’s record through the National Provider Portal (NPP). The NPP is a web-based, read-only site that allows healthcare providers to view the information in a patient's record.
It is recommended that you specify in your security and access policy how staff in your organisation will access My Health Record by including the name of your clinical software, the NPP, or a combination of software products/applications.
Understanding how your organisation will access My Health Record is relevant when addressing some sections of your security and access policy. For example, the type of software you use will affect the way that you:
- undertake user account management processes
- suspend or deactivate user accounts
- identify users who access My Health Record.
3. Training for authorised users, before they access the system
- The policy includes a requirement that, before a user is authorised to access the system, they receive training covering:
- how to use the system accurately and responsibly
- legal obligations of the healthcare provider organisation and individuals using the My Health Record system
- consequences of breaching those legal obligations.
- The policy includes a requirement that a user will receive training annually and following any significant changes to the My Health Record system or the governing legislation.
- Organisations must maintain records of the training provided to users, such as a register of staff training and/or completion certificates. The organisation must retain training records for 5 years, starting on the day the training record was created.
4. Process for identifying the individual who accesses a person's record (on each occasion)
- The policy outlines how the organisation will meet its obligations under section 74 of the My Health Records Act 2012 in relation to identifying the individual who accessed a person's record and communicating the person’s identity to the Australian Digital Health Agency (System Operator), where requested.
- Each time an organisation interacts with My Health Record, this activity is logged. Conformant software and the NPP (if used) automatically communicate this information to the System Operator. This includes the user identifier (user ID) of the person accessing My Health Record. An organisation must be able to confirm which person the user ID belongs to and ensure this information is communicated to the System Operator, if requested. This process should be detailed in the security and access policy.
- For example, an organisation could:
- check the user ID of the person who accessed My Health Record at a particular time (by checking the transaction log, or referring to details included in the request from the System Operator)
- confirm who the relevant user ID is assigned to
- have a process where the organisation's Responsible Officer (RO) or Organisation Maintenance Officer (OMO) provides the user’s identity to the System Operator when requested to do so.
- All relevant processes (whether automated or manual) should be outlined in your policy.
5. Process for ensuring compliance with My Health Record data breach obligations
- The policy outlines how the organisation will meet its obligations under section 75 of the My Health Records Act 2012 with regard to managing My Health Record data breaches.
- Under the My Health Records Act 2012, a data breach occurs where:
- unauthorised collection, use or disclosure of health information in an individual’s My Health Record has occurred or may have occurred; or
- an event has occurred or may have occurred, or circumstances have arisen or may have arisen, that compromise, have compromised or may have compromised the security or integrity of the My Health Record system.
- The policy also outlines how the organisation will notify the Australian Digital Health Agency (System Operator) and, where relevant, the Office of the Australian Information Commissioner (OAIC) of the breach, contain the breach and mitigate future breaches. Refer to data breach notification obligations for more information.
6. Physical security, information security, cybersecurity, and technical and organisational measures, including user account management processes
The policy details the physical security, information security, cybersecurity, and technical and organisational measures that are in place to mitigate information security risks and prevent unauthorised access, including:
- The user account management practices for information technology systems that are used by users to access the My Health Record system via or on behalf of the organisation, such as:
- Restricting access to those persons who require access as part of their duties
- Uniquely identifying individuals using the healthcare provider organisation's information technology systems
- Having that unique identity protected by a password or equivalent protection mechanism
- Ensuring password and/or other access mechanisms are sufficiently secure and robust to mitigate the security and privacy risks associated with unauthorised access to the system
- Disabling the user accounts of persons no longer authorised to access the system
- Suspending a user account as soon as practicable after becoming aware that the account or its password or access mechanism has been compromised.
- Ensuring that practices are reviewed at least annually
- Ensuring that users are aware of, and trained in, the above practices.
- The regular system maintenance that will be carried out by the organisation such as installing software updates and security patches in a timely manner and checking systems for errors, vulnerabilities or unusual behaviour.
- The data protection, including data encryption and regular back‑up measures implemented by the organisation.
- The regular monitoring and review of the above security measures carried out by the organisation.
- Technical and organisational measures may complement each other and can overlap. They may also encompass existing controls, including physical security, information security, and cybersecurity measures.
What is a physical security measure?
A measure that is designed to safeguard physical access to My Health Record. The physical security measures implemented by your organisation should be appropriately tailored to the organisation's circumstances. Some examples could include:
- installing computer privacy screens
- creating physical barriers to stop people seeing information displayed on computer screens
- ensuring devices used to access My Health Record are located in secure areas under appropriate surveillance.
What is an information security measure?
A measure designed to safeguard the integrity, confidentiality, and availability of information within My Health Record. These measures involve implementation of user account and password management (as outlined above), and other security controls relevant to your organisation’s size and structure.
What is a cybersecurity measure?
A measure that is designed to protect My Health Record from digital threats such as hacking, malware or unauthorised system access. Cybersecurity measures should be appropriate to your organisation’s size, systems and level of risk.
Some examples could include:
- using strong passwords or multi‑factor authentication
- installing and maintaining antivirus and malware protection
- keeping systems and software up to date with security patches
- monitoring systems for unusual or suspicious activity.
For additional information, refer to:
- Cyber security resources
- The guide to securing personal information and the guide to health privacy, provided by the Office of the Australian Information Commissioner (OAIC).
- Online security advice produced by the Australian Cyber Security Centre.
- Cyber Champions Network
- Digital Health Security Awareness eLearning course
- Cyber security considerations when working remotely or working from home eLearning course
What are technical and organisational measures?
Examples of technical measures include protecting personal information through physical measures, and software and hardware. For example, this may occur through securing access to premises, encrypting data, installing anti-virus software and using strong passwords.
Organisational measures include steps, processes and actions that may be put in place, such as training employees on data protection, and developing standard operating procedures and policies for securing personal information.
7. Strategies for identifying, responding to, and reporting system-related security risks
- The policy describes the strategies used by the healthcare provider organisation to ensure the system-related security risks can be:
- promptly identified
- acted upon
- reported to the healthcare provider organisation's management.
- To assist with monitoring use of the system, audit logs should record the user identity, date and time of access, whose record was accessed and the type of information that was accessed. Conducting regular checks of My Health Record audit logs for any unusual access or unauthorised behaviour will ensure risks are promptly identified and mitigated.
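The two processes above, identifying the person behind a user ID when the System Operator asks (topic 4) and checking audit logs for unusual access (topic 7), can be illustrated with a small log review. This is an added example, not code from the Agency, the My Health Record system or any conformant software: the pipe-delimited log format, the user register, the user IDs and record IDs, and the after-hours and burst thresholds are all constructed assumptions, and a real organisation would take the user ID and timestamp from its software's transaction log and its own staff register.

```python
"""Minimal audit-log review supporting the topic 4 (identify the user behind a
user ID) and topic 7 (check logs for unusual access) processes. Added example,
not code from the Agency or the My Health Record system; the log format, user
register, user IDs and thresholds below are constructed for illustration."""
from collections import defaultdict
from datetime import datetime

# Constructed user register of the kind an RO/OMO maintains: user ID -> person, status.
USER_REGISTER = {
    "u1001": {"name": "Dr A. Example", "status": "active"},
    "u1002": {"name": "Nurse B. Example", "status": "active"},
    "u1003": {"name": "Former Staff C. Example", "status": "deactivated"},
}

# Constructed audit log. Fields: timestamp | user ID | action | record accessed | document type,
# i.e. the elements topic 7 says a log should record. One line is deliberately malformed.
AUDIT_LOG = """\
2024-03-04T09:12:00|u1001|VIEW|IHI-0001|Shared Health Summary
2024-03-04T09:15:30|u1002|UPLOAD|IHI-0002|Event Summary
2024-03-04T22:47:10|u1001|VIEW|IHI-0003|Discharge Summary
2024-03-05T10:02:00|u1003|VIEW|IHI-0004|Shared Health Summary
2024-03-05T10:05:00|u9999|VIEW|IHI-0005|Pathology Report
2024-03-05T11:00:00|u1002|VIEW|IHI-0006|Shared Health Summary
2024-03-05T11:01:00|u1002|VIEW|IHI-0007|Shared Health Summary
2024-03-05T11:02:00|u1002|VIEW|IHI-0008
2024-03-05T11:03:00|u1002|VIEW|IHI-0009|Shared Health Summary
"""


def parse_audit_log(text):
    """Parse log lines; malformed lines are returned separately, not silently dropped."""
    events, malformed = [], []
    for line in text.splitlines():
        parts = line.split("|")
        if len(parts) != 5:
            malformed.append(line)
            continue
        try:
            when = datetime.fromisoformat(parts[0])
        except ValueError:
            malformed.append(line)
            continue
        events.append({"time": when, "user_id": parts[1], "action": parts[2],
                       "record_id": parts[3], "doc_type": parts[4]})
    return events, malformed


def identify_user(events, record_id, when_iso):
    """Topic 4: given the record and time quoted in a System Operator request,
    return the user ID and the person it is assigned to (None if no matching event)."""
    when = datetime.fromisoformat(when_iso)
    for ev in events:
        if ev["record_id"] == record_id and ev["time"] == when:
            entry = USER_REGISTER.get(ev["user_id"])
            return {"user_id": ev["user_id"],
                    "name": entry["name"] if entry else None,
                    "status": entry["status"] if entry else "unknown"}
    return None


def review_audit_log(events, business_hours=(8, 18), burst_limit=3, burst_window_min=5):
    """Topic 7: flag access that warrants follow-up by management. The thresholds are
    assumptions an organisation would tailor. Returns (kind, user_id, ISO time) tuples."""
    findings = []
    for ev in events:
        entry = USER_REGISTER.get(ev["user_id"])
        if entry is None:  # user ID not in the register at all
            findings.append(("unknown_user", ev["user_id"], ev["time"].isoformat()))
        elif entry["status"] != "active":  # suspended or deactivated account still in use
            findings.append(("inactive_user", ev["user_id"], ev["time"].isoformat()))
        if not (business_hours[0] <= ev["time"].hour < business_hours[1]):
            findings.append(("after_hours", ev["user_id"], ev["time"].isoformat()))
    # Many distinct records opened by one user within a short window.
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        by_user[ev["user_id"]].append(ev)
    for user_id, evs in by_user.items():
        for i, start in enumerate(evs):
            in_window = [e for e in evs[i:]
                         if (e["time"] - start["time"]).total_seconds() <= burst_window_min * 60]
            if len({e["record_id"] for e in in_window}) >= burst_limit:
                findings.append(("burst", user_id, start["time"].isoformat()))
                break
    return findings


if __name__ == "__main__":
    evs, bad = parse_audit_log(AUDIT_LOG)
    print(f"{len(evs)} events parsed, {len(bad)} malformed line(s) to investigate")
    print(identify_user(evs, "IHI-0003", "2024-03-04T22:47:10"))
    for finding in review_audit_log(evs):
        print(finding)
```

Each finding is something to record and act on under the policy, not a conclusion in itself: an after-hours view may be an on-call clinician, while a view by a deactivated user ID, or a user ID absent from the register, points at the account suspension and deactivation process in topic 2 not having been followed. Keeping the malformed lines visible matters too, since a log that cannot be parsed cannot support a topic 4 identification.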
Policy implementation and maintenance
- The My Health Record security and access policy must be reviewed annually (at a minimum), when any material new or changed risks are identified (such as a change within the system, organisation, or regulation; or factors that might result in unauthorised access, use or disclosure of information in a record), and when requested by the System Operator.
- The policy must include a unique version number and date of effect.
- A copy of each version of the policy must be retained by the organisation for 5 years starting on the day the iteration comes into effect.
Note: The Agency or the Office of the Australian Information Commissioner (OAIC) may request a current or previous version of your organisation's security and access policy at any time. Where a healthcare provider organisation receives a request from the Agency, the legislation specifies that a copy of the policy must be provided within 7 days.
Does the policy need to be in a single, stand-alone document?
Not necessarily; however, it is strongly recommended that your security and access policy is contained in a single document rather than distributed across multiple documents. This ensures your policy contains all the processes and obligations in one place and is easily accessible to all relevant employees.
If the requirements of Rule 21 of the My Health Records Rules 2026 have been addressed across several policy documents, it is recommended that references are included in those policies to demonstrate that the information forms part of the organisation's My Health Record security and access policy.
You must also ensure that you review, update, maintain, enforce and promote all relevant policy documents to staff within your organisation.
Does the policy need to be called a 'My Health Record security and access' policy?
It is not mandatory for your organisation's policy to be called a security and access policy. However, this title is recommended, as use of this title ensures that it can be easily recognised as the policy developed to satisfy the requirements of Rule 21 of the My Health Records Rules 2026. This title is recommended by the Agency and the privacy regulator for My Health Record.
Regardless of the name of your policy, it is important that it addresses each of the topics required by Rule 21 in a manner that is appropriately tailored to your organisation's circumstances.
Do I need to keep a copy of all previous versions of my security and access policy?
Yes, a copy of each version of your organisation's security and access policy must be retained for five years in accordance with Rule 43(4) of the My Health Records Rules 2026.
Does my security and access policy need to be signed?
It is not a legislative requirement for your policy document to be signed. However, it is noted that some accreditation bodies that conduct policy reviews may impose additional requirements. For example, we are aware that some accreditation bodies do require policies to be signed by an authorised individual within your organisation.
As this may not apply to every organisation, it is recommended that you consult with your accreditation provider and confirm their requirements. By doing so, you can ensure that your policy aligns with requirements of the My Health Records Rules 2026 and also addresses the accreditation standards relevant to your organisation.
What do I do with my security and access policy once it has been developed?
Once finalised, you must ensure that your organisation's security and access policy is enforced, and that it is communicated to all employees (including contractors) and any healthcare providers to whom you provide services under contract or that are linked to your organisation. You must also ensure that the policy is reviewed annually, at a minimum, and when any material new or changed risks are identified (such as a change within the system, organisation, or regulation; or factors that might result in unauthorised access, use or disclosure of information in a record), and when requested by the System Operator.
Do I need to submit a copy of my security and access policy to the Agency (System Operator) once it has been developed?
No, you don't need to provide a copy of your policy at the time it is developed. However, we may request a copy of your security and access policy at any time, and you must provide a copy within 7 days of the request, as outlined in Rule 44 of the My Health Records Rules 2026.
Record-keeping
Once registered with the My Health Record system, organisations must keep records relating to how they implement various elements of their security and access policy.
To comply with Rule 45 of the My Health Records Rules 2026, an organisation must keep a record of:
- how the organisation authorises access to the My Health Record system, including records of the user accounts created, changed, suspended or deactivated – records must be retained for five years
- training that has been provided to employees before they access the My Health Record system, annually and following significant changes to the legislation or system – records must be retained for five years
- how the organisation ensures a person who requests access to a healthcare recipient’s My Health Record can be identified and the person’s identity communicated to the System Operator (for example, this may include audit logs) – records must be retained for two years
- how the organisation ensures that it is able to identify, manage and respond to My Health Record data breaches and that these processes comply with obligations under section 75 of the My Health Records Act 2012 (for example, evidence of documented processes and any action planned or taken) – records must be retained for two years
- how the organisation has implemented physical security, information security, cybersecurity, and technical and organisational measures at the organisation (for example, documented application of the user account management practices, system maintenance activities, data protection, encryption and back-up procedures that have been employed and when) – records must be retained for two years.
Failure to maintain a security and access policy
Registered organisations that do not comply with policy requirements of the My Health Records Rules 2026 are not eligible to participate in My Health Record and may have their registration revoked.
It is noted that the Office of the Australian Information Commissioner (OAIC) is the privacy regulator for My Health Record and the OAIC may consider regulatory action if it finds that an organisation does not have a compliant My Health Record security and access policy. The Commissioner's approach to enforcement of My Health Record requirements is outlined in the My Health Records (Information Commissioner Enforcement Powers) Guidelines 2026.
Are checks of organisations' security and access policies undertaken?
We may request to review your organisation’s policy. Where such a request is received, you must respond within 7 days of receipt of the request, in accordance with Rule 44 of the My Health Records Rules 2026.
In addition, the Office of the Australian Information Commissioner (OAIC) regularly carries out privacy assessments in relation to My Health Record. These assessments may involve a review of organisations' security and access policies.
I have received a request to provide a copy of my organisation's security and access policy – do I have to respond?
Yes, where you are asked to submit a copy of your organisation’s security and access policy to the System Operator, you must provide a copy of your policy within 7 days of receiving the request, in accordance with Rule 44 of the My Health Records Rules 2026.
If you receive a request from the System Operator to provide a copy of your organisation's security and access policy, this is because information available to us indicates that your organisation is registered with My Health Record.
I am not registered for My Health Record – why have I received a request to provide a copy of my security and access policy?
If you have received a request to provide a copy of your organisation’s security and access policy, it is because our records indicate that your organisation is registered with My Health Record. Your business or organisation may have registered with My Health Record at the time of registering with the Healthcare Identifiers Service or when registering for electronic prescribing. You can check your registration details by logging in to your Provider Digital Access (PRODA) account or calling the Healthcare Identifiers Service helpline on 1300 361 457.
If you cease to be eligible for registration with My Health Record (for example, because you are closing your business or have ceased trading, no longer have an HPI-O for your organisation, or no longer employ a healthcare provider individual who has a healthcare provider identifier (HPI-I)), you must ensure that the System Operator is notified within 14 days.
Ongoing participation obligations
Once you have established a security and access policy for your organisation and registered with the My Health Record system, you are required to comply with a range of ongoing participation obligations in accordance with the My Health Records Act 2012 and the My Health Records Rules 2026.
At a high level, you are required to:
- Deliver healthcare services appropriately regardless of an individual’s My Health Record status
- Protect the privacy and security, and maintain the quality, of My Health Record information
- Ensure only authorised users, and where applicable registered healthcare providers (with a valid HPI‑I), access and upload information to My Health Record
- Maintain accurate organisational details (including RO and OMO contact details) via PRODA and Health Professional Online Services (HPOS)
- Comply with conditions of registration as a My Health Record system participant and directions given by the System Operator
- Notify the System Operator of breaches, errors and relevant changes within required timeframes
- Train staff on the appropriate use of My Health Record, along with privacy and legislative obligations
- Respect and document healthcare recipient instructions regarding viewing or uploading of health information to their My Health Record.