Fact Check: Security of My Health Record
- Created on Friday, 14 July 2017
What is My Health Record?
My Health Record is a secure online summary of your health information. An individual can control what goes into it, and who is allowed access. Individuals can choose to share their health information with their doctors, hospitals and other healthcare providers.
Why is there a need for a digital record system?
One in three General Practitioners (GPs) will see a patient for whom they have little or no health information. Many patient records are created as paper files and are regularly transmitted between healthcare providers by insecure email, fax and post. My Health Record offers health professionals secure digital access to a patient's record at the point of care, wherever that may be.
There are significant benefits of My Health Record for all Australians. These include avoided hospital admissions, fewer adverse drug events, reduced duplication in diagnostic tests, better coordination of care for people seeing multiple healthcare providers, and better informed treatment decisions.
Following unanimous support by all State and Territory governments, the Government will expand My Health Record and create a record for every Australian, unless they prefer not to have one.
The Health Sector Supports My Health Record
- The Australian Medical Association's policy position on maximising My Health Record states:
‘We all want the My Health Record to work. It has the potential to support much better patient care, particularly when your patients see another doctor or health care provider.’
- The Royal Australian College of General Practitioners (RACGP) includes helpful case studies on their website on the benefits of My Health Record for GPs:
‘The RACGP has been an advocate for a national shared electronic health record system and understands the clinical benefits of healthcare providers accessing healthcare information not available via normal communications channels.’
- The Pharmacy Guild of Australia supports the My Health Record in community Pharmacy:
‘Community pharmacy, as the most accessible community health care destination, has always been at the forefront of digital innovation and an opt-out model for the operation of My Health Record will enable community pharmacies to enhance their patient care.’
How does My Health Record system protect people’s health information?
My Health Record legislation provides protections for privacy of medical information in the system. The Agency, as the system operator, is responsible for the security of the My Health Record system.
The Agency has in place a comprehensive set of people, process and technology controls to protect health records from cyber-attack. The system uses bank-strength security to ensure that information is stored in, and accessed by, only trusted connected health systems.
The system complies with the Australian Government requirements for storing and processing protected information, and is regularly tested and audited to confirm that these requirements are met.
The Agency's Cyber Security Centre continually monitors the system for evidence of unauthorised access. This includes specialist real-time security monitoring tools, configured and tuned to automatically detect events of interest (notable events). Examples include:
- Overseas access by Consumers and Healthcare Providers
- Multiple failed logins from the same computer
- Multiple logins within a short period of time
- Logins to the same record from multiple computers at the same time
- High transaction rate for a given Healthcare Provider
- Certain instances of after-hours access, and all instances of emergency access.
The Cyber Security Centre regularly reviews these events of interest against its knowledge of the likely threats to My Health Record and updates them accordingly.
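The events of interest listed above can be expressed as simple rules evaluated over an access log. The following is an added example written for this page, not the Agency's monitoring tooling: it runs seven such rules over a constructed sample log and reports which rule fired on which actor, host or record. The log schema (event, actor, role, record, host, country, emergency), the ten-minute window, the thresholds and the 07:00 to 18:59 business-hours range are all assumptions chosen for the illustration.

```python
# Added example: detection rules of the kinds listed above, run over constructed
# access-log records. Illustrative code written for this page, not the Agency's
# monitoring tooling; the log schema, thresholds and windows are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed span for the "short period" rules
FAILED_LOGIN_THRESHOLD = 3       # assumed: failed logins per host in WINDOW
RAPID_LOGIN_THRESHOLD = 3        # assumed: successful logins per actor in WINDOW
HIGH_RATE_THRESHOLD = 15         # assumed: record views per provider in WINDOW
BUSINESS_HOURS = range(7, 19)    # assumed business hours, 07:00 to 18:59 local


def _rec(ts, event, actor, role="provider", record=None, host="pc-00",
         country="AU", emergency=False):
    """One constructed log record; event is login_ok, login_fail or view."""
    return {"ts": ts, "event": event, "actor": actor, "role": role,
            "record": record, "host": host, "country": country,
            "emergency": emergency}


# Constructed sample log (not real data). Each entry is built to trip, or not
# trip, one of the rules in detect().
SAMPLE_LOG = [
    _rec("2017-07-14T09:00:00", "login_ok", "HPI-O-1", host="pc-01"),
    _rec("2017-07-14T09:01:00", "view", "HPI-O-1", record="IHI-A", host="pc-01"),
    _rec("2017-07-14T09:02:00", "view", "HPI-O-3", record="IHI-A", host="pc-03"),
    _rec("2017-07-14T10:00:00", "view", "HPI-O-2", record="IHI-B", host="pc-02", country="NZ"),
    _rec("2017-07-14T12:00:00", "view", "consumer-7", role="consumer", record="IHI-D",
         host="phone-7", country="US"),
    _rec("2017-07-14T21:30:00", "view", "HPI-O-4", record="IHI-C", host="pc-04", emergency=True),
    _rec("2017-07-14T22:00:00", "login_fail", "unknown", host="pc-99"),
    _rec("2017-07-14T22:00:30", "login_fail", "unknown", host="pc-99"),
    _rec("2017-07-14T22:01:00", "login_fail", "unknown", host="pc-99"),
    _rec("2017-07-14T11:00:00", "login_ok", "HPI-O-5", host="pc-05"),
    _rec("2017-07-14T11:02:00", "login_ok", "HPI-O-5", host="pc-05"),
    _rec("2017-07-14T11:04:00", "login_ok", "HPI-O-5", host="pc-05"),
] + [_rec("2017-07-14T14:00:%02d" % i, "view", "HPI-O-6", record="IHI-E", host="pc-06")
     for i in range(15)]


def _exceeds_in_window(events, key, threshold):
    """Keys with at least `threshold` events inside some WINDOW-long span."""
    stamps_by_key = defaultdict(list)
    for e in events:
        stamps_by_key[key(e)].append(e["ts"])
    hits = set()
    for k, stamps in stamps_by_key.items():
        stamps.sort()
        lo = 0
        for hi, t in enumerate(stamps):
            while t - stamps[lo] > WINDOW:   # slide the window's left edge
                lo += 1
            if hi - lo + 1 >= threshold:
                hits.add(k)
                break
    return hits


def detect(log):
    """Return sorted, de-duplicated (rule, subject) alerts for the log."""
    events = [dict(r, ts=datetime.fromisoformat(r["ts"])) for r in log]
    alerts = set()
    for e in events:
        if e["country"] != "AU":                      # overseas access, any role
            alerts.add(("overseas_access", e["actor"]))
        if e["event"] == "view":
            if e["role"] == "provider" and e["ts"].hour not in BUSINESS_HOURS:
                alerts.add(("after_hours_access", e["actor"]))
            if e["emergency"]:                        # every emergency access is notable
                alerts.add(("emergency_access", e["actor"]))
    fails = [e for e in events if e["event"] == "login_fail"]
    for host in _exceeds_in_window(fails, lambda e: e["host"], FAILED_LOGIN_THRESHOLD):
        alerts.add(("repeated_failed_logins", host))
    logins = [e for e in events if e["event"] == "login_ok"]
    for actor in _exceeds_in_window(logins, lambda e: e["actor"], RAPID_LOGIN_THRESHOLD):
        alerts.add(("rapid_logins", actor))
    views = [e for e in events if e["event"] == "view"]
    provider_views = [v for v in views if v["role"] == "provider"]
    for actor in _exceeds_in_window(provider_views, lambda e: e["actor"], HIGH_RATE_THRESHOLD):
        alerts.add(("high_transaction_rate", actor))
    by_record = defaultdict(list)                    # same record, several hosts at once
    for v in sorted(views, key=lambda e: e["ts"]):
        by_record[v["record"]].append(v)
    for record, vs in by_record.items():
        for i, a in enumerate(vs):
            hosts = {b["host"] for b in vs[i:] if b["ts"] - a["ts"] <= WINDOW}
            if len(hosts) > 1:
                alerts.add(("concurrent_hosts", record))
                break
    return sorted(alerts)


if __name__ == "__main__":
    for rule, subject in detect(SAMPLE_LOG):
        print(f"{rule:24} {subject}")
```

Rules like these produce false positives in practice (a hospital's shared outbound proxy makes many clinicians look like one computer; an emergency department legitimately works after hours), which is why the thresholds and windows must be tuned against real traffic and the rule set reviewed as the threat picture changes, as the fact sheet says the Cyber Security Centre does.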
How do healthcare providers protect your health information?
Every time a healthcare provider accesses a My Health Record, a log entry is created automatically. This allows an individual to monitor every access to their record in real time, with complete transparency.
An individual's Medicare card number alone does not allow My Health Record information to be accessed; additional information is required to authenticate consumers and healthcare providers.
Healthcare organisations can only access an individual’s My Health Record if they:
- are directly involved in the individual's care;
- have a healthcare provider certificate (a NASH HPI-I or HPI-O certificate) installed on the device they are using to access the record;
- have a valid username and password; and
- have the Record Access Code (RAC), if the individual has enabled restrictions.
Any software that connects to the system undergoes automated checks to ensure that it conforms to the system requirements and is authorised to access the information. Write access to My Health Record is only available to healthcare provider organisations via approved clinical software.
Deliberately accessing an individual's My Health Record without authorisation may attract criminal penalties, including up to two years in jail and fines of up to $126,000.
What controls do individuals have?
A person can arrange to be notified by email or SMS when a healthcare provider organisation accesses their record for the first time. The individual can also view a real-time log of every access to their My Health Record by a provider organisation.
Individuals can control what information is in their My Health Record, and which healthcare provider organisations can access their record. A range of privacy controls are available including:
- Setting a Record Access Code (RAC), which the individual can give to their healthcare provider organisation to allow access to their record, and which prevents other healthcare providers from accessing it except in an emergency
- Flagging specific documents in their record as 'limited access', and controlling who can view them
- Removing documents from view within their record
- Asking healthcare providers not to upload information; under the My Health Records Act 2012, healthcare providers must comply with this request.
About the Australian Digital Health Agency
The Australian Digital Health Agency is the system operator of the My Health Record. The Agency provides the leadership, coordination and delivery of a collaborative and innovative approach to utilising technology to support and enhance a clinically safe and connected national health system. This will give individuals more control of their health and their health information, and support healthcare professionals to provide informed healthcare through access to current clinical and treatment information.