Patient Access Controls

How is consent managed in the My Health Record system?

By default, when an individual registers for a My Health Record they give "standing consent" for all registered healthcare provider organisations to access and upload information to their My Health Record. Healthcare professionals working in healthcare provider organisations can:

  • Access the individual's My Health Record during, or in regard to, a consultation or clinical event involving the individual; and
  • View all documents in the My Health Record system and upload documents to the My Health Record, unless the individual specifically requests the healthcare professional not to upload the document.

How can individuals control access to their My Health Record?

Individuals have a number of mechanisms available to them to manage the content of, and to control access to, their and/or their dependent's My Health Record(s). These include:

Limiting Access

  • Limiting access to the whole of their record and having a Record Access Code that needs to be given to healthcare provider organisations who they wish to grant access and/or;
  • Limiting access to specific documents in their My Health Record, and having a Document Access Code to give to select healthcare provider organisations for them to gain access to the restricted set of documents;
  • Turning off automatic checking for a My Health Record, which will prevent a healthcare provider organisation being automatically notified via their local clinical software if a person has a record.

Tracking Access

  • Individuals can see a list of healthcare organisations that have accessed their record and can change the level of access they wish particular healthcare organisations to have, including revoking access (except in the case of an emergency);
  • Individual can also be notified by email or SMS when certain activities occur in their My Health Record e.g. a new healthcare organisation accesses their My Health Record.

Refusal of consent to upload

Expressly informing a healthcare provider organisation that they do not want certain information to be uploaded to their My Health Record during a consultation, upon which the healthcare provider organisation must comply.

Removing Documents

The ability to remove previously uploaded documents from their My Health Record (via their consumer portal). When this is done these documents will not be available to the consumer or healthcare provider organisations, including in an emergency. This type of facility is not dissimilar to the current situation where patients may choose to withhold information to their care providers.

When registering, individuals are made aware of the implications and risks of limiting the access of healthcare provider organisations to their My Health Record, as it can adversely affect the quality of advice and decision making about their care.

The value of a My Health Record for a patient's medical care will largely depend on the information it contains about the patient's health status and the care they have received. As the patient's healthcare provider organisation, you could explain how the patient might set access controls in a way that is beneficial to them given their clinical situation.

You could also explain the clinical implications of excluding particular information and limiting access to certain types of providers who may need to access the record from time to time to facilitate their care of the patient in the future.

Healthcare provider organisations are encouraged to use normal clinical judgement in situations where information may be absent or incomplete. See www.myhealthrecord.gov.au