Digital health and patient consent

Patient consent and uploading clinical information to a My Health Record

In registering for a My Health Record, patients provide a "standing consent" for all healthcare organisations involved in their care to upload clinical information to their record. There is no requirement for a provider to obtain consent on each occasion prior to uploading clinical information. There is also no requirement for a patient to review clinical information prior to it being uploaded.

The Australian Medical Association (AMA) states in its Guide to Using the My Health Record that it is good medical practice to advise a patient that you will be uploading information to their My Health Record, particularly if this information might be considered sensitive. See section 4.5 of the AMA's Guide.

If a patient requests that a clinical document is not uploaded, a provider is obliged to follow this request.

Patient consent and viewing a My Health Record

Any person involved in an individual's healthcare and authorised by a healthcare organisation, can access and view an individual's My Health Record. A healthcare organisation may authorise clinicians to view a patient's My Health Record as well as other staff who need to access the My Health Record system as part of their role in healthcare delivery (for example, an Aboriginal and Torres Strait Islander Health Practitioner who does not have a HPI-I).

My Health Record legislation does not prevent a healthcare provider from accessing and viewing an individual's My Health Record outside of a consultation, i.e. without the individual being present, provided that access is for the purpose of providing healthcare to the individual. For example, a specialist may choose to review clinical documents in an individual's My Health Record prior to a consultation.

Patient Privacy Controls

Individuals have the ability to control which healthcare organisations access the information in their My Health Record by enabling advanced privacy controls. Individuals can limit access to their entire record (using a Record Access Code) or to particular documents (using a Limited Document Access Code). The patient will need to provide their access code to a provider for the provider to access their My Health Record. A provider will be prompted by their clinical software if an access code is required. In an emergency, a provider can assert the emergency access functionality which will override the existing access controls for a specified period.

For more information about My Health Record privacy controls, see the Privacy and Security FAQs on the myhealthrecord.gov.au website.

Currently the number of individuals opting to use these privacy settings is fewer than 2 out of every 1000 individuals registered, and where an individual has opted to use privacy settings, healthcare organisations do not have to be granted access to a My Health Record in order to upload to it.

Patient Consent and ePrescriptions

It would be good privacy practice for a prescriber (e.g. General Practice) to update their existing consent forms, privacy policies and so on, to inform patients that copies of prescriptions will be sent to pharmacists via the PES (in the same way that patients are informed that copies of their pathology results may be sent to other providers treating them). If the patient does not wish their record to go through a PES they should notify their doctor and pharmacist.

For ePrescriptions to go to the My Health Record system, the standing consent model for other clinical documents applies for prescription records. However, the prescribing system also includes a mechanism so that if a patient requested a prescription record not be uploaded to their My Health Record, the dispensing system defaults to apply the same consent decision to the corresponding dispense record – meaning that neither the prescription or dispense record is uploaded to the My Health Record system. However, this consent decision can be overruled by the individual and dispensing healthcare provider at the point of care.

Patient consent and Secure Message Delivery (SMD)

A healthcare provider does not need patient consent to send clinical information using Secure Message Delivery (SMD), in much the same way that a provider is not required to seek consent to send clinical information point-to-point via your existing channels, such as fax.