What you need to know about My Health Record

24 September, 2018

Every Australian will soon have a My Health Record automatically created unless they opt out by 15 November 2018. The My Health Record is an online summary of an individual’s health information and will be maintained for 30 years after an individual’s death or 130 years after birth.

The My Health Record will not replace existing health records but supplements them and is easily accessible. My Health Record should lead to better coordinated treatment for individuals as their health information can be accessed at a moment’s notice.

The My Health Record will contain information about your medical conditions and treatments, medicine details, allergies, and test or scan results. Documents such as hospital discharge summaries, referral letters, immunization records and organ donor decisions can also be added to your record. Once you have one, doctors can upload health information into it unless you ask them not to. It is therefore up to you to discuss adding or not adding a document to your record. If you have privacy concerns, you can set a Record Access Code and give it only to healthcare professionals you want to access your record. If you want to restrict certain documents, you can set a Limited Document Access Code. These controls may be overridden in an emergency.

The My Health Record system operates under the My Health Records Act 2012 (the Act). The Act sets out:

  • the role and functions of the Australian Digital Health Agency (the system operator of the My Health Record);
  • a registration framework for individuals, and entities such as healthcare provider organisations, to participate in the My Health Record system; and
  • a privacy framework (aligned with the Privacy Act 1988) specifying which entities can collect, use and disclose certain information in the system (such as health information contained in a healthcare recipient’s My Health Record), and the penalties that can be imposed on improper collection, use and disclosure of this information. 

Only registered healthcare providers involved in your care and who are registered with the My Health Record System Operator are allowed by law to access My Health Records. There are ongoing obligations on a participating healthcare organization. These include preventing unauthorised collection, use or disclosure of health information included in an individual’s My Health Record; not discriminating against an individual because they do not have a digital health record or because of their My Health Record’s access control settings; and not uploading a clinical document to the My Health Record system where an individual has withdrawn consent to the uploading of that clinical document.

All access and use of the My Health Record system is captured in an audit trail. Activity relating to an individual healthcare consumer’s My Health Record is listed in their access history record, which can be viewed by the individual, their representatives or authorised healthcare providers at any time. Insurers shouldn’t be able to access your record. While no online database could protect against all possible threats, and healthcare data is an attractive target, the My Health Record system is managed in line with the Australian Government Protective Security Policy Framework. My Health Record data will remain within Australia, and is protected by high grade security protocols to detect and mitigate against external threats. 

In Australia there are laws that protect aspects of your confidential information, including the Privacy Act 1988 (Cth) and associated Privacy Principles, that impose sanctions on those who fail to properly deal with private data. Common law remedies also exist in theory; however, there is no readily accessible statutory cause of action that allows a privacy breach victim to claim for their emotional distress and other damages.

There is uncertainty over the potential for employers to gain access to the private health data of workers as employer doctors (used for pre-employment health checks or insurance purposes) could get access to and pass on a worker’s entire medical history under the new system. Section 14(2) of the Healthcare Identifiers Act 2010 specifically prohibits use by insurers and for employment checks.  It is illegal to access a person’s My Health Record for the purpose of an employment check. An employment check is not considered to be healthcare and therefore use of the My Health Record would not be permitted. A health provider who breaches the Act or the Healthcare Identifiers Act 2010 would face significant penalties. 

Your medical records are confidential and an employer’s request for more information is generally only considered reasonable when it is required to determine, for example from a health and safety perspective, whether you are fit to return to work or to moderated duties. Employers cannot access My Health Records and would need to apply to the Australian Digital Health Agency for such access. Employees need to be aware of provisions in their employment contract that may allow access or require them to provide medical information through the My Health Record. Professionals Australia can assist you in reviewing any such clause that you may come across in your contract.

Section 70 of the Act does allow for the disclosure of data to a range of enforcement agencies, including police, courts and the immigration department, for the purposes of upholding the law or protecting public revenue. The Australian Digital Health Agency has stated that it has not and will not release any documents without a court/coronial or similar order. The Australian Digital Health Agency has also stated that no documents have been released in the last six years and it has also been reported as stating that no requests from police have yet been received. However, the Act does not mandate this, and it does not appear that the Australian Digital Health Agency’s operating policy is supported by any rule or regulation. 

The Office of the Australian Information Commissioner (OAIC) regulates the handling of personal information under the My Health Record system by individuals. The OAIC’s role includes investigating complaints about the mishandling of health information in an individual’s My Health Record. 

If an individual believes that information in their My Health Record has been mishandled, they should first raise a complaint with the healthcare provider or other entity that they think is at fault. If they are not satisfied with the response, an individual can then raise a complaint to the Australian Digital Health Agency via the My Health Record Help line: 1800 723 471, the OAIC or the relevant state and territory regulator. 

In May 2018 the ‘Framework to guide the secondary use of My Health Record system data’ (the Framework) was released. The purpose of the Framework is to inform Australians about how My Health Record system data may be used for research, policy and planning (‘secondary’) purposes by de-identifying your information. There are a variety of secondary uses of health information that are described in the Act, such as for the purposes of research, public health and law enforcement. However, concerns have been raised that private health insurers would be given the opportunity to access this data and use such data as a condition of issuing policies. A framework for how the data can be used by third parties is up for review in 2020.

If you cannot decide whether you want to stay in or opt out, you can always opt out before 15 November 2018, then rejoin at a later stage. If you have any concerns or queries regarding your employer accessing your medical information or if there are relevant provisions in your employment contract which refer to medical information, please contact the Workplace Advice and Support team at Professionals Australia.  
