INSIGHTS: My Health Record: Important Information for Healthcare Providers

January 15, 2019



My Health Record is an online summary of an individual’s key health information. A My Health Record will be created for every Australian who wants one after 31 January 2019. An individual may cancel their My Health Record at any time.

The My Health Record system is intended to allow for the online sharing of a patient’s medical information with their treating healthcare providers. Only registered healthcare providers (known as participants) who are involved in a patient’s care, and who are registered with the My Health Record System Operator (the Australian Digital Health Agency), are permitted by law to access My Health Records.


What is in a patient’s My Health Record?

A My Health Record can contain an array of medical information. Some examples of what may be contained in a My Health Record include:

  • Personal health summaries
  • Advance care planning/directives
  • Emergency contact information
  • Medicare and PBS information
  • Details of an individual’s donor status (as sourced from the Australian Donor Register)
  • Shared health summaries
  • Discharge summaries
  • Medication records
  • A patient’s prescribed and dispensed medications
  • ePrescriptions
  • eReferrals
  • Pathology reports
  • Diagnostic Imaging reports


Protecting Patient Privacy

The My Health Records Act 2012 (Cth) (the Act) provides protections for the privacy of health information stored in an individual’s My Health Record.

An individual’s My Health Record includes a number of privacy and access controls that the individual can place on their record. These include:

  • Setting an access code, which can be provided to selected healthcare providers to enable access to the individual’s record;
  • Controlling access to specific documents, thereby limiting the types of documents that can be viewed;
  • Requesting a healthcare provider not to upload information. A healthcare provider must comply with any such request (section 45(d) of the Act);
  • Configuring automatic notifications via email or SMS when a healthcare provider accesses their record for the first time, or views their record in an ‘emergency situation’ and overrides the access controls in place.

Healthcare providers are under no obligation to use the My Health Record system, but it is important that registered healthcare providers know and understand the circumstances in which a patient’s My Health Record can be accessed before using the system.


When should I view a patient’s My Health Record?

A healthcare provider does not require a patient’s consent to view their record and a patient’s My Health Record can be accessed outside of a consultation, provided that access is for the purpose of providing healthcare to the patient.

Currently, patients provide “standing consent” when they register for a My Health Record, which enables healthcare providers directly involved in a patient’s care to upload clinical information to their record. Generally, there is no requirement for a healthcare provider directly involved in a patient’s care to obtain the patient’s consent prior to viewing or uploading clinical information to the My Health Record system, but it is good practice to advise patients when information is being uploaded to their My Health Record.

By default, documents in a patient’s My Health Record are set to general access for healthcare providers. If, however, a patient has placed access controls on their My Health Record which limit access to some or all of their records (as discussed above), a healthcare provider will be prompted to enter the access code set by the patient before access is granted.


Emergency Access function

In an emergency situation, a patient’s privacy settings can be bypassed or overridden by the ‘Emergency Access’ function. The Emergency Access function can only be used in certain circumstances and it is important that healthcare providers understand when this function can be lawfully used.

Section 64 of the Act provides that the Emergency Access function may be used by participants only where:

  • The participant reasonably believes that there is a serious threat to the patient’s life, health or safety and their consent cannot be obtained (for example, if the patient is unconscious);
  • There are reasonable grounds to believe that access to the patient’s My Health Record is necessary to lessen or prevent a serious threat to public health or safety (for example, to identify the source of a serious infection and prevent it from spreading).

The Emergency Access function must not be used other than as outlined in Section 64. It also cannot be used merely because the patient has forgotten their access code (unless there is a serious threat to the patient’s life, health or safety).

With Emergency Access, any access controls previously set by the patient will be overridden and the healthcare provider will have full access to the patient’s record. Once granted, Emergency Access will be available for a maximum of five (5) days.

Use of the Emergency Access function is recorded in the access history (which can be viewed by the patient) and will trigger a notification to the Australian Digital Health Agency (the Agency). Following notification to the Agency, the healthcare provider will receive a request for information and is required to inform the Agency of the circumstances requiring the use of the Emergency Access function.

It is recommended that you contact the Agency if you use the Emergency Access function and report the circumstances in which the Emergency Access function was used. You can do this by calling the My Health Record Help Line on 1800 723 471.


Misuse of My Health Records

Misuse of a person’s health information is a serious matter. The potential for damage is significant and healthcare providers have professional and legal obligations to protect patient information.

Unauthorised use, collection or disclosure of health information included in a patient’s My Health Record attracts serious penalties where the participant is reckless or knows that the collection, use or disclosure is unauthorised. Section 59 of the Act provides for fault-based penalties of up to 120 penalty units (currently $25,200) or up to 2 years imprisonment. Civil penalties can also apply.

However, the serious penalties relating to the misuse of information are not intended to apply to accidental misuse. The unauthorised collection, use or disclosure of information will only incur a penalty if the person knows or is reckless as to whether that action is unauthorised. Therefore, if you as a participant accidentally collect, use or disclose this information – for example, if you inadvertently or accidentally use the emergency access function – you are not liable for a civil or criminal penalty.


Where do I get more information?

Healthcare providers should ensure that they have received adequate training in the My Health Record system before accessing a patient’s My Health Record.

For further information, see:


This article was written by Chandrika Darroch, Principal. For further information about My Health Record, please contact Chandrika.

Disclaimer: This information is current as of January 2019. This article does not constitute legal advice and does not give rise to any solicitor/client relationship between Meridian Lawyers and the reader. Professional legal advice should be sought before acting or relying upon the content of this article.