Since January 2019, all Australians have had a My Health Record, unless they opted out.
The My Health Record is an online summary of an individual’s health information, accessible to any healthcare professional involved in the individual’s care. A patient may choose to delete their record at any time.
A clear understanding of the system’s operation is crucial, especially in regard to privacy access control features and the ability to opt out of secondary use. Patients can then make an informed decision about engaging with My Health Record. Individuals with concerns about the disclosure, sharing or access to sensitive health information may choose to opt out. Healthcare providers can support their patients to make these decisions; however, clinicians should be mindful that a patient may feel compelled to follow a perceived or actual direction about whether or not to engage with the record. For this reason, having an open, informed and balanced discussion in a manner free from judgement or compulsion is important.
Electronic records create risks of data leakage and of access by unauthorised staff, browsing by unauthorised people and other means, including hacking.
Agencies and businesses, including medical practices, need to consider the security of their data storage and transfer systems, and the problem of staff intentionally or inadvertently accessing prohibited electronic records.
For more information on professional legal obligations in respect of the My Health Record, visit the My Health Record page.
Privacy of medical records is governed through a combination of federal and state/territory law in Australia. There are different standards and processes that also apply in individual health services or businesses.
However, some cross-jurisdictional consistency of privacy law in the health sector is facilitated by the Commonwealth Privacy Act 1988 (Cth), which applies to all private sector organisations that provide health services and hold health information (as well as any Commonwealth agency). In short, a health service is broadly defined by s 6FB of the Privacy Act 1988 (Cth), as any activity that involves:
- assessing, maintaining, improving or recording a person’s health;
- diagnosing or treating a person’s illness or disability; or
- dispensing a prescription drug or medicinal preparation by a pharmacist.
Consequently, health services include health service providers, such as private hospitals and day surgeries, medical practitioners, pharmacists and allied health professionals, as well as complementary therapists and others. An outline of the jurisdiction of the Act is available here.
The Privacy Act 1988 (Cth) contains 13 Australian Privacy Principles governing minimum privacy standards for handling personal information, including:
- the need to gain consent for the collection of health information
- how to notify an individual after the collection of personal information
- the proper use or disclosure of personal information
- the details that should be included in a health service provider’s privacy policy
- securing and protecting information
- providing individuals with a right to access their health records.
Some Australian Privacy Principles state that health service professionals must meet certain obligations, while other Australian Privacy Principles require that they take reasonable steps to meet stated obligations.
Practitioners should familiarise themselves with the Australian Privacy Principles (which are legally binding) and seek appropriate advice if necessary.
For many practitioners it is important to understand both state and federal laws. In New South Wales, for example, the state privacy legislation, the Health Records and Information Privacy Act 2002 (NSW), applies to public sector and private sector healthcare providers, and to holders of health records located in New South Wales. Consequently, private sector health service providers must comply with two sets of privacy legislation: federal and state. The two pieces of legislation impose similar obligations on private healthcare providers.
A brief overview of the numerous privacy laws in each state and territory (and their intersection with the federal Privacy Act 1988 (Cth)) is provided by the Office of the Australian Information Commissioner at State and territory privacy legislation. To ensure compliance with both federal and state privacy laws, you should obtain legal advice.