On 26 November 2018, the Australian Parliament passed the My Health Records Amendment (Strengthening Privacy) Bill 2018.
These measures allow Australians to choose to have a My Health Record at any time in their life. A My Health Record will be created for every Australian who wants one after 31 January 2019. After this date, a person can delete their record permanently at any time.
These changes are in response to the Australian community’s calls for even stronger privacy and security protections for people using My Health Record.
A summary of the changes is provided on this page. You can also view the full legislation on the Parliament of Australia website.
Access by insurers and employers
The Australian Digital Health Agency will not approve the release of an individual’s personal or health information to a third party except where it is for the provision of healthcare or is otherwise authorised or required by law.
Under these laws, no-one is permitted to access, or ask you to disclose, any information within your My Health Record for insurance or employment purposes.
Access by law enforcement and government agencies
To date the Agency’s official operating policy has been that no information within My Health Record can be released without an order from a judicial officer. The Agency has never received such a request and has never released information.
Under new laws, no information can be released to law enforcement or a government agency without your consent or an order from a judicial officer.
Permanent deletion of a cancelled My Health Record
Under these laws a person can permanently delete a My Health Record at any time in their life. No archived copy or back up will be kept and deleted information won’t be able to be recovered.
A My Health Record that was cancelled in the past (and archived) will also be permanently deleted. If you cancel a record at any time it will be permanently deleted.
Greater privacy for teenagers aged 14 and over
Under these laws, once a teenager turns 14, parents will automatically be removed as authorised representatives.
Increased penalties for misuse of information
Harsher fines and penalties will apply for inappropriate or unauthorised use of information in a My Health Record. Civil fines have been increased to a maximum of $333,000 for individuals ($1,665,000 for bodies corporate), with criminal penalties including up to 5 years’ jail time.
Strengthening protections for victims of domestic and family violence
There are currently safeguards in place to protect victims of domestic and family violence. Under these laws, the Agency will no longer be obliged to notify people of certain decisions if doing so would put another person at risk.
In addition, parents subject to a court order, where they do not have unsupervised access to their child, or who pose a risk to the life, health and safety of the child or another person will not be eligible to be an Authorised Representative.
The Agency will work and consult with community and stakeholders to identify and reduce any potential for misuse of the My Health Record system.
Operation of the My Health Record system
These changes clarify that our powers as the System Operator of My Health Record can’t be delegated to another government agency, with the exception of the Department of Health and the Chief Executive of Medicare.
Use of My Health Record data for research purposes
The My Health Record system is a valuable source of information on Australia’s health system and the outcomes of care being achieved. This information can guide service planning, policy development and research to further improve the Australian health system.
The principles contained within the Framework to guide the secondary uses of data will become law (within the My Health Record Rules). A Data Governance Board will be established to approve the release of any data in line with these rules.
The new laws also permanently remove the ability of insurers to apply for access to My Health Record data for the purposes of research.
No commercial use of My Health Record data
The laws make clear that the My Health Record system cannot be privatised or used for commercial purposes. Only a government organisation will ever be able to manage the My Health Record system.