Frequently Asked Questions for Healthcare Providers
Under the My Health Records Act 2012, healthcare provider organisations, the System Operator and other system participants are permitted to collect, use and disclose information in a digital record under certain emergency circumstances.
Requests for such access may be made by individual Healthcare Providers within your organisation but are approved with respect to the organisation.
You are permitted to collect, use or disclose information in a healthcare recipient’s digital record if it is unreasonable or impracticable to obtain consent from them or their authorised representative and you reasonably believe that this is necessary to lessen or prevent a serious threat to the healthcare recipient or another individual’s life, health or safety.
An example could be if the healthcare recipient is unconscious in an emergency situation.
You can also collect, use and disclose the information in a healthcare recipient’s digital record without the consent of them or their authorised representative if you reasonably believe that this is necessary to view digital records of certain healthcare recipients in order to lessen or prevent a serious threat to public health or safety.
An example could be where a dangerous infection has been detected within a hospital and it is necessary to identify the source of the infection to prevent its spread.
Under emergency access all information in a My Health Record can be accessed, except for:
- records that have been ‘effectively removed’ by the individual. This information can no longer be viewed by the individual, even in an emergency; and
- information entered in the consumer-only notes section.
When you are granted emergency access, any advanced access controls previously set by the healthcare recipient or their authorised representative are overridden. This means that any restricted information can be accessed in an emergency. You may also store information collected from a healthcare recipient’s digital record during an emergency on your own local clinical records.
Any emergency access to a digital record is recorded by the System Operator and included in an individual’s access history which can be viewed by the healthcare recipient or their authorised representative. The healthcare recipient or their authorised representative can also choose to be automatically notified of emergency accesses to their digital record via an SMS or email from the System Operator.
The System Operator grants emergency access for five days. Once this period ends, all access reverts to the default access controls or the advanced access controls set by the healthcare recipient or their authorised representative if any had been set before the emergency access was granted.
If the emergency situation continues beyond the initial five day period, you will need to request emergency access from the System Operator again.
Under the Commonwealth Privacy Act, Australian Privacy Principle 6, subclause 6.2 (d) a provider of health services is able to access and use health information held in the My Health Record system where a ‘permitted general situation’ exists in relation to the healthcare recipient.
Section 16A of the Privacy Act defines ‘permitted general situations’ to include those situations where it is unreasonable or impracticable to obtain the individual’s consent to the collection, use or disclosure and the health service provider reasonably believes that the collection, use or disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety.