Legislation and governance
Legislation: Changes to legislation
The legislation supporting the My Health Record system was developed in consultation with stakeholders. Find out more about this consultation.
The My Health Record system operates under the My Health Records Act 2012. The Act establishes:
- the role and functions of the System Operator;
- a registration framework for individuals, and entities such as healthcare provider organisations, to participate in the system; and
- a privacy framework (aligned with the Privacy Act 1988) specifying which entities can access and use information in the system, and the penalties that can be imposed on improper use of this information.
The Commonwealth Minister for Health can make My Health Records Rules to support the operation of the My Health Record system. The Rules currently in force are:
- My Health Records Rule 2016 – this specifies requirements for registered entities in the system;
- My Health Records (Assisted Registration) Rule 2015 – this specifies requirements for registered healthcare providers that assist individuals to register (through ‘assisted registration’); and
- My Health Records (Opt-out Trials) Rule 2016 – this specifies that individuals in certain postcodes will have a My Health Record automatically created for them, unless they tell us between 4 April and 27 May that they don’t want one.
A foundation of the My Health Record system is the Healthcare Identifiers Service, which is established under the Healthcare Identifiers Act 2010. More information about the legislation supporting the Healthcare Identifiers Service is available.
Other legislation supporting the My Health Record system is:
- My Health Records Regulation 2012 – this specifies additional information as identifying information and privacy laws that continue to apply to the disclosure of sensitive information;
- Healthcare Identifiers Regulations 2010 – these provide additional detail and requirements regarding the operation of the Healthcare Identifiers Service; and
- PCEHR (Information Commissioner Enforcement Powers) Guidelines 2013 – these set out the Information Commissioner’s general approach to exercising its enforcement and investigative powers.
Changes to legislation
Changes to the legislation supporting the My Health Record system were made in late 2015 and early 2016, primarily as a result of the Review of the Personally Controlled Electronic Health Records and the Healthcare Identifiers Act and Service Review. These changes were developed in consultation with stakeholders.
Information about the key changes is here:
- the name of the system was changed from the personally controlled electronic health record system to the My Health Record system;
- the Minister can make My Health Record Rules to implement the system to automatically create records for individuals unless they choose not to have one, either in trial areas or nationally – at present this means individuals in the Nepean Blue Mountains and Northern Queensland may have a My Health Record created for them as part of trials;
- organisations providing assisted registration no longer need to store individuals’ signed application forms, and may dispose of forms they already hold;
- healthcare provider organisations and other participants no longer need to enter into a participation agreement with the System Operator;
- the unauthorised collection, use or disclosure of information in the My Health Record system, of healthcare identifiers or of other information collected in relation to either the My Health Record system or Healthcare Identifiers Service is subject to civil and criminal penalties;
- if a participant (not including healthcare providers) takes My Health Record system information outside Australia, they may be subject to civil and criminal penalties;
- all participants must notify the System Operator of potential and actual data breaches;
- the My Health Record operates without the need to rely on intellectual property licences to avoid infringing copyright – instead an exception applies;
- the penalty for failing to comply with the My Health Records Rules has increased to 100 penalty units (up to $21,000 for individuals and $105,000 for bodies corporate);
- authorised and nominated representatives of individuals must act in accordance with the will and preferences of the individual they represent;
- healthcare providers whose professional registration (or membership in a professional association if they are not registered with AHPRA) is cancelled, suspended, lapsed or conditional are prohibited from uploading anything to a My Health Record unless they are suspended because their registration (or membership) fees are overdue by less than six months;
- the System Operator can remove (or instruct the removal of) documents from a My Health Record if they are uploaded by a healthcare provider without the necessary professional registration (or membership);
- healthcare provider organisations are expressly authorised to upload information to a My Health Record if it includes relevant information about a third party;
- the Independent Advisory Council and Jurisdictional Advisory Committee will be abolished from July 2016; and
- the Australian Digital Health Agency will become the My Health Record System Operator from July 2016.
For more detailed information about legislation changes, please see the following fact sheets:
- Notification of data breaches
- Authorised Representatives
- Participation Agreements
- Assisted Registration
- Participation Trials
The 2015-16 Budget announcement My Health Record – A New Direction for Electronic Health Records in Australia authorised the establishment of the Australian Digital Health Agency (the Agency) to strengthen digital health governance arrangements.
The Agency was established by the Public Governance, Performance and Accountability (Establishing the Australian Digital Health Agency) Rule 2016 (the Rule), which was made by the Commonwealth Minister for Finance under section 87 of the Public Governance, Performance and Accountability Act 2013. The Agency was established in law on 30 January 2016, and is expected to be fully operational by 1 July 2016.
The Agency is to be governed by a skills-based Board comprised of members with skills, knowledge and experience relevant to business leadership as well as the health sector. To support the Board in carrying out its functions, the following four standing advisory committees have been established under the Rule:
- the Clinical and Technical Advisory Committee;
- the Jurisdictional Advisory Committee;
- the Consumer Advisory Committee; and
- the Privacy and Security Advisory Committee.
The Agency is being established under the guidance of the Digital Health Implementation Taskforce Steering Committee (the Steering Committee), which comprises key digital health industry, consumer and healthcare stakeholders. The Steering Committee was formed in September 2015 to work collaboratively with key health sector stakeholders, all jurisdictions, the Commonwealth Departments of Health and Human Services, and the National E-Health Transition Authority (NEHTA) to lead the establishment of the structure, governance and operations of the Agency, and to plan and manage the transition of relevant functions and resources to the Agency.
From 1 July 2016, the Agency will be responsible for overseeing the operation and evolution of the national digital health capability. It is also expected to become the system operator of the My Health Record.