Register for a My Health Record myGov iconSign in with myGov

Last updated 16 June 2017

Setting the record straight on My Health Record penalties!

This month we set the record straight on the My Health Record penalties and their uses and applications.

Why do My Health Record penalties exist?

All healthcare providers in Australia have professional and legal obligations to protect their patients' health information. Penalties apply to the misuse of the My Health Record system to protect the sensitive information that a record contains.

What are the penalties?

Healthcare provider organisations and/or their employees may be subject to civil and/or criminal penalties for:

  • The unauthorised collection, use or disclosure of health information contained in a My Health Record
  • The unauthorised use or disclosure of healthcare identifiers or other information obtained for the purposes of the Healthcare Identifiers Service.
  • A person accessing the My Health Record system on behalf of the registered healthcare organisation who fails to provide enough information to the System Operator to identify the person without seeking more information
  • Failing to notify an actual or potential data breach in which they were directly involved
  • Failing to comply with the My Health Records Rules that apply to the entity
  • Failing to give written notice within 14 days if the entity ceases to be eligible to be registered
  • Failure to notify the Healthcare Identifiers Service Operator of changes to their organisation’s information within 20 days
  • Failure to retain identifying information about a person requesting disclosure of healthcare identifiers (if not provided at the time of disclosure)

How are penalties applied?

The penalties relating to the misuse of information do not apply to accidental misuse. The unauthorised collection, use or disclosure of information will only incur a penalty if the person knows or is reckless as to whether that action is unauthorised. This means that if a person accidentally collects, uses or discloses this information – for example, if a healthcare provider inadvertently or accidentally accesses an individual’s My Health Record – they are not liable for a civil or criminal penalty (although there may still be an interference with privacy and the Australian Information Commissioner may still be able to investigate).

Where can I get help?

The Australian Digital Health Agency has developed resources to assist organisations to understand their obligations for participation in the My Health Record system. These resources can be found at In addition, the Office of the Australian Information Commissioner has developed a range of resources to assist healthcare organisations to meet their obligations and these can be found on the OAIC website. The Royal Australian College of General Practitioners has also worked closely with the OAIC to revise the RACGP privacy policy template for general practices which can be found on the RACGP website.

Last updated 16 June 2017