
Last updated 02 August 2016

Penalties

Legislative changes have been made to the penalty frameworks supporting the My Health Record system and the Healthcare Identifiers Service, as set out in the My Health Records Act 2012 and Healthcare Identifiers Act 2010.  

These changes took effect on 1 March 2016.

Why are there penalties?

Misuse of a person’s health information is a serious matter.  The potential for damage (whether personal damage to an individual or reputational damage to a healthcare provider organisation) is significant and this is reflected in current professional and legal obligations on persons such as healthcare providers to protect patient information.

The My Health Record system and the Healthcare Identifiers Service contain health and other important information so penalties are used, among other measures, to protect this information.

What has changed?

Penalties that previously applied to My Health Record system and Healthcare Identifiers Service information varied depending on the source of the information.  Primarily, misuse of My Health Record system information was subject only to civil penalties while misuse of Healthcare Identifiers Service information was subject only to criminal penalties.

The penalties for the misuse of any of this information have increased so that both civil and criminal penalties apply.

Additional sanctions are also now available in the Healthcare Identifiers Service that reflect sanctions available in the My Health Record system – namely, injunctions and enforceable undertakings. 

These allow the My Health Record System Operator, Healthcare Identifiers Service Operator and Australian Information Commissioner to take action in response to a breach in proportion to the seriousness of the breach – for example, the My Health Record System Operator may enter into an undertaking with a healthcare provider organisation that requires the organisation to take additional steps to mitigate identified risks.

What actions may be subject to penalties?

The misuse of information in either the My Health Record system or Healthcare Identifiers Service, and other activities that relate to the security and integrity of the My Health Record system and Healthcare Identifiers Service, are subject to penalties under the My Health Records Act 2012 and Healthcare Identifiers Act 2010. More information about these penalties is provided in the tables at the end of this document.

Do the penalties apply to accidents?

The serious penalties relating to the misuse of information do not apply to accidental misuse.  The unauthorised collection, use or disclosure of information will only incur a penalty if the person knows or is reckless as to whether that action is unauthorised.  This means that if a person accidentally collects, uses or discloses this information – for example, if a healthcare provider inadvertently or accidentally accesses an individual’s My Health Record – they are not liable for a civil or criminal penalty (although there may still be an interference with privacy and the Australian Information Commissioner may still be able to investigate).

Why have these changes been made?

These changes have been made to better protect the sensitive information that can be contained in a My Health Record and allow the My Health Record System Operator to respond more proportionally to the seriousness of a breach.  These changes also align the penalty frameworks of the My Health Record system and Healthcare Identifiers Service.

Actions subject to penalties

Each entry below lists the action, the provision it falls under, the penalty that applies, and whether the penalty has changed.

Misuse of information

Action: Unauthorised collection, use or disclosure of health information in a My Health Record
Provision: Sections 59 and 60 of the My Health Records Act 2012
Penalty: Civil penalty of up to 600 penalty units ($126,000 for individuals and $630,000 for bodies corporate); criminal penalty of up to two years imprisonment and/or 120 penalty units ($25,200 for individuals and $126,000 for bodies corporate)
Has this changed? Yes. It was previously subject to a civil penalty of up to 120 penalty units ($21,600 for individuals and $108,000 for bodies corporate).

Action: Unauthorised use or disclosure of healthcare identifiers or other information obtained for the purposes of the Healthcare Identifiers Service
Provision: Section 26 of the Healthcare Identifiers Act 2010
Penalty: Civil penalty of up to 600 penalty units ($126,000 for individuals and $630,000 for bodies corporate); criminal penalty of up to two years imprisonment and/or 120 penalty units ($25,200 for individuals and $126,000 for bodies corporate)
Has this changed? Yes. It was previously subject to a criminal penalty of up to two years imprisonment and/or 120 penalty units ($21,600 for individuals and $108,000 for bodies corporate).

Security and integrity

Action: A person accesses the My Health Record system on behalf of a registered healthcare provider organisation and fails to provide enough information to the System Operator to identify that person without the System Operator having to seek more information
Provision: Section 74 of the My Health Records Act 2012
Penalty: Civil penalty of up to 100 penalty units ($21,000 for individuals and $105,000 for bodies corporate)
Has this changed? No.

Action: Failing to notify an actual or potential data breach in which they were directly involved
Provision: Section 75 of the My Health Records Act 2012
Penalty: Civil penalty of up to 100 penalty units ($21,000 for individuals and $105,000 for bodies corporate)
Has this changed? No.

Action: Failing to give written notice within 14 days if the entity ceases to be eligible to be registered
Provision: Section 76 of the My Health Records Act 2012
Penalty: Civil penalty of up to 80 penalty units ($16,800 for individuals and $84,000 for bodies corporate)
Has this changed? No.

Action: Holding, taking, processing or handling records held for the purposes of the My Health Record system outside Australia, or causing someone else to do so
Provision: Section 77 of the My Health Records Act 2012
Penalty: Civil penalty of up to 600 penalty units ($126,000 for individuals and $630,000 for bodies corporate); criminal penalty of up to two years imprisonment and/or 120 penalty units ($25,200 for individuals and $126,000 for bodies corporate)
Has this changed? Yes. It was previously subject to a civil penalty of up to 120 penalty units ($21,600 for individuals and $108,000 for bodies corporate).

Action: Failing to comply with the My Health Records Rules that apply to the entity
Provision: Section 78 of the My Health Records Act 2012
Penalty: Civil penalty of up to 100 penalty units ($21,000 for individuals and $105,000 for bodies corporate)
Has this changed? Yes. It was previously subject to a civil penalty of up to 80 penalty units ($14,400 for individuals and $72,000 for bodies corporate).

Action: Failing to notify the Healthcare Identifiers Service Operator of changes to their organisation's information within 20 days
Provision: Section 25E of the Healthcare Identifiers Act 2010
Penalty: Civil penalty of up to 100 penalty units ($21,000 for individuals and $105,000 for bodies corporate)
Has this changed? Yes. It was previously subject to a criminal penalty of up to 50 penalty units ($14,400 for individuals and $72,000 for bodies corporate).

Action: Failing to retain identifying information about a person requesting disclosure of healthcare identifiers (if not provided at the time of disclosure)
Provision: Regulation 7 of the Healthcare Identifiers Regulations 2010
Penalty: Civil penalty of up to 50 penalty units ($10,500 for individuals and $52,500 for bodies corporate)
Has this changed? Yes. It was previously subject to a criminal penalty of up to 50 penalty units ($14,400 for individuals and $72,000 for bodies corporate).