Managing access, privacy and security
Under the My Health Records Act 2012, healthcare providers, the System Operator and other system participants are permitted to collect, use and disclose information in your My Health Record under certain emergency circumstances.
If emergency access is granted to a healthcare provider (such as a hospital or medical practice) the organisation is responsible for determining which individual healthcare providers within the organisation have access.
Registered healthcare providers are permitted to collect, use or disclose information in your digital record if it is unreasonable or impracticable to obtain consent from the healthcare recipient or their authorised representative and they reasonably believe that this is necessary to lessen or prevent a serious threat to your or another individual’s life, health or safety.
An example could be if you are unconscious in an emergency situation.
Healthcare providers can also collect, use and disclose the information in your digital record without your or your authorised representative’s consent if they reasonably believe that this is necessary to lessen or prevent a serious threat to public health or safety.
An example could be where a dangerous infection has been detected within a hospital and it is necessary to identify the source of the infection to prevent its spread.
If you or your authorised representative choose to suspend your digital record (for example, if you are moving overseas for a significant period of time), emergency access could still be granted by the System Operator. However, if your digital record has been cancelled it cannot be accessed, even during an emergency.
Under emergency access all information in your digital record can be accessed, except for:
- records that have been ‘effectively removed’ by you. This information can no longer be viewed by you, your authorised representative or any healthcare provider organisations, even in an emergency; and
- information entered in the healthcare recipient-only notes section of your record which cannot be viewed by healthcare providers regardless of access settings.
When emergency access is granted, any advanced access controls previously set by you or your authorised representative are overridden. This means that any restricted information can be accessed in an emergency. The healthcare provider may also store information collected from your digital record during an emergency in its own local clinical records.
Any emergency access to a digital record is recorded by the System Operator and included in your access history which you or your authorised representative can view in the My Health Record system. You or your authorised representative can choose to be notified of emergency accesses to your digital record via an SMS or email from the System Operator.
The System Operator grants emergency access for five days. Once this period ends, all access reverts to the default access controls or the advanced access controls set by you or your authorised representative, if any had been set before the emergency access was granted.
If the emergency situation continues beyond the initial five-day period, the healthcare provider will need to request emergency access from the System Operator again.
Section 64 of the My Health Records Act 2012 provides legal authority for emergency access. This is consistent with the Privacy Act 1988 and the Australian Privacy Principles.