Privacy and Security for Providers
It is an offence under the My Health Records Act 2012 for a person to collect health information from an individual's My Health Record, or use or disclose that information, if the collection, use or disclosure is not authorised by the Act and the person knows that the collection is not authorised or is reckless as to whether the collection is authorised or not.
If the individual provider is not authorised to collect, use or disclose information in the My Health Record System, the individual, rather than the organisation, may be liable for a penalty.
The penalty for unauthorised collection, use or disclosure is currently up to $108,000 for an individual or up to $540,000 for a body corporate, or up to two years’ imprisonment.
If a Healthcare Provider accesses an individual’s My Health Record by mistake, they will not be liable for a civil penalty under the My Health Records Act; however, it may constitute a privacy breach under the Privacy Act 1988.
It is up to the patient to choose which healthcare provider organisations can access and upload clinical documents into their My Health Record. A patient will also be able to control what information is stored in the record and which Healthcare Provider Organisations can access that information.
Participating Healthcare Provider Organisations may access a patient’s My Health Record in an emergency, where patient consent is not possible. This is consistent with existing privacy laws.
In life-threatening cases, where it is unreasonable or impractical to obtain a patient’s consent to access the My Health Record, healthcare providers may assert emergency access. This access will override any access controls that have been set by the patient and provide your organisation with unrestricted access to a patient’s My Health Record for five days. Your use of the emergency access function will be logged in the Access history and may be notified to the patient if they requested notifications. Asserting emergency access is warranted where you believe that access to the information is necessary to lessen or prevent a serious threat to:
- An individual’s life, health or safety and the patient’s consent cannot be obtained
- Public health or public safety
Healthcare organisations are authorised by the My Health Record legislation to collect, use and disclose health information included in an individual’s My Health Record if the collection, use or disclosure of the health information is for the purpose of providing healthcare to the individual. Healthcare organisations are also authorised to:
- Disclose the health information to the individual or the individual’s authorised or nominated representative
- Collect, use or disclose the health information for any purpose with the consent of the individual
- Collect, use and disclose the health information for purposes relating to the provision of indemnity cover for a healthcare provider
Any collection, use or disclosure of this health information must comply with the individual’s access control settings of their My Health Record (except in emergency situations). Note that healthcare organisations are not authorised to collect, use or disclose health information included in the consumer-only notes of the My Health Record.
Access flags are a key component of the My Health Record System's access control mechanisms, supporting the individual’s capability to restrict the healthcare organisations that are able to access their My Health Record. The level of detail for this capability is established when a healthcare organisation sets access flags. Access flags are set by healthcare organisations in the My Health Record system (not in local systems).
When a healthcare organisation is involved in the care of an individual (and, as a result, is added to the access list for the individual’s My Health Record), access flags determine if any other associated healthcare organisations are also added to the access list for the individual’s My Health Record. Access flags do not prevent the sharing of information that has been downloaded from an individual’s My Health Record. Downloaded information is subject to existing laws and professional obligations.
In the case of a GP practice, an access flag, for example, may be associated with that particular practice. This enables the individuals who have chosen to restrict access to their My Health Record to allow access to that practice, thereby enabling access by authorised users within that practice.
The Healthcare Identifiers Service provides a regime for establishing a network of associated healthcare organisations, consisting of a seed organisation (which is the head organisation of the network) and network organisations (which are subordinate to the seed organisation).
It is the responsibility of the seed organisation to ensure that the network hierarchy supports the setting of access flags in accordance with the principles set out in the My Health Record Rules. In general, these principles require that the setting of access flags balance reasonable individual expectations about the sharing of information as part of providing healthcare and arrangements within the organisation for access to health information collected by the organisation.
The seed organisation must regularly review the access flags of their network hierarchy and adjust them as necessary to remain consistent with the principles. If the System Operator considers that access flags have not been set in accordance with the principles or are otherwise inappropriate, the System Operator will consult with the seed organisation and may require the organisation to change its access flags.
A person’s My Health Record provides the activity history related to their record, called the audit log. The audit log displays the name of the healthcare organisation that accessed the individual’s My Health Record, when it accessed the record and the nature of that access (for example, viewing a particular document or uploading a particular record). The audit log may also display the role of the person who accessed the individual’s My Health Record, for example, general practitioner, if that information is available.
The audit log allows individuals to identify who has accessed their record.
Healthcare providers can also see details of when they last accessed the My Health Record system via the Provider Portal when they log on.
Authorised Representatives (such as a parent or legal guardian) will have control of their children's My Health Record from 0 to 14 years, including decisions as to which Healthcare Provider Organisations have access to the child’s record and which clinical documents they can see.
After a child turns 14, they will be able to choose whether to manage their own My Health Record. If a child chooses not to take control of their My Health Record between 14 and 17, their Authorised Representative (which may or may not be a parent) can continue to manage their record until they turn 18. Once an individual turns 18, Authorised Representative(s) will automatically lose access to that My Health Record. If an individual still wants their parent(s) or guardian(s) to view information in their My Health Record after they turn 18, they will need to take control of their record and set them up as Nominated Representatives.
Parents will not be able to view the MBS, PBS or Immunisation Register details of children aged over 14.
My Health Record data is stored in Australia, in line with the Australian Government Protective Security Policy Framework. The My Health Record system implements high grade security protocols to detect and mitigate against external threats. The system is tested frequently to ensure these mechanisms are in place and robust.
Security is a key design element of the system, which adheres to Australian Government security frameworks. Design features include audit trails, technology and data management controls, as well as appropriate security measures to minimise the likelihood of unauthorised access to information in a patient’s record. In addition to these measures, the My Health Record system is protected by legislation. It is important to follow the guidance available from the RACGP or your medico-legal insurance organisation on information security.
The Australian Government strongly encourages individuals, businesses and organisations to take steps to ensure they are operating safely and providing services securely online. The Australian Government’s website Stay Smart Online offers a lot of useful advice and tips to individuals, and small and medium businesses about online security.
Existing clinical standards also apply to information sourced from My Health Record. Healthcare providers and organisations have a duty to keep their patients’ health information confidential and secure and that requirement will continue for the My Health Record system.
Furthermore, registered healthcare organisations must comply with the requirements in the My Health Records Rules. Among other things, the My Health Records Rules require healthcare organisations to develop and maintain a robust security policy on the physical and information security measures that are to be established and adhered to by the healthcare organisation and people accessing the My Health Record System via or on behalf of the healthcare organisation.
It is crucial to the success of the My Health Record System, particularly in respect of clinical assurance and security, that healthcare providers, individuals and other health sector stakeholders are involved in the governance of the system. The Independent Advisory Council, an advisory committee to the System Operator, will ensure key stakeholders have input to the operation of the system. For more information, please visit Stay Smart Online.
The National E-Health Transition Authority will continue to assess clinical safety of the system elements with oversight from the Australian Commission on Safety and Quality in Health Care.