The RACGP is undergoing scheduled system maintenance: Wednesday, 17 April 2024 from 8:15PM – 10:15 PM AEST. During the maintenance window, some RACGP services will experience disruptions.
We apologise for any inconvenience caused.

Education toolkits for general practice

Introduction to My Health Record in general practice - Chapter 10

Safety and security

Last revised: 15 May 2020

How safe is the data?

  • The My Health Record system has been in operation since 2012 (originally as the Personally Controlled Electronic Health Record or PCEHR); there has never been a security breach of the My Health Record. The system is designed to the highest level of security and privacy to keep your health information safe and secure.
  • The system is hosted on the same platform as ATO, Medicare, Centrelink, and NDIS (myGov)
  • ​All databases are exposed to risks to their safety and privacy, such as:
    • Identification issues and duplicate records
    • Unauthorised access to records and data breaches
    • Missing data
    • Software and system issues.


There are three types of safeguards to protect the security and privacy of My Health Record data.

Practice safeguards

  • Policies and procedures which govern the use of My Health Record at level of the individual general practice. There are a number of specific requirements for this policy and the RACGP has developed a policy template for this purpose.
  • Education for all practice staff involved in the use of My Health Record (initial and ongoing training)
  • A culture of security among practice staff (a culture of keeping devices and passwords secure)
  • Insurance to protect practice equipment
  • Your personal medical indemnity coverage.

System safeguards

  • Design principles which restrict access to authorised healthcare providers operating within an authorised healthcare organisation
  • Data is stored in Australia on government servers
  • Security vigilance with encryption and digital authentication, and access monitoring and penetration testing.

Regulatory safeguards

  • Various Acts, Regulations and Rules protect My Health Record data and help ensure it is used safely
  • Oversight by government agencies and departments such as the Office of the Australian Information Commissioner (OAIC).

The characteristics of a breach of health and personal information relating to the My Health Record system are outlined in the My Health Records Act 2012. According to this Act, a data breach involves:

  • the unauthorised collection, use or disclosure of health information in an individual’s My Health Record”, or
  • an event/circumstances that compromises, may compromise, have compromised, or may have compromised the security or integrity of the My Health Record system.

In the event of a potential/actual data breach involving My Health Record

As soon as you are aware that a data breach has (or might have) occurred, you must:

  • Contact your medical defence organisation
  • Advise the Australian Digital Health Agency so they can notify the people affected
  • Advise the Office of the Australian Information Commissioner (OAIC)
  • Take steps to prevent additional breaches
This event attracts CPD points and can be self recorded

Did you know you can now log your CPD with a click of a button?

Create Quick log