My Health Record in general practice

Security and access

Last revised: 18 Apr 2023

My Health Record security

Only healthcare providers who have been authorised by their organisation to access My Health Record can access health information within a patient’s record. All access and use of the My Health Record system is captured in an audit trail.

All databases, including general practice records, can be subject to data safety and privacy issues, such as:

  • identification issues and duplicate records
  • unauthorised access to records and data breaches
  • missing data
  • software and system issues.

Types of safeguards to manage risks

There are three types of safeguards to protect the security and privacy of My Health Record data: practice safeguards, system safeguards, and regulatory safeguards.

Practice safeguards:

  • implementing policies and procedures which govern the use of My Health Record at the individual general practice level
  • providing education for all practice staff involved in the use of My Health Record (initial and ongoing training)
  • promoting a culture of security among practice staff (for example, a culture of keeping devices and passwords secure and ensuring that screens are turned away from view or located in areas under appropriate surveillance)
  • taking reasonable steps, such as account management measures, to prevent misuse of or unauthorised access to Healthcare Identifiers
  • taking care to ensure information is accurate to the best of your knowledge before uploading to My Health Record
  • having personal medical indemnity coverage.

System safeguards:

  • design principles which restrict access to authorised healthcare providers operating within a registered healthcare organisation
  • data storage being in Australia, on government servers
  • security vigilance with encryption and digital authentication, access monitoring and penetration testing.

Regulatory safeguards:

  • various Acts, Regulations and Rules protecting My Health Record data and ensuring it is used safely
  • oversight by government agencies and departments such as the Office of the Australian Information Commissioner (OAIC).

Unauthorised access

Under the My Health Records Act, it is an offence for a person to collect, use or disclose health information contained in a My Health Record if that activity is not authorised under the Act and the person knows the activity is not authorised, or is reckless as to whether it is authorised.

Financial penalties and imprisonment (up to 5 years) apply for inappropriate use of information in My Health Record.

Accessing a My Health Record by mistake is not associated with a penalty under the My Health Records Act, but might constitute a privacy breach under the Privacy Act 1988 (Cwlth). Failure to notify the Office of the Australian Information Commissioner (OAIC) might incur a civil penalty of up to 100 penalty units ($33,000 for an individual and $165,000 for a body corporate).

The RACGP supports the OAIC’s preferred regulatory approach to facilitate voluntary compliance with privacy obligations and to work with entities to ensure best privacy practice and prevent privacy breaches.

For more information, visit the Agency’s website.