Unauthorised access
Under the My Health Records Act, it is an offence for a person to collect, use or disclose health information contained in a My Health Record if that activity is not authorised under the Act and the person knows the activity is not authorised, or is reckless as to whether it is authorised.
Penalties apply for inappropriate use of information in My Health Record, ($333,000 for an individual and $1,665,000 for a body corporate), or up to five years’ imprisonment.
Accessing a My Health Record by mistake is not associated with a penalty under the My Health Records Act, but might constitute a privacy breach under the Privacy Act 1988 (Cwlth). Failure to notify the Office of the Australian Information Commissioner (OAIC) might incur a civil penalty of up to 100 penalty units ($18,000 for an individual and $90,000 for a body corporate).
The RACGP supports the OAIC’s preferred regulatory approach to facilitate voluntary compliance with privacy obligations and to work with entities to ensure best privacy practice and prevent privacy breaches.
For more information, visit the Agency’s website.