What Security And Access Controls Does My Health Record Have?

The Australian Digital Health Agency (ADHA), as the system operator, is responsible for the security of the My Health Record system. They have in place a comprehensive set of people, processes, and technology controls to protect health records from a cyber-attack. The ADHA advises that the system has bank strength security which ensures information is stored and accessed by only trusted, connected health systems.

Accessing and uploading to a My Health Record

A My Health Record can be accessed by any registered healthcare providers involved in the care of a patient.

In registering for a My Health Record, patients provide standing consent for all healthcare organisations involved in their care to view and upload clinical information to their record. When uploading a new Shared Health Summary it is important that the patients consent is obtained. Although it is not legally required to obtain consent when uploading other document types, it is good medical practice to advise a patient when information is uploaded to their My Health Record.

The My Health Record legislation does not prevent a healthcare provider from accessing and viewing an individual’s My Health Record outside of a consultation provided that access is for the purpose of providing healthcare to the individual.

Individual access control

Individuals control which healthcare organisations can access the information in their My Health Record by enabling advanced privacy controls. Individuals can limit access to their entire record or to some documents using an access code.

In an emergency, a provider can assert the emergency access functionality which will override the existing access controls for a specified period.

For more information see privacy and security for providers or My Health Record privacy policy.

Download My Health Record Security fact sheet.