Posted on
- updated on

How practices can prepare for the My Health Record (MHR) opt-out period – now extended until 31 January 2019 – and answers to patients’ questions.

Until 31 January 2019, patients who do not want a MHR can opt-out by visiting the MHR website or calling the MHR help line on 1800 723 471. They will not have a record created for them. For more information, view the Australian Digital Health Agency’s step-by-step guide.

In response to public calls for stronger privacy and security protections for people using MHR, the My Health Records Act has been amended to introduce various measures to strengthen MHR privacy. The new measures, which commenced on 10 December, 2018:

Allow permanent deletion of cancelled records

Australians can opt-in or opt-out of having a MHR at any time during their life. Records will be created for every Australian after 31 January 2019 if they have not opted out. After this date, a person can delete their record permanently at any time. No archived copy or back-up will be kept and deleted information won’t be able to be recovered.

A MHR that was cancelled in the past (and archived) will also be permanently deleted.

Prohibit insurers and employers from using MHR information

Under the amendments, insurers and employers are prohibited from using information within a patient’s MHR, or asking a person to disclose their information, for insurance or employment purposes.

Require a court order to access MHR information

The Australian Digital Health Agency will not approve the release of an individual's personal or health information to a third party except where it is related to the provision of healthcare or is otherwise authorised or required by law.

The reforms give patients assurance that no information within MHR can be released without an order from a judicial officer.

Increase privacy for teenagers aged 14 and over

Under the MHR system, authorised representatives, such as a parent or legal guardian, have control of their child’s MHR from 0 to 14 years.

Anyone under 14 who can prove to the Australian Digital Health Agency they are a ‘mature minor’, can take control of their existing record.

The reforms allow teenagers more privacy in relation to their health information and parents will automatically be removed as authorised representatives on a teenager’s MHR once they turn 14.

Strengthen protections for victims of domestic and family violence

Under the changes, the Australian Digital Health Agency will no longer be obliged to notify people of certain decisions if doing so would put another person at risk.

Furthermore, parents subject to a court order, where they do not have unsupervised access to their child, or who pose a risk to the life, health and safety of the child or another person will no longer be eligible to be an authorised representative.

Increase penalties for misuse of information

Harsher fines and penalties will apply for inappropriate or unauthorised use of information in a MHR. Civil fines will increase to a maximum of $315,000, with criminal penalties including up to five years’ jail time.

Clarify management of MHR system by Government agencies

To provide Australians with greater reassurance, only the Australian Digital Health Agency, Department of Health and the Chief Executive of Medicare have the power to manage the MHR system.

Not allow commercial use of MHR data

The reforms clarify the MHR system cannot be privatised or used for commercial purposes. Only a government organisation will be able to manage the MHR system.

MHR activation

A MHR will be created for all Australians with a Medicare card or Department of Veterans’ Affairs card who do not opt-out. However, the MHR will not contain any content. The patient’s MHR will be activated when the patient logins for the first time or when a healthcare provider accesses the record during treatment. Two years of Medicare and PBS records will then be added to the MHR, unless a patient chooses not to include this information. Patients will also be able to upload personal notes, advanced care documentation, and medication and allergy information.

Patient consent and restricting access

Patients provide a ‘standing consent’ for all healthcare organisations involved in their care to upload clinical information to their record. Providers do not need to obtain consent on each occasion prior to uploading clinical information. However, the AMA’s Guide to using the My Health Record (currently under review), recommends advising a patient you will be uploading information to their MHR, particularly if this information might be considered sensitive.

Patients can ask their healthcare provider not to add specific test reports and other medical information to their MHR. Patients can also restrict access to specific information by applying a Limited Access Code to that specific document – or by applying a Personal Access Code to the entire record.

If a patient requests that a clinical document is not uploaded, a provider is obliged to follow this request.

More information

View our list of resources in PracticeHub to help you navigate MHR.

The Australian Digital Health Agency offers online training for health practitioners and patients on MHR and has developed a series of educational webinars.

Georgie Haysom, BSc, LLB (Hons), LLM (Bioethics), GAICD, Head of Research, Education and Advocacy, Avant


No items found.