Australian Parliament passes legislation to strengthen My Health Record Privacy


On 26 November 2018, the Australian Parliament passed the My Health Records Amendment (Strengthening Privacy) Bill 2018.

The measures allow Australians to opt in or opt out of having a My Health Record at any time during their life. Records will be created for every Australian who wants one after 31 January 2019. After this date, a person can delete their record permanently at any time.

These changes are in response to the Australian community’s calls for even stronger privacy and security protections for people using My Health Record.

Access by insurers and employers

The Australian Digital Health Agency will not approve the release of an individual's personal or health information to a third party except where it is related to the provision of healthcare or is otherwise authorised or required by law. 

Under these measures, insurers and employers are prohibited from accessing any information within your My Health Record or asking you to disclose your information.

The primary purpose of My Health Record is to improve your care, and access to your information by private health insurers and employers is not healthcare.

Access by law enforcement and government agencies

Under the Agency’s official operating policy, no information within My Health Record can be released without an order from a judicial officer. To date, the Agency has never received such a request and has never released information.

Under these measures, the Agency’s policy will be protected in law and will give Australians the assurance that no information can ever be released without oversight from a judicial officer.

Permanent deletion of a cancelled My Health Record

You will be able to permanently delete a My Health Record at any time, if you decide you would no longer like one. No archived copy or backup will be kept, and deleted information won’t be able to be recovered.

A My Health Record that was cancelled in the past (and archived) will also be permanently deleted. If you cancel a record at any time it will be permanently deleted.

Greater privacy for teenagers aged 14 and over

Under these measures, once a teenager turns 14, parents will automatically be removed as authorised representatives.

Increased penalties for misuse of information

Harsher fines and penalties will apply for inappropriate or unauthorised use of information in a My Health Record. Civil fines will increase to a maximum of $315,000, with criminal penalties including up to 5 years’ jail time.

Strengthening protections for victims of domestic and family violence

There are currently safeguards in place to protect victims of domestic and family violence. Under the changes, the Agency will no longer be obliged to notify people of certain decisions if doing so would put another person at risk.

In addition, parents subject to a court order, where they do not have unsupervised access to their child, or who pose a risk to the life, health and safety of the child or another person will no longer be eligible to be an Authorised Representative. 

We will continue to work and consult with relevant stakeholders to continually reduce misuse of the My Health Record system.

Access to a My Health Record by government agencies

These changes clarify that our powers as the System Operator of My Health Record can’t be delegated to another government agency, with the exception of the Department of Health and the Chief Executive of Medicare.

This will provide Australians with greater assurances that only government agencies involved in the efficient delivery of My Health Record have access to the system.

Use of My Health Record data for research purposes

The My Health Record system is a valuable source of information on Australia’s health system and the outcomes of care being achieved. This information can guide service planning, policy development and research to further improve the Australian health system.

The principles contained within the Framework to guide the secondary uses of data will become law (within the My Health Record Rules). A Data Governance Board will be established to approve the release of any data in line with these rules.

Lastly, it will also be clarified that insurers cannot access data for any reason.

No commercial use of My Health Record data

The legislation makes clear that the My Health Record system cannot be privatised or used for commercial purposes. Only a government organisation will be able to manage the My Health Record system.
