Go to top of page

My Health Record System Operator reporting requirements

The My Health Record system operates under the My Health Records Act 2012. This Act establishes the role and functions of the Agency as System Operator; a registration framework for individuals, and entities (such as healthcare provider organisations) to participate in the system; and a privacy framework (aligned with the Privacy Act 1988) specifying which entities can access and use information in the system, and the penalties that can be imposed on improper use of this information.

The Agency takes the security of patient’s health and other personal information very seriously. Many of the protections provided by the My Health Records Act are about ensuring that Australians have strong protection of their digital records. These protections are underpinned by rigorous reporting obligations.

Section 107 of the My Health Records Act requires the Agency to include statistics in its annual report on My Health Record system registration, usage, security, and complaints, and the outcomes of those complaints in terms of investigations, enforceable undertakings or court proceedings seeking injunctive relief. These statistics are outlined in the following table.

My Health Record system registration, usage, security and complaints

Reporting requirement


Registrations, cancellations, suspensions of registrations

As at 30 June 2020, there were 22.78 million active records in the My Health Record system (a 1% increase on 2018–19).

In 2019–20 the System Operator registered an additional 2,209 healthcare provider organisations (reflecting a 40% decrease on the previous year). 157 registrations (an increase of 64%) were cancelled or suspended for reasons such as a provider organisation discontinuing operations or transferring ownership.

Use of the My Health Record system by healthcare providers and healthcare recipients

A total of 1,751,007 people accessed their My Health Record via the national consumer portal in 2019–20 (an increase of 0.5% on 2018–19).

An average of 4,057 unique healthcare provider organisations, via their clinical information systems, viewed records each week during 2019–20 (a 76% increase).

An average of 8,023 unique healthcare provider organisations uploaded documents to the My Health Record system each week during 2019–20(a 23% increase).

A total of 810 million documents were uploaded to the My Health Record system in 2019–20 (a 64% increase on 2018–19).

Occurrences relating to the integrity or security of the My Health Record system

Over 2019–20, two (2) matters were reported under section 75 of the My Health Records Act 2012:

One matter was reported to the Office of the Australian Information Commissioner (OAIC) by the Agency, as System Operator. It related to circumstances that may have resulted in a compromise to external IT infrastructure supporting the My Health Record system. Investigations into this situation concluded that there was not any unauthorised access to health information. This potential threat to the supporting IT infrastructure connected to the My Health Record system was identified and promptly addressed. There was no impact to the safety of health information in the system.

The second matter was reported by a State or Territory body to the Agency as System Operator. As this matter related to a State or Territory authority or an instrumentality of a State or Territory, notification to the OAIC was not required. It related to potential unauthorised access to a My Health Record. Investigations concluded that the individual whose record was accessed was receiving treatment at the healthcare facility, and the login used to access the record belonged to a member of the person’s treating team.

Complaints received, investigations undertaken, enforceable undertakings accepted, injunctions granted

Complaints to the Agency about My Health Record are made to the call centre, in email, through the website form or in writing. Complaints are escalated through the Agency for investigation and response if the issue is complex or relates to a potential privacy, clinical or cyber security breach.

Over 2019–20, the Agency received 134 complaints in relation to the My Health Record through the ‘contact us’ form, call centre, email channels and by white mail. No enforceable undertakings were accepted by the System Operator and no proceedings were initiated by the System Operator in relation to enforceable undertakings or injunctions.