Go to top of page

My Health Record System Operator reporting requirements

The My Health Record system operates under the My Health Records Act 2012. This Act establishes the role and functions of the Agency as System Operator; a registration framework for individuals, and entities (such as healthcare provider organisations) to participate in the system; and a privacy framework (aligned with the Privacy Act 1988) specifying which entities can access and use information in the system; and the penalties that can be imposed on improper use of this information.

The Agency takes the security of patient health and other personal information very seriously. Many of the protections provided by the My Health Records Act are about ensuring that Australians’ digital health records have strong protections. These protections are underpinned by rigorous reporting obligations.

Section 107 of the My Health Records Act requires the Agency to include statistics in its annual report on My Health Record system registration, usage, security, and complaints, and the outcomes of those complaints in terms of investigations, enforceable undertakings or court proceedings seeking injunctive relief. These statistics are outlined below.

My Health Record system registration, usage, security and complaints

Reporting requirement

Statistics

Registrations, cancellations, suspensions of registrations

  • In 2020-21 as System Operator, the Agency registered 377,618 people for a My Health Record (a seven percent decrease on 2019-20). This takes the total active records in the My Health Record System to 23 million.
  • In 2020-21 the System Operator registered an additional 2,620 healthcare provider organisations (a 12% increase on the previous year). A total of 134 registrations (an increase of 15%) were cancelled or suspended for reasons such as a provider organisation discontinuing operations or transferring ownership.

Use of the My Health Record system by healthcare providers and healthcare recipients

  • A total of 2,690,310 people accessed their My Health Record in 2020–21 (up 14% on 2019-20).
  • An average of 4,917 unique healthcare provider organisations, via their clinical information systems, viewed records each week during 2020–21 (21% increase).
  • An average of 8,845 unique healthcare provider organisations uploaded documents to the My Health Record system each week during 2020-21 (10% increase).
  • A total of 872,111,307 documents (including Medicare) were uploaded to the My Health Record system in 2020–21 (9% increase on 2019-20).

Occurrences relating to the integrity or security of the My Health Record system

During 2020–21, seven matters were reported under section 75 of the My Health Records Act 2012:

  • Two were reported to the Office of the Australian Information Commissioner (OAIC) by the Agency, as the My Health Record System Operator. Of these:
  • One matter related to incorrect cancellation of a person’s My Health Record. The affected healthcare recipient was contacted, and a review of internal processes was undertaken to mitigate the risk of future incidents.
  • One matter related to My Health Record access by care team members via an atypical software configuration. This access occurred with the consent of healthcare recipients. The System Operator and the software provider have worked collaboratively to identify appropriate adjustments to the software.
  • Five matters were reported to the System Operator by healthcare provider organisations:
  • Four separate matters related to access to a single My Health Record by a staff member. The relevant staff members were counselled and received additional guidance in relation to appropriate use.
  • One matter related to suspected unauthorised access. However, subsequent investigations showed that no My Health Record information was accessed.

Note: healthcare provider organisations are required to notify the System Operator and the OAIC. However, where the entity is a State or Territory authority, notification to the OAIC is not required.

Complaints received, investigations undertaken, enforceable undertakings accepted, injunctions granted

  • Complaints to the Agency about My Health Record are made to the call centre via email through a website form or in writing. Complaints are escalated through the Agency for investigation and response if the issue is complex or relates to a potential privacy, clinical or cyber security breach.
  • In 2020–21, the Agency received 72 complaints in relation to the My Health Record through the ‘contact us’ form, call centre, email or paper mail. No enforceable undertakings were sought by the System Operator and no proceedings were initiated by the System Operator in relation to enforceable undertakings or injunctions.