Safety and security
How safe is the data?
- The My Health Record system has been in operation since 2012 (originally as the Personally Controlled Electronic Health Record or PCEHR). There has never been a security breach of the My Health Record system. The system is designed to the highest level of security and privacy to keep health information safe and secure.
- Healthcare recipients can access their My Health Record, ATO, Medicare, Centrelink, and NDIS accounts via the secure myGov platform.
- Only authorised healthcare providers can access their patients My Health Record. All access and use of the My Health Record system is captured in an audit trail.
- All databases, including general practice records, can be subject to data safety and privacy issues, such as:
- Identification issues and duplicate records
- Unauthorised access to records and data breaches
- Missing data
- Software and system issues
- The Agency has developed guidance materials specifically for the Australian health sector that promotes awareness of information security and provides practical advice. You can read further information here. The Agency also offers a Digital Health Security Awareness course, available here.
Types of safeguards to manage risks
There are three types of safeguards to protect the security and privacy of My Health Record data.
- Policies and procedures which govern the use of My Health Record at the individual general practice level. There are a number of specific requirements for this policy and the RACGP has developed a policy template for this purpose
- Education for all practice staff involved in the use of My Health Record (initial and ongoing training)
- A culture of security among practice staff (a culture of keeping devices and passwords secure)
- Your personal medical indemnity coverage.
- Design principles which restrict access to authorised healthcare providers operating within an authorised healthcare organisation
- Data is stored in Australia on government servers
- Security vigilance with encryption and digital authentication, access monitoring and penetration testing.
- Various Acts, Regulations and Rules protect My Health Record data and help ensure it is used safely
- Oversight by government agencies and departments such as the Office of the Australian Information Commissioner (OAIC).
Data breaches and My Health Record
The characteristics of a breach of health and personal information relating to the My Health Record system are outlined in the My Health Records Act 2012. According to this Act, a data breach involves:
- the unauthorised collection, use or disclosure of health information in an individual’s My Health Record, or
- an event/circumstances that compromises, may compromise, has compromised, or may have compromised the security or integrity of the My Health Record system.
In the event of a potential/actual data breach involving My Health Record
As soon as you are aware that a data breach has (or might have) occurred, you must:
- Contact your medical defence organisation (MDO)
- Advise the Australian Digital Health Agency so they can notify the people affected
- Advise the Office of the Australian Information Commissioner (OAIC)
- Take steps to prevent additional breaches
For more information:
Relevant RACGP resources
- Notifiable data breaches fact sheet
- Agreement to access the My Health Record template for general practices