My Health Record

What is My Health Record?

My Health Record:

• is a national digital health record system
• was previously known as Personally Controlled Electronic Health Records (PCEHR) or eHealth records
• is a summary of an individual’s key health information that can be shared securely online between the individual and their healthcare providers
• does not replace a doctor’s own records.

The opt-out trial

Originally, My Health Record was an opt-in system and patients had to actively register. Now, an opt-out model has been trialled in Northern Queensland and the Nepean Blue Mountains area. People with a registered Medicare address in these areas had until 27 May 2016 to opt out of having a My Health Record automatically created for them. The opt-out rate was 1.9%, meaning that almost one million extra records have been added. This brings the total number of registrants to over 3.8 million at 30 June 2016.

Practice participation

For practices, participation in the My Health Record system requires a number of initial steps, and ongoing compliance with legislative requirements.¹

Issues to be addressed include:

• computer security
• software functionality and secure messaging capability
• data quality in the medical records²
• training staff and appointing specific responsible staff³
• written policies and procedures.

Training

• Online training is available, including specific modules for general practice and specialist practice at the My Health Record website.⁴
• Software training and downloadable guides are also available from the Australian Digital Health Agency (ADHA).⁵
• Face-to-face training can be organised through local Primary Health Networks.

Incentive payments for general practices

General practices can claim an incentive payment for participating in My Health Record. There are a number of criteria they must comply with to receive the full benefit, including uploading a minimum number of Shared Health Summaries.⁶ The RACGP also has some useful resources.⁷

Medico-legal issues

Consent

• When registering for My Health Record, patients are required to give a “standing consent” for the upload of documents. The patient must be adequately informed before giving consent. There is no requirement for a provider to obtain consent on each occasion prior to uploading clinical information, except that specific consent is required to upload sensitive information such as HIV status.
• Written consent is recommended from the patient when they register at a practice – that they understand what will be in the record and who can access it. Verbal consent can be obtained prior to uploading any information to the record.
• Patients can control which healthcare providers have access to their My Health Record and they can remove documents themselves. They cannot edit a document that a doctor has uploaded.
• In an emergency, a provider can assert emergency access functionality which will override the existing access controls for a specified period.

Privacy

System security includes strong encryption, firewalls, secure login/authentication and audit logging (“bank-strength” security). Access to My Health Record is limited by law to specific situations, e.g. registered healthcare providers delivering health care. Practices must meet specific privacy and security requirements, including having a policy setting out access and security procedures. Worksheets and templates to help practices are available.⁸

The Office of the Australian Information Commissioner (OAIC) assessed seven GP practices in Victoria and NSW as being at medium to high risk of breaching privacy laws when using the My Health Record.⁹ Passwords were too weak or not changed often enough, a record of the master copy was kept at the clinic, and computers did not have self-locking screen savers turned on.

Legislation requires mandatory notification to the OAIC if a breach of privacy occurs, and the OAIC has a guide to mandatory notifications.¹⁰ There are significant sanctions for misuse of the information, but not where a mistake is made.

Useful websites

• My Health Record: myhealthrecord.gov.au
• Australian Digital Health Agency (formerly NEHTA): digitalhealth.gov.au

Helpline

• Help centre: phone 1300 901 001
• Email: help@digitalhealth.gov.au 

Karen Stephens
Risk Adviser, MDA National

References

1. Australian Digital Health Agency. My Health Record System Participation Obligations. Available at: digitalhealth.gov.au/using-the-my-health-record-system/maintaining-digital-health-in-your-practice/my-health-record-system-participation-obligations
2. Australian Digital Health Agency. Data Quality Checklist. Available at: myhealthrecord.gov.au/sites/g/files/net4206/f/factsheet-data-quality-my-health-record-20170503.pdf
3. Staff management activities under: Managing your organisation’s digital health information. Available at: digitalhealth.gov.au/using-the-my-health-record-system/maintaining-digital-health-in-your-practice/managing-your-organisation-s-digital-health-information
4. Australian Digital Health Agency. Online Training. Available at: digitalhealth.gov.au/using-the-my-health-record-system/digital-health-training-resources/my-health-record-online-training
5. Australian Digital Health Agency. Training Resources. Available at: digitalhealth.gov.au/using-the-my-health-record-system/digital-health-training-resources
6. Australian Digital Health Agency. Practice Incentives Program eHealth Incentive. myhealthrecord.gov.au/internet/mhr/publishing.nsf/Content/news-003
7. Royal Australian College of General Practitioners. Digital Health Incentive Resources. racgp.org.au/download/Documents/e-health/Digital%20health%20incentive/Digital-PIP-General-information.pdf
8. Australian Digital Health Agency. Privacy and Security for Digital Health.
9. Office of the Australian Information Commissioner. eHealth System: Access Security Controls of Seven Healthcare Provider Organisations 2015. Available at: oaic.gov.au/privacy-law/assessments/ehealth-system-access-security-controls-of-seven-healthcare-provider-organisations
10. Office of the Australian Information Commissioner. Guide to Mandatory Data Breach Notification in the PCEHR System. Available at: oaic.gov.au/agencies-and-organisations/guides/guide-to-mandatory-dbn-in-pcehr-system