Penalties in place for accessing health information without permission from My Health Record?

Sue Q made this Freedom of Information request to Department of Health

The request was successful.

From: Sue Q


Dear Department of Health,

Please advise of legislated penalties for anyone accessing a My Health Record without the permission of the recipient of care.

Yours faithfully,

Sue Q


From: FOI
Department of Health

Attention: Sue Q

I refer to your email of 27 June 2018 to the Department of Health (Department) regarding the unauthorised access to My Health Record information.

The My Health Records Act 2012 specifies penalties that apply to the unauthorised collection, use or disclosure of health information in a My Health Record.

Sections 59 and 60 of the Act prohibit the collection, use or disclosure of such information unless it is authorised by Division 2 of Part 4 of the Act. Contravention of these prohibitions is subject to serious penalties – the civil penalty is up to $126,000 for an individual ($630,000 for bodies corporate), and the criminal penalty is up to two years’ imprisonment and/or up to $25,200 for individuals ($126,000 for bodies corporate).

While a consumer may give consent to the collection, use or disclosure of their health information for any purpose (section 66 of the Act refers), this is only one circumstance in which an entity may be authorised. There are other circumstances set out in Division 2 of Part 4 of the Act in which a particular entity is authorised to collect, use or disclose this information for particular purposes, including for the purposes of providing healthcare to the consumer, responding to a direction by a court or coroner, and law enforcement.

The default access controls on a My Health Record allow any healthcare provider organisation to access that My Health Record if they are providing care to the consumer. A consumer can set these access controls to restrict access by healthcare provider organisations. If a consumer has restricted access (such as through the use of a Record Access Code), access to that My Health Record for health purposes must be in accordance with those access controls – that is, the organisation needs the code in order to access the record – except in an emergency. Emergency access, as with any type of access to a consumer’s My Health Record, is monitored by the My Health Record System Operator to check for suspicious activity, and the consumer can check their access log at any time and be automatically notified of activity.

I hope this information is helpful. If you have any further questions about the legislative framework for the My Health Record system, you can write to [email address]. Questions about the My Health Record system more generally can be directed to the Australian Digital Health Agency’s My Health Record hotline on 1800 723 471.

FOI Officer

Legal Advice & Legislation Branch
Legal & Assurance Division
Australian Government Department of Health
T: (02) 6289 1666 | E: [Health request email]

PO Box 9848, Canberra ACT 2601, Australia

The Department of Health acknowledges the traditional owners of country throughout Australia, and their continuing connection to land, sea and community. We pay our respects to them and their cultures, and to elders both past and present.


From: Sue Q


Dear FOI,
Many thanks for your comprehensive and enlightening response.
Yours sincerely,

Sue Q
