Federal Register of Legislation - Australian Government


My Health Records Act 2012

Authoritative Version
  • C2015C00602
  • In force - Superseded Version
Act No. 63 of 2012 as amended, taking into account amendments up to Health Legislation Amendment (eHealth) Act 2015
An Act to provide for a system of access to electronic health records, and for related purposes
Administered by: Health
Registered 16 Dec 2015
Start Date 27 Nov 2015
End Date 04 Mar 2016

My Health Records Act 2012

No. 63, 2012

Compilation No. 4

Compilation date: 27 November 2015

Includes amendments up to: Act No. 157, 2015

Registered: 16 December 2015

 

About this compilation

This compilation

This is a compilation of the My Health Records Act 2012 that shows the text of the law as amended and in force on 27 November 2015 (the compilation date).

This compilation was prepared on 9 December 2015.

The notes at the end of this compilation (the endnotes) include information about amending laws and the amendment history of provisions of the compiled law.

Uncommenced amendments

The effect of uncommenced amendments is not shown in the text of the compiled law. Any uncommenced amendments affecting the law are accessible on ComLaw (www.comlaw.gov.au). The details of amendments made up to, but not commenced at, the compilation date are underlined in the endnotes. For more information on any uncommenced amendments, see the series page on ComLaw for the compiled law.

Application, saving and transitional provisions for provisions and amendments

If the operation of a provision or amendment of the compiled law is affected by an application, saving or transitional provision that is not included in this compilation, details are included in the endnotes.

Modifications

If the compiled law is modified by another law, the compiled law operates as modified but the modification does not amend the text of the law. Accordingly, this compilation does not show the text of the compiled law as modified. For more information on any modifications, see the series page on ComLaw for the compiled law.

Self‑repealing provisions

If a provision of the compiled law has been repealed in accordance with a provision of the law, details are included in the endnotes.

  

  

  


Contents

Part 1—Preliminary

1  Short title

2  Commencement

3  Object of Act

4  Simplified outline of this Act

4A  Schedule 1

5  Definitions

6  Definition of authorised representative of a healthcare recipient

7  Definition of nominated representative of a healthcare recipient

7A  Duties of authorised representative or nominated representative

8  Things done etc. under provisions of other Acts

9  Definition of identifying information

10  Definition of shared health summary

11  Act to bind the Crown

12  Concurrent operation of State laws

13  External Territories

13A  System Operator may arrange for use of computer programs to make decisions

13B  System Operator may use electronic communications

Part 2—The System Operator and the functions of the Chief Executive Medicare

Division 1—System Operator

14  Identity of the System Operator

15  Functions of the System Operator

17  Retention of records uploaded to National Repositories Service

Division 4—Functions of Chief Executive Medicare

38  Registered repository operator

Part 3—Registration

Division 1—Registering healthcare recipients

39  Healthcare recipients may apply for registration

40  When a healthcare recipient is eligible for registration

41  Registration of a healthcare recipient by the System Operator

Division 2—Registering healthcare provider organisations

42  Healthcare provider organisation may apply for registration

43  When a healthcare provider organisation is eligible for registration

44  Registration of a healthcare provider organisation

45  Condition of registration—uploading of records, etc.

45A  Condition of registration—handling old records that are works subject to copyright

45B  Condition of registration—handling old sound recordings and cinematograph films that are subject to copyright

45C  Liability where work uploaded in breach of section 45A or 45B

46  Condition of registration—non‑discrimination in providing healthcare to a healthcare recipient who does not have a My Health Record etc.

Division 3—Registering repository operators, portal operators and contracted service providers

47  Persons may apply for registration as a repository operator, a portal operator or a contracted service provider

48  When a person is eligible for registration as a repository operator, a portal operator or a contracted service provider

49  Registration of a repository operator, a portal operator or a contracted service provider

50  Condition about provision of information to System Operator

50A  Condition of registration—handling old records that are works subject to copyright

50B  Condition of registration—handling old sound recordings and cinematograph films that are subject to copyright

50C  Liability where work uploaded in breach of section 50A or 50B

50D  Authorisation to make health information available to the System Operator

Division 4—Cancellation, suspension and variation of registration

51  Cancellation or suspension of registration

52  Variation of registration

53  Notice of cancellation, suspension or variation of registration etc.

54  Effect of suspension

55  My Health Records Rules may specify requirements after registration is cancelled or suspended

Division 5—The Register

56  The Register

57  Entries to be made in Register

Division 6—Collection, use and disclosure of information for the purposes of the My Health Record System

58  Collection, use and disclosure of health information by the System Operator

58A  Collection, use and disclosure of healthcare identifiers, identifying information and information identifying authorised representatives and nominated representatives

Part 4—Collection, use and disclosure of health information included in a healthcare recipient’s My Health Record

Division 1—Unauthorised collection, use and disclosure of health information included in a healthcare recipient’s My Health Record

59  Unauthorised collection, use and disclosure of health information included in a healthcare recipient’s My Health Record

60  Secondary disclosure

Division 2—Authorised collection, use and disclosure

Subdivision A—Collection, use and disclosure in accordance with access controls

61  Collection, use and disclosure for providing healthcare

62  Collection, use and disclosure to nominated representative

Subdivision B—Collection, use and disclosure other than in accordance with access controls

63  Collection, use and disclosure for management of My Health Record system

64  Collection, use and disclosure in the case of a serious threat

65  Collection, use and disclosure authorised by law

66  Collection, use and disclosure with healthcare recipient’s consent

67  Collection, use and disclosure by a healthcare recipient

68  Collection, use and disclosure for indemnity cover

69  Disclosure to courts and tribunals

70  Disclosure for law enforcement purposes, etc.

Division 3—Prohibitions and authorisations limited to My Health Record system

71  Prohibitions and authorisations limited to health information collected by using the My Health Record system

Division 4—Interaction with the Privacy Act 1988

72  Interaction with the Privacy Act 1988

73  Contravention of this Act is an interference with privacy

73A  Information Commissioner may disclose details of investigations to System Operator

73B  Obligations of System Operator in relation to correction, etc.

Part 5—Other civil penalty provisions

74  Registered healthcare provider organisations must ensure certain information is given to System Operator

75  Data breaches

76  Requirement to notify if cease to be eligible to be registered

77  Requirement not to hold or take records outside Australia

78  My Health Records Rules must not be contravened

Part 6—Enforcement

Division 1—Civil penalties

79  Civil penalty provisions

Division 2—Enforceable undertakings

80  Enforceable undertakings

Division 3—Injunctions

81  Injunctions

Part 8—Other matters

Division 1—Review of decisions

97  Review of decisions

Division 2—Delegations

98  Delegations by the System Operator

Division 3—Authorisations of entities also cover employees

99  Authorisations extend to employees etc.

Division 4—Treatment of certain entities

100  Treatment of partnerships

101  Treatment of unincorporated associations

102  Treatment of trusts with multiple trustees

104  Division does not apply to Division 3 of Part 3

Division 5—Alternative constitutional bases

105  Alternative constitutional bases

Division 6—Annual reports and review of Act

106  Annual reports by Information Commissioner

107  Annual reports by the System Operator

108  Review of the operation of the Act

Division 7—My Health Records Rules, regulations and other instruments

109  Minister may make My Health Records Rules

110  Minister may determine a law of a State or Territory to be a designated privacy law

111  Guidelines relating to the Information Commissioner’s enforcement powers etc.

112  Regulations

Schedule 1—My Health Records for all healthcare recipients

Part 1—Opt‑out model for the participation of healthcare recipients in the My Health Record system

1  Trial of opt‑out model

2  Minister may apply the opt‑out model to all healthcare recipients after trial

Part 2—Registering all healthcare recipients

Division 1—Registering healthcare recipients

3  Registration of a healthcare recipient by the System Operator

4  When a healthcare recipient is eligible for registration

5  Healthcare recipient elects not to be registered

6  Healthcare recipients may apply for registration

Division 2—Information sharing for the purposes of the opt‑out system

7  Collection, use and disclosure of health information by the System Operator

8  Collection, use and disclosure of healthcare identifiers, identifying information and information identifying authorised representatives and nominated representatives

Division 3—Handling health information for the purposes of a healthcare recipient’s My Health Record

Subdivision A—Healthcare provider to upload health information

9  Authorisation for healthcare provider to upload health information

Subdivision B—Functions of the Chief Executive Medicare

10  Registered repository operator

11  Uploading health information to the repository

12  Making health information available to the System Operator

13  Healthcare recipient may elect not to have health information disclosed to the System Operator

14  Health information uploaded or made available may include details of healthcare providers

15  Way in which repository operated not limited by this Division

Subdivision C—Other registered repository operators

16  Making health information available to the System Operator

Part 3—Other consequences of applying the opt‑out rules

17  References to other provisions of this Act

Endnotes

Endnote 1—About the endnotes

Endnote 2—Abbreviation key

Endnote 3—Legislation history

Endnote 4—Amendment history


An Act to provide for a system of access to electronic health records, and for related purposes

Part 1—Preliminary

  

1  Short title

                   This Act may be cited as the My Health Records Act 2012.

2  Commencement

             (1)  Each provision of this Act specified in column 1 of the table commences, or is taken to have commenced, in accordance with column 2 of the table. Any other statement in column 2 has effect according to its terms.

 

Commencement information

| Column 1: Provision(s) | Column 2: Commencement | Column 3: Date/Details |
|---|---|---|
| 1.  Sections 1 and 2 and anything in this Act not elsewhere covered by this table | The day this Act receives the Royal Assent. | 26 June 2012 |
| 2.  Sections 3 to 112 | A day or days to be fixed by Proclamation. However, if any of the provision(s) do not commence by the later of: (a) 1 July 2012; and (b) the day this Act receives the Royal Assent; they commence on the day after the later of those days. | 29 June 2012 (see F2012L01395) |

Note:          This table relates only to the provisions of this Act as originally enacted. It will not be amended to deal with any later amendments of this Act.

             (2)  Any information in column 3 of the table is not part of this Act. Information may be inserted in this column, or information in it may be edited, in any published version of this Act.

3  Object of Act

                   The object of this Act is to enable the establishment and operation of a voluntary national system for the provision of access to health information relating to recipients of healthcare, to:

                     (a)  help overcome the fragmentation of health information; and

                     (b)  improve the availability and quality of health information; and

                     (c)  reduce the occurrence of adverse medical events and the duplication of treatment; and

                     (d)  improve the coordination and quality of healthcare provided to healthcare recipients by different healthcare providers.

4  Simplified outline of this Act

The My Health Record system is a system for making health information about a healthcare recipient available for the purposes of providing healthcare to the recipient.

A healthcare recipient will have a My Health Record if the recipient registers in the My Health Record system. The Minister may, however, provide that the opt‑out model is to apply under My Health Records Rules made under Schedule 1. A healthcare recipient covered by those Rules will be registered in the My Health Record system, and have a My Health Record, unless the recipient elects to opt‑out of the system.

The My Health Record system is operated by the System Operator. The System Operator operates the National Repositories Service, that stores key records that form part of a healthcare recipient’s My Health Record. Other records are stored by registered repository operators. Together these records make up a healthcare recipient’s My Health Record.

If a healthcare recipient is registered in the My Health Record system, a healthcare provider may upload health information about the recipient to the My Health Record system, unless the record is one which the healthcare recipient has advised the healthcare provider not to upload or the record is not to be uploaded under prescribed laws of a State or Territory.

Health information may be collected, used and disclosed from a healthcare recipient’s My Health Record for the purpose of providing healthcare to the recipient, subject to any access controls set by the recipient (or if none are set, default access controls). There are other limited circumstances in which health information may be collected, used or disclosed from a My Health Record. Criminal and civil penalties apply if a person collects, uses or discloses information from a My Health Record without authorisation. Enforceable undertakings and injunctions are also available to enforce the provisions of this Act.

An authorisation to collect, use or disclose information under this Act is also an authorisation to do so for the purposes of the Privacy Act 1988. A contravention of this Act is also an interference with privacy for the purposes of the Privacy Act 1988, and so can be investigated under that Act.

4A  Schedule 1

                   Schedule 1 has effect.

Note:          Schedule 1 deals with the opt‑out model for registering healthcare recipients in the My Health Record system.

5  Definitions

                   In this Act:

approved form means a form approved by the System Operator, in writing, for the purposes of the provision in which the expression occurs.

Australia, when used in a geographical sense, includes the external Territories.

authorised representative of a healthcare recipient has the meaning given by section 6.

Chief Executive Medicare has the same meaning as in the Human Services (Medicare) Act 1973.

cinematograph film has the same meaning as in the Copyright Act 1968.

civil penalty provision has the same meaning as in the Regulatory Powers Act.

contracted service provider of a healthcare provider organisation means an entity that provides:

                     (a)  information technology services relating to the My Health Record system; or

                     (b)  health information management services relating to the My Health Record system;

to the healthcare provider organisation under a contract with the healthcare provider organisation.

date of birth accuracy indicator means a data element that is used to indicate how accurate a recorded date of birth is.

date of death accuracy indicator means a data element that is used to indicate how accurate a recorded date of death is.

Defence Department means the Department that:

                     (a)  deals with matters arising under section 1 of the Defence Act 1903; and

                     (b)  is administered by the Minister who administers that section.

designated privacy law means a law determined under section 110 to be a designated privacy law.

employee of an entity includes the following:

                     (a)  an individual who provides services for the entity under a contract for services;

                     (b)  an individual whose services are made available to the entity (including services made available free of charge).

enforcement body has the same meaning as in the Privacy Act 1988.

entity means:

                     (a)  a person; or

                     (b)  a partnership; or

                     (c)  any other unincorporated association or body; or

                     (d)  a trust; or

                     (e)  a part of an entity (under a previous application of this definition).

genetic relative of an individual (the first individual) means another individual who is related to the first individual by blood, including a sibling, a parent or a descendant of the first individual.

healthcare means health service within the meaning of subsection 6(1) of the Privacy Act 1988.

healthcare provider means:

                     (a)  an individual healthcare provider; or

                     (b)  a healthcare provider organisation.

healthcare provider organisation means an entity that has conducted, conducts, or will conduct, an enterprise that provides healthcare (including healthcare provided free of charge).

Note:          Because of paragraph (e) of the definition of entity, a healthcare provider organisation could be a part of an entity.

healthcare recipient means an individual who has received, receives, or may receive, healthcare.

healthcare recipient‑only notes, in relation to a healthcare recipient, means health information included by the healthcare recipient in his or her My Health Record and described in the My Health Record system as healthcare recipient‑only notes (whether using that expression or an equivalent expression).

Health Department of a State or Territory means a Department of state that:

                     (a)  deals with matters relating to health; and

                     (b)  is administered by the State/Territory Health Minister of the State or Territory.

health information has the meaning given by subsection 6(1) of the Privacy Act 1988.

Human Services Department means the Department administered by the Minister administering the Human Services (Medicare) Act 1973.

identifying information has the meaning given by section 9.

index service means the index service maintained by the System Operator for the purposes of the My Health Record system, as mentioned in paragraph 15(a).

individual healthcare provider means an individual who:

                     (a)  has provided, provides, or is to provide, healthcare; or

                     (b)  is registered by a registration authority as a member of a particular health profession.

Ministerial Council means the council (however described) established by the Council of Australian Governments that has responsibility for health matters.

My Health Record of a healthcare recipient means the record of information that is created and maintained by the System Operator in relation to the healthcare recipient, and information that can be obtained by means of that record, including the following:

                     (a)  information included in the entry in the Register that relates to the healthcare recipient;

                     (b)  health information connected in the My Health Record system to the healthcare recipient (including information included in a record accessible through the index service);

                     (c)  other information connected in the My Health Record system to the healthcare recipient, such as information relating to auditing access to the record;

                     (d)  back‑up records of such information.

My Health Records Rules has the meaning given by section 109.

My Health Record system means a system:

                     (a)  that is for:

                              (i)  the collection, use and disclosure of information from many sources using telecommunications services and by other means, and the holding of that information, in accordance with the healthcare recipient’s wishes or in circumstances specified in this Act; and

                             (ii)  the assembly of that information using telecommunications services and by other means so far as it is relevant to a particular healthcare recipient, so that it can be made available, in accordance with the healthcare recipient’s wishes or in circumstances specified in this Act, to facilitate the provision of healthcare to the healthcare recipient or for purposes specified in this Act; and

                     (b)  that involves the performance of functions under this Act by the System Operator.

National Law means:

                     (a)  for a State or Territory other than Western Australia—the Health Practitioner Regulation National Law set out in the Schedule to the Health Practitioner Regulation National Law Act 2009 of Queensland, as it applies (with or without modification) as a law of the State or Territory; or

                     (b)  for Western Australia—the Health Practitioner Regulation National Law (WA) Act 2010 of Western Australia, so far as that Act corresponds to the Health Practitioner Regulation National Law set out in the Schedule to the Health Practitioner Regulation National Law Act 2009 of Queensland.

National Repositories Service means the service referred to in paragraph 15(i).

nominated healthcare provider: a healthcare provider is the nominated healthcare provider of a healthcare recipient if:

                     (a)  an agreement is in force between the healthcare provider and the healthcare recipient that the healthcare provider is the healthcare recipient’s nominated healthcare provider for the purposes of this Act; and

                     (b)  a healthcare identifier has been assigned to the healthcare provider under paragraph 9(1)(a) of the Healthcare Identifiers Act 2010; and

                     (c)  the healthcare provider is an individual registered by a registration authority as one of the following:

                              (i)  a medical practitioner within the meaning of the National Law;

                             (ii)  a registered nurse within the meaning of the National Law;

                            (iii)  an Aboriginal health practitioner, a Torres Strait Islander health practitioner or an Aboriginal and Torres Strait Islander health practitioner within the meaning of the National Law who is included in a class prescribed by the regulations for the purposes of this subparagraph;

                            (iv)  an individual, or an individual included in a class, prescribed by the regulations for the purposes of this subparagraph.

nominated representative of a healthcare recipient has the meaning given by section 7.

parental responsibility: a person has parental responsibility for a healthcare recipient (the child) if, and only if:

                     (a)  the person:

                              (i)  is the child’s parent (including a person who is presumed to be the child’s parent because of a presumption (other than in section 69Q) in Subdivision D of Division 12 of Part VII of the Family Law Act 1975); and

                             (ii)  has not ceased to have parental responsibility for the child because of an order made under the Family Law Act 1975 or a law of a State or Territory; or

                     (b)  under a parenting order (within the meaning of the Family Law Act 1975):

                              (i)  the child is to live with the person; or

                             (ii)  the child is to spend time with the person; or

                            (iii)  the person is responsible for the child’s long‑term or day‑to‑day care, welfare and development; or

                     (c)  the person is entitled to guardianship or custody of, or access to, the child under a law of the Commonwealth, a State or a Territory.

Note:          The presumptions in the Family Law Act 1975 include a presumption arising from a court finding that a person is the child’s parent, and a presumption arising from a man executing an instrument under law acknowledging that he is the father of the child.

participant in the My Health Record system means any of the following:

                     (a)  the System Operator;

                     (b)  a registered healthcare provider organisation;

                     (c)  the operator of the National Repositories Service;

                     (d)  a registered repository operator;

                     (e)  a registered portal operator;

                      (f)  a registered contracted service provider, so far as the contracted service provider provides services to a registered healthcare provider.

personal information has the same meaning as in the Privacy Act 1988.

record includes a database, register, file or document that contains information in any form (including in electronic form).

Register has the meaning given by section 56.

registered contracted service provider means a contracted service provider that is registered under section 49.

registered healthcare provider organisation means a healthcare provider organisation that is registered under section 44.

registered healthcare recipient means a healthcare recipient who is registered under section 41.

registered portal operator means a person that:

                     (a)  is the operator of an electronic interface that facilitates access to the My Health Record system; and

                     (b)  is registered as a portal operator under section 49.

registered repository operator means a person that:

                     (a)  holds, or can hold, records of information included in My Health Records for the purposes of the My Health Record system; and

                     (b)  is registered as a repository operator under section 49.

registration authority means an entity that is responsible under a law for registering members of a particular health profession.

Regulatory Powers Act means the Regulatory Powers (Standard Provisions) Act 2014.

shared health summary has the meaning given by section 10.

sound recording has the same meaning as in the Copyright Act 1968.

State or Territory authority has the same meaning as in the Privacy Act 1988.

State/Territory Health Minister means:

                     (a)  the Minister of a State; or

                     (b)  the Minister of the Australian Capital Territory; or

                     (c)  the Minister of the Northern Territory;

who is responsible, or principally responsible, for the administration of matters relating to health in the State or Territory, as the case may be.

System Operator has the meaning given by section 14.

this Act includes:

                     (a)  regulations made under this Act; and

                     (b)  the My Health Record Rules.

use health information included in a healthcare recipient’s My Health Record includes the following:

                     (a)  access the information;

                     (b)  view the information;

                     (c)  modify the information;

                     (d)  delete the information.

Veterans’ Affairs Department means the Department that:

                     (a)  deals with matters arising under section 1 of the Veterans’ Entitlements Act 1986; and

                     (b)  is administered by the Minister who administers that section.

Veterans’ Affairs Department file number means a number allocated to a healthcare recipient by the Veterans’ Affairs Department.

work has the same meaning as in the Copyright Act 1968.

6  Definition of authorised representative of a healthcare recipient

Healthcare recipients aged under 18

             (1)  For the purposes of this Act, each person who the System Operator is satisfied has parental responsibility for a healthcare recipient aged under 18 is the authorised representative of the healthcare recipient.

             (2)  If there is no person who the System Operator is satisfied has parental responsibility for a healthcare recipient aged under 18, the authorised representative of the healthcare recipient is:

                     (a)  a person who the System Operator is satisfied is authorised to act on behalf of the healthcare recipient for the purposes of this Act under the law of the Commonwealth or a State or Territory, or a decision of an Australian court or tribunal; or

                     (b)  if there is no such person—a person:

                              (i)  who the System Operator is satisfied is otherwise an appropriate person to be the authorised representative of the healthcare recipient; or

                             (ii)  who is prescribed by the regulations for the purposes of this paragraph.

             (3)  Despite subsections (1) and (2), a person is not the authorised representative of a healthcare recipient aged under 18 years if the System Operator is satisfied that the healthcare recipient:

                     (a)  wants to manage his or her own My Health Record; and

                     (b)  is capable of making decisions for himself or herself.

Healthcare recipients aged at least 18

             (4)  For the purposes of this Act, if the System Operator is satisfied that a healthcare recipient aged at least 18 is not capable of making decisions for himself or herself, the authorised representative of the healthcare recipient is:

                     (a)  a person who the System Operator is satisfied is authorised to act on behalf of the healthcare recipient under the law of the Commonwealth or a State or Territory or a decision of an Australian court or tribunal; or

                     (b)  if there is no such person—a person:

                              (i)  who the System Operator is satisfied is otherwise an appropriate person to be the authorised representative of the healthcare recipient; or

                             (ii)  who is prescribed by the regulations for the purposes of this paragraph.

             (5)  An authorisation referred to in paragraph (2)(a) or (4)(a) may be conferred by specific reference to the purposes of this Act, or conferred by words of general authorisation that are broad enough to cover that purpose.

             (6)  A person cannot be the authorised representative of a healthcare recipient unless:

                     (a)  a healthcare identifier has been assigned to the person under paragraph 9(1)(b) of the Healthcare Identifiers Act 2010; or

                     (b)  the My Health Record Rules provide that a healthcare identifier is not required to have been so assigned.

Effect of being an authorised representative

             (7)  At a time when a healthcare recipient has an authorised representative:

                     (a)  the authorised representative is entitled to do any thing that this Act authorises or requires the healthcare recipient to do; and

                     (b)  the healthcare recipient is not entitled to do any thing that this Act would, apart from this subsection, authorise or require the healthcare recipient to do; and

                     (c)  this Act has effect for all purposes, in relation to a thing done by an authorised representative, as if the healthcare recipient had done the thing.

             (8)  At a time when a healthcare recipient has one or more authorised representatives, any thing that this Act authorises or requires to be done in relation to the healthcare recipient is to be done in relation to at least one of the healthcare recipient’s authorised representatives. This Act has effect for all purposes as if the thing had been done in relation to the healthcare recipient.

7  Definition of nominated representative of a healthcare recipient

             (1)  For the purposes of this Act, an individual is the nominated representative of a healthcare recipient if:

                     (a)  an agreement is in force between the individual and the healthcare recipient that the individual is the healthcare recipient’s nominated representative for the purposes of this Act; and

                     (b)  the healthcare recipient has notified the System Operator that the individual is his or her nominated representative.

Effect of being a nominated representative

             (2)  At a time when a healthcare recipient has a nominated representative:

                     (a)  the nominated representative is entitled to do any thing that this Act authorises or requires the healthcare recipient to do, subject to any limitations:

                              (i)  to which the healthcare recipient’s agreement is subject; and

                             (ii)  that have been notified to the System Operator by the healthcare recipient; and

                     (b)  this Act has effect for all purposes, in relation to a thing done by a nominated representative, as if the healthcare recipient had done the thing, subject to any modifications prescribed by the regulations.

             (3)  Despite subsection (2), the System Operator must not permit a nominated representative of a healthcare recipient to set access controls in relation to the healthcare recipient’s My Health Record unless:

                     (a)  a healthcare identifier has been assigned to the nominated representative under paragraph 9(1)(b) of the Healthcare Identifiers Act 2010; or

                     (b)  the My Health Record Rules provide that a healthcare identifier is not required to have been so assigned.

             (4)  The fact that a healthcare recipient has a nominated representative does not prevent the healthcare recipient doing any thing that this Act authorises or requires the healthcare recipient to do.

             (5)  At a time when a healthcare recipient has one or more nominated representatives, any thing that this Act authorises or requires to be done in relation to the healthcare recipient may be done in relation to one of the healthcare recipient’s nominated representatives and not in relation to the healthcare recipient to the extent:

                     (a)  agreed between the healthcare recipient and the nominated representative; and

                     (b)  notified to the System Operator by the healthcare recipient.

This Act has effect for all purposes as if the thing had been done in relation to the healthcare recipient.

7A  Duties of authorised representative or nominated representative

Duty to ascertain will and preferences

             (1)  An authorised representative or a nominated representative (a representative) of a healthcare recipient must make reasonable efforts to ascertain the recipient’s will and preferences in relation to the recipient’s My Health Record.

             (2)  If it is not possible to ascertain the healthcare recipient’s will and preferences, the representative must make reasonable efforts to ascertain the recipient’s likely will and preferences in relation to the recipient’s My Health Record.

             (3)  The healthcare recipient’s likely will and preferences may be ascertained from sources including the following:

                     (a)  if the representative is a nominated representative—the agreement appointing the representative;

                     (b)  to the extent legally possible, from consultation with people who may be expected to be aware of the recipient’s will and preferences.

Duty to give effect to will and preferences

             (4)  The representative must give effect to the healthcare recipient’s will and preferences, or likely will and preferences, ascertained in accordance with subsection (1) or (2).

             (5)  However, if to do so would pose a serious risk to the healthcare recipient’s personal and social wellbeing, the representative must instead act in a manner that promotes the personal and social wellbeing of the healthcare recipient.

Duty if will and preferences cannot be ascertained

             (6)  If the healthcare recipient’s will and preferences, or likely will and preferences, cannot be ascertained, the representative must act in a manner that promotes the personal and social wellbeing of the healthcare recipient.

8  Things done etc. under provisions of other Acts

             (1)  A reference in section 6 or 7 to any thing that this Act authorises or requires a healthcare recipient to do is taken to include a reference to any thing that a prescribed provision of another Act authorises or requires a healthcare recipient to do.

             (2)  A reference in section 6 or 7 to any thing that this Act authorises or requires to be done in relation to a healthcare recipient is taken to include a reference to any thing that a prescribed provision of another Act authorises or requires to be done in relation to a healthcare recipient.

9  Definition of identifying information

             (1)  Each of the following is identifying information of a healthcare provider who is an individual:

                     (a)  the name of the healthcare provider;

                     (b)  the address of the healthcare provider;

                     (c)  the email address, telephone number and fax number of the healthcare provider;

                     (d)  the date of birth, and the date of birth accuracy indicator, of the healthcare provider;

                     (e)  the sex of the healthcare provider;

                      (f)  the type of healthcare provider that the individual is;

                     (g)  if the healthcare provider is registered by a registration authority—the registration authority’s identifier for the healthcare provider and the status of the registration (such as conditional, suspended or cancelled);

                     (h)  other information that is prescribed by the regulations for the purpose of this paragraph.

             (2)  Each of the following is identifying information of a healthcare provider that is not an individual:

                     (a)  the name of the healthcare provider;

                     (b)  the address of the healthcare provider;

                     (c)  the email address, telephone number and fax number of the healthcare provider;

                     (d)  if applicable, the ABN (within the meaning of the A New Tax System (Australian Business Number) Act 1999) of the healthcare provider;

                     (e)  if applicable, the ACN (within the meaning of the Corporations Act 2001) of the healthcare provider;

                      (f)  other information that is prescribed by the regulations for the purpose of this paragraph.

             (3)  Each of the following is identifying information of an individual, other than an individual in the capacity of a healthcare provider:

                     (a)  if applicable, the Medicare number of the individual;

                     (b)  if applicable, the Veterans’ Affairs Department file number of the individual;

                     (c)  the name of the individual;

                     (d)  the address of the individual;

                     (e)  the date of birth, and the date of birth accuracy indicator, of the individual;

                      (f)  the sex of the individual;

                     (g)  if the individual was part of a multiple birth—the order in which the individual was born;

Example: The second of twins.

                     (h)  if applicable, the date of death, and the date of death accuracy indicator, of the individual;

                      (i)  other information that is prescribed by the regulations for the purpose of this paragraph.

10  Definition of shared health summary

                   The shared health summary of a registered healthcare recipient, at a particular time, is a record that:

                     (a)  was prepared by the healthcare recipient’s nominated healthcare provider and described by him or her as the healthcare recipient’s shared health summary; and

                     (b)  has been uploaded to the National Repositories Service; and

                     (c)  at that time, is the most recent such record to have been uploaded to the National Repositories Service.

Note:          This means that there is only one shared health summary for a healthcare recipient at a particular time.

11  Act to bind the Crown

             (1)  This Act binds the Crown in each of its capacities.

             (2)  This Act does not make the Crown liable to be prosecuted for an offence.

Note:          Subsection (2) does not limit other rights and remedies.

12  Concurrent operation of State laws

                   It is the intention of the Parliament that this Act is not to apply to the exclusion of a law of a State or Territory to the extent that that law is capable of operating concurrently with this Act.

13  External Territories

                   This Act extends to every external Territory.

13A  System Operator may arrange for use of computer programs to make decisions

             (1)  The System Operator may arrange for the use, under the System Operator’s control, of computer programs for any purposes for which the System Operator may make decisions under this Act.

             (2)  A decision made by the operation of a computer program under an arrangement made under subsection (1) is taken to be a decision made by the System Operator.

13B  System Operator may use electronic communications

             (1)  If under this Act the System Operator is required to give information in writing, that requirement is taken to have been met if the System Operator gives the information by means of an electronic communication, as defined in the Electronic Transactions Act 1999.

             (2)  If under this Act the System Operator is permitted to give information in writing, the System Operator is permitted to give the information by means of an electronic communication, as defined in the Electronic Transactions Act 1999.

Part 2  The System Operator and the functions of the Chief Executive Medicare

Division 1  System Operator

14  Identity of the System Operator

             (1)  The System Operator is:

                     (a)  the Secretary of the Department; or

                     (b)  if a body established by a law of the Commonwealth is prescribed by the regulations to be the System Operator—that body.

             (2)  Before regulations are made for the purposes of paragraph (1)(b), the Minister must be satisfied that the Ministerial Council has been consulted in relation to the proposed regulations.

15  Functions of the System Operator

                   The System Operator has the following functions:

                     (a)  to establish and maintain an index service, for the purposes of the My Health Record system, that:

                              (i)  allows information in different repositories to be connected to registered healthcare recipients; and

                             (ii)  facilitates the retrieval of such information when required, and ensures that registered healthcare recipients, and participants in the My Health Record system who are authorised to collect, use and disclose information, are able to do so readily;

                     (b)  to establish and maintain mechanisms (access control mechanisms) that, subject to any requirements specified in the My Health Record Rules:

                              (i)  enable each registered healthcare recipient to set controls on the healthcare provider organisations and nominated representatives who may obtain access to the healthcare recipient’s My Health Record; and

                             (ii)  specify default access controls that apply if a registered healthcare recipient has not set such controls; and

                            (iii)  specify circumstances in which access to a healthcare recipient’s My Health Record is to be automatically suspended or cancelled;

                     (c)  without limiting paragraph (b), to ensure that the access control mechanisms enable each registered healthcare recipient to specify that access to a healthcare recipient’s My Health Record is only to be:

                              (i)  by healthcare provider organisations and nominated representatives specified by the healthcare recipient; and

                             (ii)  in accordance with any limitations specified by the healthcare recipient, including limitations on the kind of health information to be collected, used or disclosed by such healthcare provider organisations and nominated representatives;

                     (d)  to establish and maintain a reporting service that allows assessment of the performance of the system against performance indicators;

                     (e)  to establish and maintain the Register (see section 56);

                      (f)  to register healthcare recipients and participants in the My Health Record system (see Part 3) and to manage and monitor, on an ongoing basis, the system of registration;

                     (g)  to establish and maintain an audit service that records activity in respect of information in relation to the My Health Record system;

                     (h)  without limiting paragraph (g)—to establish and maintain mechanisms:

                              (i)  that enable each registered healthcare recipient to obtain electronic access to a summary of the flows of information in relation to his or her My Health Record; and

                             (ii)  that enable each registered healthcare recipient to obtain a complete record of the flows of information in relation to his or her My Health Record, on application to the System Operator;

                      (i)  to operate a National Repositories Service that stores key records that form part of a registered healthcare recipient’s My Health Record (including the healthcare recipient’s shared health summary);

                    (ia)  to establish and operate a test environment for the My Health Record system, and other electronic systems that interact directly with the My Health Record system, in accordance with the requirements (if any) in the My Health Records Rules;

                      (j)  to establish a mechanism for handling complaints about the operation of the My Health Record system;

                     (k)  to ensure that the My Health Record system is administered so that problems relating to the administration of the system can be resolved;

                      (l)  to advise the Minister on matters relating to the My Health Record system, including in relation to the matters to be included in the My Health Record Rules (see section 109);

                    (m)  to educate healthcare recipients, participants in the My Health Record system and members of the public about the My Health Record system;

                  (ma)  to prepare and provide de‑identified data for research or public health purposes;

                     (n)  such other functions as are conferred on the System Operator by this Act or any other Act;

                     (o)  to do anything incidental to or conducive to the performance of any of the above functions.

17  Retention of records uploaded to National Repositories Service

             (1)  This section applies to a record if:

                     (a)  the record is uploaded to the National Repositories Service; and

                     (b)  the record includes health information that is included in the My Health Record of a healthcare recipient.

             (2)  The System Operator must ensure that the record is retained for the period:

                     (a)  beginning when the record is first uploaded to the National Repositories Service; and

                     (b)  ending:

                              (i)  30 years after the death of the healthcare recipient; or

                             (ii)  if the System Operator does not know the date of death of the healthcare recipient—130 years after the date of birth of the healthcare recipient.

Division 4  Functions of Chief Executive Medicare

38  Registered repository operator

             (1)  It is a function of the Chief Executive Medicare to seek to become a registered repository operator and, if registered, to operate a repository for the purposes of the My Health Record system in accordance with subsection (2).

             (2)  Without limiting the way in which the repository is to be operated, at any time when the Chief Executive Medicare is a registered repository operator, the Chief Executive Medicare:

                     (a)  may at his or her discretion upload health information held by the Chief Executive Medicare about a registered healthcare recipient to the repository operated by the Chief Executive Medicare; and

                     (b)  with the consent of a registered healthcare recipient—may at his or her discretion make available to the System Operator health information held by the Chief Executive Medicare about the healthcare recipient.

Note:          Section 58 authorises the Chief Executive Medicare to disclose identifying information to the System Operator.

             (3)  The health information referred to in subsection (2) in relation to a healthcare recipient may include the name of one or more healthcare providers that have provided healthcare to the healthcare recipient.

Part 3  Registration

Division 1  Registering healthcare recipients

Note:       This Division does not apply to a healthcare recipient if the opt‑out model applies to the healthcare recipient because of My Health Records Rules made under Schedule 1 to this Act.

39  Healthcare recipients may apply for registration

             (1)  A healthcare recipient may apply to the System Operator for registration of the healthcare recipient.

             (2)  The application must:

                     (a)  be in the approved form; and

                     (b)  include, or be accompanied by, the information and documents required by the form; and

                     (c)  be lodged at a place, or by a means, specified in the form.

40  When a healthcare recipient is eligible for registration

                   A healthcare recipient is eligible for registration if:

                     (a)  a healthcare identifier has been assigned to the healthcare recipient under paragraph 9(1)(b) of the Healthcare Identifiers Act 2010; and

                     (b)  the following information has been provided to the System Operator in relation to the healthcare recipient:

                              (i)  full name;

                             (ii)  date of birth;

                            (iii)  healthcare identifier, Medicare card number or Department of Veterans’ Affairs file number;

                            (iv)  sex;

                             (v)  such other information as is prescribed by the regulations.

41  Registration of a healthcare recipient by the System Operator

             (1)  The System Operator must decide to register a healthcare recipient if:

                     (a)  an application has been made under section 39 in relation to the healthcare recipient; and

                     (b)  the healthcare recipient is eligible for registration under section 40; and

                     (c)  the System Operator is satisfied, having regard to the matters (if any) specified in the My Health Record Rules, that the identity of the healthcare recipient has been appropriately verified.

Note:          The System Operator is not permitted to register a healthcare recipient in any other circumstances.

             (2)  Despite subsection (1), the System Operator is not required to register a healthcare recipient if the System Operator is satisfied that registering the healthcare recipient may compromise the security or integrity of the My Health Record system, having regard to the matters (if any) prescribed by the My Health Record Rules.

             (3)  The System Operator is not required to register a healthcare recipient if the healthcare recipient does not consent to a registered healthcare provider organisation uploading to the My Health Record system any record that includes health information about the healthcare recipient, subject to the following:

                     (a)  express advice given by the healthcare recipient to the registered healthcare provider organisation that a particular record, all records or a specified class of records must not be uploaded;

                     (b)  a law of a State or Territory that is prescribed by the regulations for the purposes of subsection (4).

          (3A)  A registered healthcare provider organisation is authorised to upload to the My Health Record system a record in relation to a healthcare recipient (the patient) that includes health information about another healthcare recipient (the third party), if the health information about the third party is directly relevant to the healthcare of the patient, subject to a law of a State or Territory that is prescribed by the regulations for the purposes of subsection (4).

             (4)  A consent referred to in subsection (3), and an authorisation given under subsection (3A), have effect despite a law of a State or Territory that requires consent to the disclosure of particular health information:

                     (a)  to be given expressly; or

                     (b)  to be given in a particular way;

other than a law of a State or Territory prescribed by the regulations for the purposes of this subsection.

             (5)  A decision under subsection (1) takes effect when it is made.

Division 2  Registering healthcare provider organisations

42  Healthcare provider organisation may apply for registration

             (1)  A healthcare provider organisation may apply to the System Operator for registration of the healthcare provider organisation.

             (2)  The application must:

                     (a)  be in the approved form; and

                     (b)  include, or be accompanied by, the information and documents required by the form; and

                     (c)  be lodged at a place, or by a means, specified in the form.

43  When a healthcare provider organisation is eligible for registration

                   A healthcare provider organisation is eligible for registration if:

                     (a)  a healthcare identifier has been assigned under paragraph 9(1)(a) of the Healthcare Identifiers Act 2010 to the healthcare provider organisation; and

                     (b)  the healthcare provider organisation complies with such requirements as are specified in the My Health Record Rules; and

                     (c)  the healthcare provider organisation has agreed to be bound by the conditions imposed by the System Operator on the registration.

44  Registration of a healthcare provider organisation

             (1)  The System Operator must decide to register a healthcare provider organisation if:

                     (a)  the healthcare provider organisation has made an application under section 42; and

                     (b)  the healthcare provider organisation is eligible for registration under section 43.

             (2)  Despite subsection (1), the System Operator is not required to register a healthcare provider organisation if the System Operator is satisfied that registering the healthcare provider organisation may compromise the security or integrity of the My Health Record system, having regard to the matters (if any) prescribed by the My Health Record Rules.

             (3)  The System Operator may impose conditions on the registration.

             (4)  A decision under subsection (1) takes effect when it is made.

45  Condition of registration—uploading of records, etc.

                   It is a condition of registration of a healthcare provider organisation that the healthcare provider organisation does not, for the purposes of the My Health Record system:

                     (a)  upload a record that includes health information about a registered healthcare recipient to a repository other than:

                              (i)  a repository that forms part of the National Repositories Service; or

                             (ii)  a repository to which a registered repository operator’s registration relates; or

                     (b)  upload to a repository a record:

                              (i)  that purports to be the shared health summary of a registered healthcare recipient, unless the record would, when uploaded, be the shared health summary of the registered healthcare recipient; or

                             (ii)  that is a record of a kind specified in the My Health Record Rules for the purposes of this paragraph, unless the record has been prepared by an individual healthcare provider to whom a healthcare identifier has been assigned under paragraph 9(1)(a) of the Healthcare Identifiers Act 2010; or

                   (ba)  upload to a repository a record of a kind specified in the My Health Records Rules for the purposes of subparagraph (b)(ii) unless the record is prepared by a person who, at the time the record is prepared, is:

                              (i)  an individual who is registered by a registration authority within the meaning of the Healthcare Identifiers Act 2010, and whose registration is not conditional, suspended, cancelled or lapsed (other than in circumstances prescribed in the My Health Records Rules); or

                             (ii)  an individual who is a member of a professional association described in paragraph 9A(1)(b) of the Healthcare Identifiers Act 2010, and whose membership is not conditional, suspended, cancelled or lapsed (other than in circumstances prescribed by the My Health Records Rules); or

                     (c)  upload a record to a repository if uploading the record would involve an infringement of a moral right of the author, within the meaning of the Copyright Act 1968; or

                     (d)  upload to a repository a record that includes health information about a registered consumer if the consumer has advised that the record is not to be uploaded.

45A  Condition of registration—handling old records that are works subject to copyright

Old works must not be uploaded if it would be an infringement of copyright to use the work for healthcare or related purposes

             (1)  Subsection (2) applies to works made before section 44BB of the Copyright Act 1968 commences.

Note:          Section 44BB of the Copyright Act 1968 provides that there is no infringement of copyright if an act comprised in the copyright of a work is done, or authorised to be done, for healthcare or related purposes.

             (2)  A healthcare provider organisation must not, for the purposes of the My Health Record system, upload the work if it would be an infringement of the copyright in the work for the organisation or another person to do, or authorise to be done, an act comprised in the copyright of the work:

                     (a)  for a purpose for which the collection, use or disclosure of health information is required or authorised under this Act; or

                     (b)  in circumstances in which a permitted general situation exists under item 1 of the table in subsection 16A(1) of the Privacy Act 1988 (serious threat to life, health or safety), or would exist if the act were done, or authorised to be done, by an entity that is an APP entity for the purposes of that Act; or

                     (c)  in circumstances in which a permitted health situation exists under section 16B of the Privacy Act 1988, or would exist if the act were done, or authorised to be done, by an entity that is an organisation for the purposes of that Act; or

                     (d)  for any other purpose relating to healthcare, or the communication or management of health information, prescribed by the regulations.

             (3)  It is a condition of the registration of a healthcare provider organisation that the organisation complies with the obligation under subsection (2).

45B  Condition of registration—handling old sound recordings and cinematograph films that are subject to copyright

             (1)  Subsection (2) applies to sound recordings and cinematograph films made before section 104C of the Copyright Act 1968 commences.

Note:          Section 104C of the Copyright Act 1968 provides that there is no infringement of the copyright if an act comprised in the copyright of a sound recording or cinematograph film is done, or authorised to be done, for healthcare or related purposes.

             (2)  A healthcare provider organisation must not, for the purposes of the My Health Record system, upload the sound recording or cinematograph film if it would be an infringement of the copyright in the recording or film for the organisation or another person to do an act comprised in the copyright of the recording or film:

                     (a)  for a purpose for which the collection, use or disclosure of health information is required or authorised under this Act; or

                     (b)  in circumstances in which a permitted general situation exists under item 1 of the table in subsection 16A(1) of the Privacy Act 1988 (serious threat to life, health or safety), or would exist if the act were done by an entity that is an APP entity for the purposes of that Act; or

                     (c)  in circumstances in which a permitted health situation exists under section 16B of the Privacy Act 1988, or would exist if the act were done by an entity that is an organisation for the purposes of that Act; or

                     (d)  for any other purpose relating to healthcare, or the communication or management of health information, prescribed by the regulations.

             (3)  It is a condition of the registration of a healthcare provider organisation that the organisation complies with the obligation under subsection (2).

45C  Liability where work uploaded in breach of section 45A or 45B

             (1)  If any person suffers loss or damage as a result of anything done by an entity that contravenes section 45A or 45B, the person may bring an action for the amount of the loss or damage against the entity in:

                     (a)  the Federal Court of Australia;

                     (b)  the Federal Circuit Court of Australia;

                     (c)  a court of a State or Territory that has jurisdiction in relation to the matter.

             (2)  The action must be brought within 6 years after the loss or damage was suffered.

             (3)  In determining the damage suffered by the person, the court may include costs incurred by the person as a result of legal action relating to infringement of copyright.

46  Condition of registration—non‑discrimination in providing healthcare to a healthcare recipient who does not have a My Health Record etc.

Healthcare recipient who is not registered

             (1)  It is a condition of registration of a healthcare provider organisation that the organisation does not:

                     (a)  refuse to provide healthcare to a healthcare recipient because the healthcare recipient is not registered under this Part; or

                     (b)  otherwise discriminate against a healthcare recipient in relation to the provision of healthcare because the healthcare recipient is not registered under this Part.

Registered healthcare recipient’s access controls

             (2)  It is a condition of registration of a healthcare provider organisation that the organisation does not:

                     (a)  refuse to provide healthcare to a registered healthcare recipient because the healthcare recipient has set particular access controls on his or her My Health Record; or

                     (b)  otherwise discriminate against a healthcare recipient in relation to the provision of healthcare because the healthcare recipient has set particular access controls on his or her My Health Record.

Division 3—Registering repository operators, portal operators and contracted service providers

47  Persons may apply for registration as a repository operator, a portal operator or a contracted service provider

             (1)  A person may apply to the System Operator for registration as any of the following:

                     (a)  a repository operator;

                     (b)  a portal operator;

                     (c)  a contracted service provider.

             (2)  An application for registration as a repository operator must specify each repository to which the registration is proposed to relate.

48  When a person is eligible for registration as a repository operator, a portal operator or a contracted service provider

                   A person is eligible for registration as a repository operator, a portal operator or a contracted service provider if the System Operator is satisfied that:

                     (a)  the person complies with any My Health Record Rules that apply in relation to registration of the particular kind; and

                     (b)  the person has agreed to be bound by the conditions imposed by the System Operator on the person’s registration; and

                     (c)  in the case of a repository operator or a portal operator—the central management and control of the repository operator or portal operator will be located in Australia at all times when the repository operator or portal operator is registered; and

                     (d)  in the case of a repository operator or a portal operator that:

                              (i)  is a State or Territory authority, or an instrumentality of a State or Territory; and

                             (ii)  is not bound by a designated privacy law of the State or Territory;

                            the repository operator or portal operator is prescribed under section 6F of the Privacy Act 1988.

49  Registration of a repository operator, a portal operator or a contracted service provider

             (1)  The System Operator must decide to register a person as a repository operator, a portal operator or a contracted service provider if:

                     (a)  the person has made an application under section 47 for registration of that kind; and

                     (b)  the person is eligible for registration of that kind under section 48.

             (2)  Despite subsection (1), the System Operator is not required to register a person as a repository operator, a portal operator or a contracted service provider if the System Operator is satisfied that registering the person may compromise the security or integrity of the My Health Record system, having regard to the matters (if any) prescribed by the My Health Record Rules.

             (3)  The System Operator may impose conditions on the registration.

             (4)  If the System Operator decides to register a person as a repository operator, the decision must specify the repositories to which the registration relates.

             (5)  A decision under subsection (1) takes effect when it is made.

50  Condition about provision of information to System Operator

                   It is a condition of registration of a registered repository operator, a registered portal operator or a registered contracted service provider that it must provide to the System Operator information included in the My Health Record of a healthcare recipient if requested to do so by the System Operator.

50A  Condition of registration—handling old records that are works subject to copyright

             (1)  Subsection (2) applies to works made before section 44BB of the Copyright Act 1968 commences.

Note:          Section 44BB of the Copyright Act 1968 provides that there is no infringement of copyright if an act comprised in the copyright of a work is done, or authorised to be done, for healthcare or related purposes.

             (2)  A registered repository operator must not make the work available for the purposes of the My Health Record system, if it would be an infringement of the copyright in the work for the operator or another person to do, or authorise to be done, an act comprised in the copyright of the work:

                     (a)  for a purpose for which the collection, use or disclosure of health information is required or authorised under this Act; or

                     (b)  in circumstances in which a permitted general situation exists under item 1 of the table in subsection 16A(1) of the Privacy Act 1988 (serious threat to life, health or safety), or would exist if the act were done, or authorised to be done, by an entity that is an APP entity for the purposes of that Act; or

                     (c)  in circumstances in which a permitted health situation exists under section 16B of the Privacy Act 1988, or would exist if the act were done, or authorised to be done, by an entity that is an organisation for the purposes of that Act; or

                     (d)  for any other purpose relating to healthcare, or the communication or management of health information, prescribed by the regulations.

             (3)  It is a condition of the registration of a registered repository operator that the operator complies with subsection (2).

50B  Condition of registration—handling old sound recordings and cinematograph films that are subject to copyright

             (1)  Subsection (2) applies to sound recordings and cinematograph films made before section 104C of the Copyright Act 1968 commences.

Note:          Section 104C of the Copyright Act 1968 provides that there is no infringement of the copyright if an act comprised in the copyright of a sound recording or cinematograph film is done, or authorised to be done, for healthcare or related purposes.

             (2)  A registered repository operator must not, for the purposes of the My Health Record system, make the sound recording or cinematograph film available if it would be an infringement of the copyright in the recording or film for the operator or another person to do any act comprised in the copyright in the recording or film:

                     (a)  for a purpose for which the collection, use or disclosure of health information is required or authorised under this Act; or

                     (b)  in circumstances in which a permitted general situation exists under item 1 of the table in subsection 16A(1) of the Privacy Act 1988 (serious threat to life, health or safety), or would exist if the act were done by an entity that is an APP entity for the purposes of that Act; or

                     (c)  in circumstances in which a permitted health situation exists under section 16B of the Privacy Act 1988, or would exist if the act were done by an entity that is an organisation for the purposes of that Act; or

                     (d)  for any other purpose relating to healthcare, or the communication or management of health information, prescribed by the regulations.

             (3)  It is a condition of the registration of a registered repository operator that the operator complies with subsection (2).

50C  Liability where work uploaded in breach of section 50A or 50B

             (1)  If any person suffers loss or damage as a result of anything done by an entity that contravenes section 50A or 50B, the person may bring an action for the amount of the loss or damage against the entity in:

                     (a)  the Federal Court of Australia;

                     (b)  the Federal Circuit Court of Australia;

                     (c)  a court of a State or Territory that has jurisdiction in relation to the matter.

             (2)  The action must be brought within 6 years after the loss or damage was suffered.

             (3)  In determining the damage suffered by the person, the court may include costs incurred by the person as a result of legal action relating to infringement of copyright.

50D  Authorisation to make health information available to the System Operator

                   A registered repository operator (other than the Chief Executive Medicare) is authorised to make health information about a registered healthcare recipient that is held by the operator available to the System Operator.

Division 4—Cancellation, suspension and variation of registration

51  Cancellation or suspension of registration

Cancellation or suspension on request

             (1)  The System Operator must, in writing, decide to cancel or suspend the registration of a healthcare recipient or other entity if the healthcare recipient or other entity requests the System Operator, in writing, to cancel or suspend the registration.

Cancellation or suspension if healthcare recipient no longer eligible, etc.

             (2)  The System Operator may, in writing, decide to cancel or suspend the registration of a healthcare recipient if:

                     (a)  the System Operator is no longer satisfied that the healthcare recipient is eligible to be registered; or

                     (b)  the System Operator is no longer satisfied, having regard to the matters (if any) specified in the My Health Record Rules, that the identity of the healthcare recipient has been appropriately verified; or

                     (c)  the System Operator is satisfied that, unless the registration of the healthcare recipient is cancelled, the security or integrity of the My Health Record system may be compromised, having regard to the matters (if any) prescribed by the My Health Record Rules; or

                     (d)  the System Operator is satisfied that the consent referred to in subsection 41(3) in relation to the healthcare recipient has been withdrawn; or

                     (e)  the System Operator is satisfied that the consent referred to in subsection 41(3) in relation to the healthcare recipient was given by an authorised representative or nominated representative of the healthcare recipient, and:

                              (i)  the authorised representative or nominated representative who gave the consent ceases to be an authorised representative or nominated representative of the healthcare recipient; and

                             (ii)  the System Operator requests the healthcare recipient to give consent of the kind referred to in subsection 41(3); and

                            (iii)  the healthcare recipient does not, within a reasonable period, give the consent.

Cancellation or suspension if other entity no longer eligible, etc.

             (3)  The System Operator may, in writing, decide to cancel or suspend the registration of an entity other than a healthcare recipient if:

                     (a)  the System Operator is no longer satisfied that the entity is eligible to be registered; or

                     (b)  the System Operator is satisfied that:

                              (i)  the entity has contravened this Act or a condition of the entity’s registration; or

                             (ii)  cancellation or suspension of registration is reasonably necessary to prevent such a contravention; or

                            (iii)  cancellation or suspension of registration is otherwise appropriate, having regard to the need to protect the security and integrity of the My Health Record system.

Suspension while investigating action in relation to healthcare recipient’s registration

             (4)  The System Operator may, in writing, decide to suspend the registration of a healthcare recipient while the System Operator investigates whether to take action under subsection (2) in relation to the healthcare recipient’s registration.

Suspension while investigating action in relation to entity’s registration

             (5)  The System Operator may, in writing, decide to suspend the registration of an entity other than a healthcare recipient while the System Operator investigates whether to take action under subsection (3) in relation to the entity’s registration.

Cancellation of registration of healthcare recipient on death

             (6)  The System Operator must decide to cancel the registration of a healthcare recipient if the System Operator is satisfied that the healthcare recipient has died.

When cancellation or suspension takes effect

             (7)  A decision under this section takes effect:

                     (a)  when it is made; or

                     (b)  if the decision is made at the request of the healthcare recipient or other entity, and the request states that the healthcare recipient or other entity wishes the cancellation or suspension to occur at a specified future time—at that future time.

Note:          Under section 53, the System Operator must give the healthcare recipient or other entity notice before cancelling, suspending or varying registration (except in urgent circumstances). The decision to cancel, suspend or vary registration cannot be made before the end of the period specified in the notice.

52  Variation of registration

             (1)  The System Operator may decide, on the System Operator’s initiative or on the request of a healthcare recipient or other entity, to vary the registration of the healthcare recipient or other entity:

                     (a)  to impose conditions, or additional conditions, on the registration; or

                     (b)  to vary or revoke conditions imposed on the registration; or

                     (c)  in the case of a registered repository operator—to vary the repositories to which the registration relates; or

                     (d)  to correct an error or omission in the registration.

             (2)  A decision under this section takes effect:

                     (a)  when it is made; or

                     (b)  if the decision is made at the request of the healthcare recipient or other entity, and the request states that the healthcare recipient or other entity wishes the variation to occur at a specified future time—at that future time.

Note:          Under section 53, the System Operator must give the healthcare recipient or other entity notice before cancelling, suspending or varying registration (except in urgent circumstances). The decision to cancel, suspend or vary registration cannot be made before the end of the period specified in the notice.

53  Notice of cancellation, suspension or variation of registration etc.

Written notice before cancellation etc. other than in urgent circumstances

             (1)  The System Operator must give written notice to a healthcare recipient or other entity before:

                     (a)  cancelling or suspending the registration of the healthcare recipient or entity under subsection 51(2), (3), (4) or (5); or

                     (b)  varying the entity’s registration under section 52;

other than as mentioned in subsection (4) of this section (urgency).

             (2)  The notice:

                     (a)  must state that the System Operator proposes to cancel, suspend or vary the registration and the reasons why; and

                     (b)  in the case of an entity that the System Operator is satisfied has contravened or may contravene this Act or a condition of the entity’s registration—may specify steps that the entity must take in order to address the contravention or possible contravention; and

                     (c)  must invite the healthcare recipient or other entity to make a written submission, within the period specified in the notice, to the System Operator in relation to the proposed cancellation, suspension or variation.

             (3)  If the System Operator gives written notice to a healthcare recipient or other entity under subsection (1), the System Operator must not decide to cancel, suspend or vary the registration until after the end of the period referred to in paragraph (2)(c).

Cancellation etc. in urgent circumstances

             (4)  If the System Operator is satisfied that it is necessary, because of the urgency of the circumstances, to cancel, suspend or vary the registration of a healthcare recipient or other entity without following the process outlined in subsections (1) to (3), the System Operator must give written notice to the healthcare recipient or other entity:

                     (a)  cancelling or suspending the registration of the healthcare recipient or entity under subsection 51(2), (3), (4) or (5); or

                     (b)  varying the entity’s registration under section 52.

             (5)  A decision under subsection (4) takes effect:

                     (a)  when notice of the decision is given under that subsection; or

                     (b)  if a later time is specified in the notice under that subsection—at that later time.

54  Effect of suspension

                   During any period when the registration of a healthcare recipient or other entity is suspended:

                     (a)  the healthcare recipient or other entity is taken not to be registered for the purposes of Division 2 of Part 4 (authorised collection, use and disclosure of health information), other than:

                              (i)  paragraph 63(b) (collection, use or disclosure on request of the System Operator); and

                             (ii)  subsection 64(1) (serious threat); and

                     (b)  if the entity is a registered repository operator, a registered portal operator or a registered contracted service provider—the entity is taken to be registered for the purposes of the remaining provisions of this Act.

55  My Health Records Rules may specify requirements after registration is cancelled or suspended

             (1)  The My Health Record Rules may specify the requirements to which the System Operator or another entity is subject after the registration of a healthcare recipient or other entity is cancelled or suspended.

             (2)  The My Health Record Rules cannot modify the effect of section 54.

             (3)  The requirements specified in the My Health Record Rules may include requirements relating to the following:

                     (a)  retention, transfer or disposal of My Health Records;

                     (b)  retention, transfer or disposal of other records.

Division 5—The Register

56  The Register

             (1)  The System Operator must establish and maintain a Register.

             (2)  The Register may be maintained in electronic form and may be divided into separate parts.

             (3)  The Register is not a legislative instrument.

57  Entries to be made in Register

                   If the System Operator decides under this Part to register a healthcare recipient or other entity or to cancel, suspend or vary such a registration, the System Operator must, as soon as practicable after making the decision, ensure that the following information is entered in the Register in relation to the healthcare recipient or other entity:

                     (a)  such administrative information as is necessary for the purposes of the proper operation of the My Health Record system;

                     (b)  such information (if any) as is specified in the My Health Record Rules for the purposes of this paragraph.

Division 6—Collection, use and disclosure of information for the purposes of the My Health Record System

58  Collection, use and disclosure of health information by the System Operator

                   The System Operator may collect, use and disclose health information about a healthcare recipient for the purposes of including the health information in the My Health Record of a registered healthcare recipient.

58A  Collection, use and disclosure of healthcare identifiers, identifying information and information identifying authorised representatives and nominated representatives

             (1)  An entity mentioned in column 1 of an item of the following table, is authorised to take action of the kind described in column 2 of that item with information of the kind described in column 3 of that item in the circumstances described in column 4 of that item.

 

Collection, use and disclosure for the purpose of the My Health Record system

Item

Column 1

Entity

Column 2

Permitted action

Column 3

Information

Column 4

Circumstances

1

System Operator

collect

use

disclose

identifying information about any of the following:

(a) a healthcare recipient;

(b) an authorised representative of a healthcare recipient;

(c) a nominated representative of a healthcare recipient;

(d) a healthcare provider

the healthcare identifier of any of the following:

(a) a healthcare recipient;

(b) an authorised representative of a healthcare recipient;

(c) a nominated representative of a healthcare recipient;

(d) a healthcare provider

the collection, use or disclosure is for the purposes of the My Health Record system

2 | System Operator | collect; use; disclose | information relevant to whether a person is an authorised representative, or nominated representative, of another person | the collection, use or disclosure is for the purposes of determining whether a person is an authorised representative, or a nominated representative, of another person

3 | registered repository operator; registered portal operator | collect; use; disclose to a participant in the My Health Record System | the healthcare identifier of any of the following: (a) a healthcare recipient; (b) an authorised representative of a healthcare recipient; (c) a nominated representative of a healthcare recipient; (d) a healthcare provider | the collection, use or disclosure is for the purposes of the My Health Record system

4 | service operator for the purposes of the Healthcare Identifiers Act 2010 | collect from the System Operator; use; disclose to the System Operator | information relevant to whether a person is an authorised representative, or nominated representative, of another person | the collection, use or disclosure is for the purposes of assisting the System Operator to determine whether a person is an authorised representative, or a nominated representative, of another person

5 | Chief Executive Medicare | collect from the System Operator; use; disclose to the System Operator | identifying information about any person who is, or may be, any of the following: (a) a healthcare recipient; (b) an authorised representative of a healthcare recipient; (c) a nominated representative of a healthcare recipient | the collection, use or disclosure is: (a) for the purposes of assisting the System Operator to verify the identity of the person; or (b) otherwise for the purposes of the My Health Record system

6 | Chief Executive Medicare | collect from the System Operator; use; disclose to the System Operator | information relevant to whether a person is an authorised representative, or nominated representative, of another person | the collection, use or disclosure is for the purposes of assisting the System Operator to determine whether a person is an authorised representative, or a nominated representative, of another person

7 | Chief Executive Medicare | collect; use; disclose to a participant in the My Health Record system | identifying information about any of the following: (a) a healthcare recipient; (b) an authorised representative of a healthcare recipient; (c) a nominated representative of a healthcare recipient; healthcare identifier of any of the following: (a) a healthcare recipient; (b) an authorised representative of a healthcare recipient; (c) a nominated representative of a healthcare recipient | the collection, use or disclosure is for the purpose of including health information in the healthcare recipient’s My Health Record

8 | Veterans’ Affairs Department; Defence Department | use; disclose to the System Operator | identifying information about any person who is, or may be, any of the following: (a) a healthcare recipient; (b) an authorised representative of a healthcare recipient; (c) a nominated representative of a healthcare recipient | the use or disclosure is for the purposes of assisting the System Operator to verify the identity of the person

9 | Veterans’ Affairs Department; Defence Department | collect from the service operator under the Healthcare Identifiers Act 2010; use; disclose to a participant in the My Health Record system | identifying information about any of the following: (a) a healthcare recipient; (b) an authorised representative of a healthcare recipient; (c) a nominated representative of a healthcare recipient; healthcare identifier of any of the following: (a) a healthcare recipient; (b) an authorised representative of a healthcare recipient; (c) a nominated representative of a healthcare recipient | the collection, use or disclosure is for the purpose of including prescribed information in the healthcare recipient’s My Health Record

10 | a prescribed entity | collect; use; disclose to another prescribed entity | identifying information about any person who is, or may be, any of the following: (a) a healthcare recipient; (b) an authorised representative of a healthcare recipient; (c) a nominated representative of a healthcare recipient | the collection, use or disclosure is for the purposes of assisting the System Operator to verify the identity of the person

Note:          Under section 15 of the Healthcare Identifiers Act 2010, the service operator under that Act is authorised to collect, use and disclose healthcare identifiers of, and identifying information about, healthcare recipients and their representatives for the purposes of the My Health Record system. The service operator is also authorised to collect, use and disclose healthcare identifiers of, and identifying information about, healthcare providers under section 24 of that Act.

             (2)  If:

                     (a)  any of the following entities discloses information to the System Operator in circumstances in which the information is authorised to be disclosed under subsection (1):

                              (i)  the Chief Executive Medicare;

                             (ii)  the Veterans’ Affairs Department;

                            (iii)  the Defence Department;

                            (iv)  the service operator for the purposes of the Healthcare Identifiers Act 2010;

                             (v)  an entity prescribed for the purposes of item 10 of the table in subsection (1); and

                     (b)  the entity that disclosed the information becomes aware that the information has changed;

that entity must, as soon as practicable after becoming aware of the change, inform the System Operator of the change.

Part 4  Collection, use and disclosure of health information included in a healthcare recipient’s My Health Record

Division 1  Unauthorised collection, use and disclosure of health information included in a healthcare recipient’s My Health Record

59  Unauthorised collection, use and disclosure of health information included in a healthcare recipient’s My Health Record

             (1)  A person must not collect from the My Health Record system health information included in a healthcare recipient’s My Health Record if the collection by the person is not authorised under Division 2, and the person knows or is reckless as to that fact.

             (2)  A person must not use or disclose health information included in a healthcare recipient’s My Health Record if:

                     (a)  the person obtained the information by using or gaining access to the My Health Record system; and

                     (b)  the use or disclosure is not authorised under Division 2, and the person knows or is reckless as to that fact.

Fault‑based offence

             (3)  A person commits an offence if the person contravenes subsection (1) or (2).

Penalty:  Imprisonment for 2 years or 120 penalty units, or both.

Civil penalty

             (4)  A person is liable to a civil penalty if the person contravenes subsection (1) or (2).

Civil penalty:          600 penalty units.

60  Secondary disclosure

             (1)  A person must not use or disclose health information included in a healthcare recipient’s My Health Record if:

                     (a)  the information was disclosed to the person in contravention of subsection 59(2); and

                     (b)  the person knows that, or is reckless as to whether, the disclosure of the information to the person contravened that subsection.

             (2)  Subsection (1) does not apply if the person discloses the information for the purpose of an appropriate authority investigating the contravention mentioned in paragraph (1)(a).

Fault‑based offence

             (3)  A person commits an offence if the person contravenes subsection (1).

Penalty:  Imprisonment for 2 years or 120 penalty units, or both.

Civil penalty

             (4)  A person is liable to a civil penalty if the person contravenes subsection (1).

Civil penalty:          600 penalty units.

Division 2  Authorised collection, use and disclosure

Subdivision A  Collection, use and disclosure in accordance with access controls

61  Collection, use and disclosure for providing healthcare

             (1)  A participant in the My Health Record system is authorised to collect, use and disclose health information included in a registered healthcare recipient’s My Health Record if the collection, use or disclosure of the health information is:

                     (a)  for the purpose of providing healthcare to the registered healthcare recipient; and

                     (b)  in accordance with:

                              (i)  the access controls set by the registered healthcare recipient; or

                             (ii)  if the registered healthcare recipient has not set access controls—the default access controls specified by the My Health Record Rules or, if the My Health Record Rules do not specify default access controls, by the System Operator.

             (2)  Subsection (1) does not authorise a participant in the My Health Record system to collect, use or disclose health information included in healthcare recipient‑only notes.

62  Collection, use and disclosure to nominated representative

                   A participant in the My Health Record system is authorised to disclose health information included in a registered healthcare recipient’s My Health Record for any purpose if the disclosure of the health information is:

                     (a)  to the registered healthcare recipient’s nominated representative; and

                     (b)  in accordance with:

                              (i)  the access controls set by the registered healthcare recipient; or

                             (ii)  if the healthcare recipient has not set access controls—the default access controls specified by the My Health Record Rules or, if the My Health Record Rules do not specify default access controls, by the System Operator.

Subdivision B  Collection, use and disclosure other than in accordance with access controls

63  Collection, use and disclosure for management of My Health Record system

                   A participant in the My Health Record system is authorised to collect, use and disclose health information included in a healthcare recipient’s My Health Record if:

                     (a)  the collection, use or disclosure is undertaken for the purpose of the management or operation of the My Health Record system, if the healthcare recipient would reasonably expect the participant to collect, use or disclose the health information for that purpose; or

                     (b)  the collection, use or disclosure is undertaken in response to a request by the System Operator for the purpose of performing a function or exercising a power of the System Operator.

Note:          For example, the System Operator might make a request under paragraph (b) for the purposes of section 69 or 70.

64  Collection, use and disclosure in the case of a serious threat

             (1)  A participant in the My Health Record system is authorised to collect, use and disclose health information included in a registered healthcare recipient’s My Health Record if:

                     (a)  the participant reasonably believes that:

                              (i)  the collection, use or disclosure is necessary to lessen or prevent a serious threat to an individual’s life, health or safety; and

                             (ii)  it is unreasonable or impracticable to obtain the healthcare recipient’s consent to the collection, use or disclosure; and

                     (b)  unless the participant is the System Operator—the participant advises the System Operator of the matters in paragraph (a); and

                     (c)  the collection, use or disclosure occurs not later than 5 days after that advice is given.

             (2)  A participant in the My Health Record system is authorised to collect, use and disclose health information included in a healthcare recipient’s My Health Record if the participant reasonably believes that the collection, use or disclosure by the participant is necessary to lessen or prevent a serious threat to public health or public safety.

             (3)  Subsections (1) and (2) do not authorise a participant in the My Health Record system to collect, use or disclose healthcare recipient only-notes.

65  Collection, use and disclosure authorised by law

             (1)  Subject to section 69, a participant in the My Health Record system is authorised to collect, use and disclose health information included in a healthcare recipient’s My Health Record if the collection, use or disclosure is required or authorised by Commonwealth, State or Territory law.

             (2)  Subsection (1) does not authorise a participant in the My Health Record system to collect, use or disclose healthcare recipient‑only notes.

66  Collection, use and disclosure with healthcare recipient’s consent

             (1)  A participant in the My Health Record system is authorised to disclose for any purpose health information included in a healthcare recipient’s My Health Record to the healthcare recipient.

             (2)  A participant in the My Health Record system is authorised to collect, use and disclose for any purpose health information included in a healthcare recipient’s My Health Record with the consent of the healthcare recipient.

67  Collection, use and disclosure by a healthcare recipient

                   A healthcare recipient is authorised to collect, use and disclose, for any purpose, health information included in his or her My Health Record.

Note:          The information the healthcare recipient can collect through the My Health Record system after cancellation of the healthcare recipient’s registration may be limited.

68  Collection, use and disclosure for indemnity cover

             (1)  A participant in the My Health Record system is authorised to collect, use and disclose health information included in a healthcare recipient’s My Health Record for purposes relating to the provision of indemnity cover for a healthcare provider.

             (2)  Subsection (1) does not authorise a participant in the My Health Record system to collect, use or disclose healthcare recipient‑only notes.

69  Disclosure to courts and tribunals

             (1)  If:

                     (a)  a court or tribunal other than a coroner orders or directs the System Operator to disclose health information included in a healthcare recipient’s My Health Record to the court or tribunal; and

                     (b)  the order or direction is given in the course of proceedings relating to:

                              (i)  this Act; or

                             (ii)  unauthorised access to information through the My Health Record system; or

                            (iii)  the provision of indemnity cover to a healthcare provider; and

                     (c)  apart from this Part, the System Operator would be required to comply with the order or direction;

the System Operator must comply with the order or direction.

             (2)  If a coroner orders or directs the System Operator to disclose health information included in a healthcare recipient’s My Health Record to the coroner, the System Operator must comply with the order or direction.

             (3)  Except as mentioned in subsection (1) or (2), a participant in the My Health Record system, or a healthcare recipient, cannot be required to disclose health information included in a healthcare recipient’s My Health Record to a court or tribunal.

             (4)  Except as mentioned in subsection (1) or (2), the System Operator is not authorised to disclose health information included in a healthcare recipient’s My Health Record to a court or tribunal unless the healthcare recipient consents.

             (5)  Subsections (1) and (2) do not authorise the System Operator to disclose healthcare recipient‑only notes.

70  Disclosure for law enforcement purposes, etc.

             (1)  The System Operator is authorised to use or disclose health information included in a healthcare recipient’s My Health Record if the System Operator reasonably believes that the use or disclosure is reasonably necessary for one or more of the following things done by, or on behalf of, an enforcement body:

                     (a)  the prevention, detection, investigation, prosecution or punishment of criminal offences, breaches of a law imposing a penalty or sanction or breaches of a prescribed law;

                     (b)  the enforcement of laws relating to the confiscation of the proceeds of crime;

                     (c)  the protection of the public revenue;

                     (d)  the prevention, detection, investigation or remedying of seriously improper conduct or prescribed conduct;

                     (e)  the preparation for, or conduct of, proceedings before any court or tribunal, or implementation of the orders of a court or tribunal.

             (2)  So far as subsection (1) relates to paragraph (1)(e), it is subject to section 69.

             (3)  The System Operator is authorised to use or disclose health information included in a healthcare recipient’s My Health Record if the System Operator:

                     (a)  has reason to suspect that unlawful activity that relates to the System Operator’s functions has been, is being or may be engaged in; and

                     (b)  reasonably believes that use or disclosure of the information is necessary for the purposes of an investigation of the matter or in reporting concerns to relevant persons or authorities.

             (4)  If the System Operator uses or discloses personal information under this section, it must make a written note of the use or disclosure.

             (5)  This section does not authorise the System Operator to use or disclose healthcare recipient‑only notes.

Division 3  Prohibitions and authorisations limited to My Health Record system

71  Prohibitions and authorisations limited to health information collected by using the My Health Record system

             (1)  The prohibitions and authorisations under Divisions 1 and 2 in respect of the collection, use and disclosure of health information included in a healthcare recipient’s My Health Record are limited to the collection, use or disclosure of health information obtained by using the My Health Record system.

             (2)  If health information included in a healthcare recipient’s My Health Record can also be obtained by means other than by using the My Health Record system, such a prohibition or authorisation does not apply to health information lawfully obtained by those other means, even if the health information was originally obtained by using the My Health Record system.

Information stored for more than one purpose

             (3)  Without limiting the circumstances in which health information included in a healthcare recipient’s My Health Record and obtained by a person is taken not to be obtained by using or gaining access to the My Health Record system, it is taken not to be so obtained if:

                     (a)  the health information is stored in a repository operated both for the purposes of the My Health Record system and other purposes; and

                     (b)  the person lawfully obtained the health information directly from the repository for those other purposes.

Note:          For example, information that is included in a registered healthcare recipient’s My Health Record may be stored in a repository operated by a State or Territory for purposes related to the My Health Record system and other purposes. When lawfully obtained directly from the repository for those other purposes, the prohibitions and authorisations in this Part will not apply.

Information originally obtained by means of My Health Record system

             (4)  Without limiting the circumstances in which health information included in a healthcare recipient’s My Health Record and obtained by a person is taken not to be obtained by using or gaining access to the My Health Record system, it is taken not to be so obtained if:

                     (a)  the health information was originally obtained by a participant in the My Health Record system by means of the My Health Record system in accordance with this Act; and

                     (b)  after the health information was so obtained, it was stored in such a way that it could be obtained other than by means of the My Health Record system; and

                     (c)  the person subsequently obtained the health information by those other means.

Note:          For example, information that is included in a registered healthcare recipient’s My Health Record may be downloaded into the clinical health records of a healthcare provider and later obtained from those records.

Division 4  Interaction with the Privacy Act 1988

72  Interaction with the Privacy Act 1988

                   An authorisation to collect, use or disclose health information under this Act is also an authorisation to collect, use or disclose the health information for the purposes of the Privacy Act 1988.

73  Contravention of this Act is an interference with privacy

             (1)  An act or practice that contravenes this Act in connection with health information included in a healthcare recipient’s My Health Record or a provision of Part 4 or 5, or would contravene this Act but for a requirement relating to the state of mind of a person, is taken to be:

                     (a)  for the purposes of the Privacy Act 1988, an interference with the privacy of a healthcare recipient; and

                     (b)  covered by section 13 of that Act.

             (2)  The respondent to a complaint under the Privacy Act 1988 about an act or practice, other than an act or practice of an agency or organisation, is the individual who engaged in the act or practice.

             (3)  In addition to the Information Commissioner’s functions under the Privacy Act 1988, the Information Commissioner has the following functions in relation to the My Health Record system:

                     (a)  to investigate an act or practice that may be an interference with the privacy of a healthcare recipient under subsection (1) and, if the Information Commissioner considers it appropriate to do so, to attempt by conciliation to effect a settlement of the matters that gave rise to the investigation;

                     (b)  to do anything incidental or conducive to the performance of those functions.

             (4)  The Information Commissioner has power to do all things that are necessary or convenient to be done for or in connection with the performance of his or her functions under subsection (3).

Note:          An act or practice that is an interference with privacy may be the subject of a complaint under section 36 of the Privacy Act 1988.

73A  Information Commissioner may disclose details of investigations to System Operator

                   The Information Commissioner is authorised to disclose to the System Operator any information or documents that relate to an investigation the Information Commissioner conducts because of the operation of section 73, if the Information Commissioner is satisfied that to do so will enable the System Operator to monitor or improve the operation or security of the My Health Record system.

73B  Obligations of System Operator in relation to correction, etc.

             (1)  The System Operator may, in order to meet its obligations under the Privacy Act 1988 in relation to the correction and alteration of records:

                     (a)  request a participant in the My Health Record system to correct personal information contained in a record included in the My Health Record system and, if the participant does so, to upload the corrected record to the My Health Record system; and

                     (b)  if the participant refuses to do so—direct the participant to attach to the record a note prepared by the healthcare recipient in relation to personal information included in the record, and to upload the record and note to the My Health Record system.

             (2)  A participant in the My Health Record system who is given a direction under paragraph (1)(b) must comply with the direction.

Part 5  Other civil penalty provisions

74  Registered healthcare provider organisations must ensure certain information is given to System Operator

             (1)  A registered healthcare provider organisation is liable for a civil penalty if:

                     (a)  an individual requests access to a healthcare recipient’s My Health Record on behalf or purportedly on behalf of the registered healthcare provider organisation; and

                     (b)  the individual does not give enough information to the System Operator to enable the System Operator to identify the individual who made the request without seeking further information from another person.

Civil penalty:          100 penalty units.

             (2)  Subsection (1) does not require an individual to give more than the minimum information necessary to identify the individual by name.

75  Data breaches

             (1)  This section applies to an entity if:

                     (a)  the entity is, or has at any time been, the System Operator, a registered healthcare provider organisation, a registered repository operator, a registered portal operator or a registered contracted service provider; and

                     (b)  the entity becomes aware that:

                              (i)  a person has, or may have, contravened this Act in a manner involving an unauthorised collection, use or disclosure of health information included in a healthcare recipient’s My Health Record; or

                             (ii)  an event has, or may have, occurred (whether or not involving a contravention of this Act) that compromises, may compromise, has compromised or may have compromised, the security or integrity of the My Health Record system; or

                            (iii)  circumstances have, or may have, arisen (whether or not involving a contravention of this Act) that compromise, may compromise, have compromised or may have compromised, the security or integrity of the My Health Record system; and

                     (c)  the contravention, event or circumstances directly involved, may have involved or may involve the entity.

Note:          This section applies to an entity when the entity becomes aware of a matter referred to in paragraph (b) regardless of when that matter arose or occurred or if the matter is ongoing at the time the entity became aware of the matter.

Notifying the System Operator or Information Commissioner

             (2)  If:

                     (a)  the entity is a registered healthcare provider organisation, a registered repository operator, a registered portal operator or a registered contracted service provider; and

                     (b)  the entity becomes aware that:

                              (i)  the contravention or event referred to in subsection (1) has or may have occurred; or

                             (ii)  the circumstances referred to in subsection (1) have or may have arisen;

then, as soon as practicable after becoming aware, the entity must notify:

                     (c)  in the case of an entity that is a State or Territory authority or an instrumentality of a State or Territory—the System Operator; or

                     (d)  otherwise—both the System Operator and the Information Commissioner.

Civil Penalty:          100 penalty units.

             (3)  If:

                     (a)  the entity is the System Operator; and

                     (b)  the entity becomes aware that:

                              (i)  the contravention or event referred to in subsection (1) has or may have occurred; or

                             (ii)  the circumstances referred to in subsection (1) have or may have arisen;

then, as soon as practicable after becoming aware, the entity must notify the Information Commissioner.

             (4)  If an entity has given notice under subsection (2) or (3) on becoming aware that the contravention, event or circumstances may have occurred or arisen then, despite subsection (2) or (3), the entity need not give notice again on becoming aware that the contravention, event or circumstances has occurred or arisen.

Steps to be taken if contravention, event or circumstances may have occurred or arisen

             (5)  The entity must, as soon as practicable after becoming aware that the contravention, event or circumstances may have occurred or arisen, do the following things:

                     (a)  so far as is reasonably practicable contain the potential contravention, event or circumstances;

                     (b)  evaluate any risks that, if the contravention, event or circumstances has occurred or arisen, may be related to or arise out of the contravention, event or circumstances;

                     (c)  if there is a reasonable likelihood that the contravention, event or circumstance has occurred or arisen and the effects of the contravention, event or circumstances might be serious for at least one healthcare recipient:

                              (i)  if the entity is not the System Operator—ask the System Operator to notify all healthcare recipients that would be affected; or

                             (ii)  if the entity is the System Operator—notify all healthcare recipients that would be affected.

Note:          A contravention of this subsection is not a civil penalty provision. However, contraventions of this Act may have other consequences (for example, cancellation of registration).

Steps to be taken if contravention or event has occurred or the circumstances have arisen

             (6)  The entity must, as soon as practicable after becoming aware that the contravention or event has occurred or the circumstances have arisen, do the following things:

                     (a)  so far as is reasonably practicable, contain the contravention, event or circumstances and undertake a preliminary assessment of the causes;

                     (b)  evaluate any risks that may be related to or arise out of the contravention, event or circumstances;

                     (c)  if the entity is the System Operator:

                              (i)  notify all affected healthcare recipients; and

                             (ii)  if a significant number of healthcare recipients are affected, notify the general public;

                     (d)  if the entity is not the System Operator—ask the System Operator:

                              (i)  to notify all affected healthcare recipients; and

                             (ii)  if a significant number of healthcare recipients are affected, to notify the general public;

                     (e)  take steps to prevent or mitigate the effects of further contraventions, events or circumstances described in paragraph (1)(b).

Note:          A contravention of this subsection is not a civil penalty provision. However, contraventions of this Act may have other consequences (for example, cancellation of registration).

             (7)  If an entity has given notice, or requested that the System Operator give notice, under paragraph (5)(c) then, despite paragraphs (6)(c) and (d), the entity need not give notice or request the System Operator to give notice under paragraphs (6)(c) and (d).

             (8)  The System Operator must comply with a request under paragraph (5)(c) or (6)(d).

76  Requirement to notify if cease to be eligible to be registered

                   A registered healthcare provider organisation, a registered repository operator, a registered portal operator or a registered contracted service provider must give written notice to the System Operator within 14 days of ceasing to be eligible to be so registered.

Civil penalty:          80 penalty units.

77  Requirement not to hold or take records outside Australia

             (1)  The System Operator, a registered repository operator, a registered portal operator or a registered contracted service provider that holds records for the purposes of the My Health Record system (whether or not the records are also held for other purposes) or has access to information relating to such records, must not:

                     (a)  hold the records, or take the records, outside Australia; or

                     (b)  process or handle the information relating to the records outside Australia; or

                     (c)  cause or permit another person:

                              (i)  to hold the records, or take the records, outside Australia; or

                             (ii)  to process or handle the information relating to the records outside Australia.

             (2)  Despite subsection (1), the System Operator is authorised, for the purposes of the operation or administration of the My Health Record system:

                     (a)  to hold and take such records outside Australia, provided that the records do not include:

                              (i)  personal information in relation to a healthcare recipient or a participant in the My Health Record system; or

                             (ii)  identifying information of an individual or entity; and

                     (b)  to process and handle such information outside Australia, provided that the information is neither of the following:

                              (i)  personal information in relation to a healthcare recipient or a participant in the My Health Record system;

                             (ii)  identifying information of an individual or entity.

Fault‑based offence

          (2A)  A person commits an offence if the person contravenes subsection (1).

Penalty:  Imprisonment for 2 years or 120 penalty units, or both.

Note:          Where a fault element for a physical element of an offence is not stated, see section 5.6 of the Criminal Code for the appropriate fault element.

Civil penalty

          (2B)  A person is liable to a civil penalty if the person contravenes subsection (1).

Civil penalty:          600 penalty units.

             (3)  This section does not limit the operation of section 99.

78  My Health Records Rules must not be contravened

                   A person that is, or has at any time been:

                     (a)  a registered healthcare provider organisation; or

                     (b)  a registered repository operator; or

                     (c)  a registered portal operator; or

                     (d)  a registered contracted service provider;

must not contravene a My Health Record Rule that applies to the person.

Civil penalty:          100 penalty units.

Part 6—Enforcement

Division 1—Civil penalties

79  Civil penalty provisions

Enforceable civil penalty provisions

             (1)  Each civil penalty provision of this Act is enforceable under Part 4 of the Regulatory Powers Act.

Note:          Part 4 of the Regulatory Powers Act allows a civil penalty provision to be enforced by obtaining an order for a person to pay a pecuniary penalty for the contravention of the provision.

Authorised applicant

             (2)  For the purposes of Part 4 of the Regulatory Powers Act, the Information Commissioner is an authorised applicant in relation to the civil penalty provisions of this Act.

Relevant court

             (3)  For the purposes of Part 4 of the Regulatory Powers Act, each of the following courts is a relevant court in relation to the civil penalty provisions of this Act:

                     (a)  the Federal Court of Australia;

                     (b)  the Federal Circuit Court of Australia;

                     (c)  a court of a State or Territory that has jurisdiction in relation to the matter.

Extension to external Territories

             (4)  Part 4 of the Regulatory Powers Act, as that Part applies in relation to the civil penalty provisions of this Act, extends to every external Territory.

Liability of the Crown

             (5)  Part 4 of the Regulatory Powers Act, as that Part applies in relation to the civil penalty provisions of this Act, does not make the Crown liable to a pecuniary penalty.

Division 2—Enforceable undertakings

80  Enforceable undertakings

Enforceable provisions

             (1)  This Act is enforceable under Part 6 of the Regulatory Powers Act.

Note:          Part 6 of the Regulatory Powers Act creates a framework for accepting and enforcing undertakings relating to compliance with provisions.

Authorised person

             (2)  For the purposes of Part 6 of the Regulatory Powers Act, each of the following persons is an authorised person in relation to the provisions of this Act:

                     (a)  the System Operator;

                     (b)  the Information Commissioner.

Relevant court

             (3)  For the purposes of Part 6 of the Regulatory Powers Act, each of the following courts is a relevant court in relation to the provisions of this Act:

                     (a)  the Federal Court of Australia;

                     (b)  the Federal Circuit Court of Australia;

                     (c)  a court of a State or Territory that has jurisdiction in relation to the matter.

Enforceable undertaking may be published on website

             (4)  An authorised person in relation to a provision of this Act may publish an undertaking given in relation to the provision on the authorised person’s website.

Extension to external Territories

             (5)  Part 6 of the Regulatory Powers Act, as that Part applies in relation to the provisions of this Act, extends to every external Territory.

Division 3—Injunctions

81  Injunctions

Enforceable provisions

             (1)  This Act is enforceable under Part 7 of the Regulatory Powers Act.

Note:          Part 7 of the Regulatory Powers Act creates a framework for using injunctions to enforce provisions.

Authorised person

             (2)  For the purposes of Part 7 of the Regulatory Powers Act, each of the following persons is an authorised person in relation to the provisions of this Act:

                     (a)  the System Operator;

                     (b)  the Information Commissioner.

Relevant court

             (3)  For the purposes of Part 7 of the Regulatory Powers Act, each of the following courts is a relevant court in relation to the provisions of this Act:

                     (a)  the Federal Court of Australia;

                     (b)  the Federal Circuit Court of Australia;

                     (c)  a court of a State or Territory that has jurisdiction in relation to the matter.

Extension to external Territories

             (4)  Part 7 of the Regulatory Powers Act, as that Part applies in relation to the provisions of this Act, extends to every external Territory.

Part 8—Other matters

Division 1—Review of decisions

97  Review of decisions

             (1)  This section applies to the following decisions of the System Operator:

                     (a)  a decision under section 6 that a person is or is not the authorised representative of a healthcare recipient;

                     (b)  a decision under section 41 to refuse to register a healthcare recipient;

                     (c)  a decision under section 44 to refuse to register a health provider organisation or to impose a condition on such a registration;

                     (d)  a decision under section 49 to refuse to register a person as:

                              (i)  a repository operator; or

                             (ii)  a portal operator; or

                            (iii)  a contracted service provider;

                            or to impose a condition on such a registration;

                     (e)  a decision under section 49 to refuse to specify a repository as a repository to which the registration of a repository operator relates;

                      (f)  a decision under section 51 to cancel or suspend the registration of a healthcare recipient or other entity;

                     (g)  a decision under section 51 to refuse to cancel or suspend the registration of a healthcare recipient or other entity on request;

                     (h)  a decision under section 52 to vary the registration of a healthcare recipient or other entity on request;

                      (i)  a decision under section 52 to refuse to vary the registration of a healthcare recipient or other entity.

             (2)  The System Operator must take such steps as are reasonably necessary in the circumstances to give written notice of the decision to each person affected by the decision, including a statement:

                     (a)  that the person may apply to the System Operator to reconsider the decision; and

                     (b)  of the person’s rights to seek review under subsection (8) of a reconsidered decision.

             (3)  A failure of the System Operator to comply with subsection (2) does not affect the validity of the decision.

             (4)  A person who is given a written notice under subsection (2) may, by written notice given to the System Operator within 28 days after receiving the notice, ask the System Operator to reconsider the decision.

             (5)  A request under subsection (4) must mention the reasons for making the request.

             (6)  The System Operator must:

                     (a)  reconsider the decision within 28 days after receiving the request; and

                     (b)  give to the person who requested the reconsideration written notice of the result of the reconsideration and of the grounds for the result.

             (7)  The notice must include a statement that the person may apply to the Administrative Appeals Tribunal for review of the reconsideration.

             (8)  A person may apply to the Administrative Appeals Tribunal for review of a decision of the System Operator made under subsection (6).

Division 2—Delegations

98  Delegations by the System Operator

             (1)  The System Operator may, by writing, delegate one or more of his or her functions and powers to any of the following:

                     (a)  an APS employee in the Department;

                     (b)  the Chief Executive Medicare;

                     (c)  any other person with the consent of the Minister.

             (2)  Despite subsection (1), the System Operator must not delegate the function referred to in paragraph 15(l) (advising the Minister).

             (3)  If the System Operator is not the Secretary, the System Operator may only delegate a function or power of the System Operator:

                     (a)  to an APS employee in the Department—with the agreement of the Secretary; and

                     (b)  to the Chief Executive Medicare—with the agreement of the Chief Executive Medicare.

             (4)  Each of the following must comply with any written directions of the System Operator:

                     (a)  a delegate;

                     (b)  if the Chief Executive Medicare delegates under subsection 8AC(3) of the Human Services (Medicare) Act 1973 a function delegated to him or her under this section—a subdelegate.

Division 3—Authorisations of entities also cover employees

99  Authorisations extend to employees etc.

                   An authorisation under this Act to an entity (the first entity) is also an authorisation of:

                     (a)  an individual:

                              (i)  who is an employee of the first entity; and

                             (ii)  whose duties involve doing an act that is authorised in relation to the first entity; or

                     (b)  a contracted service provider of a healthcare provider whose duties under a contract with a healthcare provider involve providing information technology services relating to the communication of health information, or health information management services, to the healthcare provider; or

                     (c)  a person (the contractor) performing services under a contract between the contractor and the first entity, if:

                              (i)  the first entity is a participant in the My Health Record system, other than a registered healthcare provider organisation or a registered contracted service provider; and

                             (ii)  the contract relates to the My Health Record system; or

                     (d)  an individual:

                              (i)  who is an employee of a contracted service provider to which paragraph (b) applies or a contractor to which paragraph (c) applies; and

                             (ii)  whose duties relate to the contract mentioned in whichever of those paragraphs applies.

Division 4—Treatment of certain entities

100  Treatment of partnerships

             (1)  This Act applies to a partnership as if it were a person, but with the changes set out in this section.

             (2)  An obligation that would otherwise be imposed on the partnership by this Act is imposed on each partner instead, but may be discharged by any of the partners.

             (3)  An offence against this Act that would otherwise have been committed by the partnership is taken to have been committed by each partner in the partnership, at the time the offence was committed, who:

                     (a)  did the relevant act or made the relevant omission; or

                     (b)  aided, abetted, counselled or procured the relevant act or omission; or

                     (c)  was in any way knowingly concerned in, or party to, the relevant act or omission (whether directly or indirectly and whether by any act or omission of the partner).

             (4)  This section applies to a contravention of a civil penalty provision in a corresponding way to the way in which it applies to an offence.

101  Treatment of unincorporated associations

             (1)  This Act applies to an unincorporated association as if it were a person, but with the changes set out in this section.

             (2)  An obligation that would otherwise be imposed on the unincorporated association by this Act is imposed on each member of the association’s committee of management instead, but may be discharged by any of the members.

             (3)  An offence against this Act that would otherwise have been committed by the unincorporated association is taken to have been committed by each member of the association’s committee of management, at the time the offence was committed, who:

                     (a)  did the relevant act or made the relevant omission; or

                     (b)  aided, abetted, counselled or procured the relevant act or omission; or

                     (c)  was in any way knowingly concerned in, or party to, the relevant act or omission (whether directly or indirectly and whether by any act or omission of the member).

             (4)  This section applies to a contravention of a civil penalty provision in a corresponding way to the way in which it applies to an offence.

102  Treatment of trusts with multiple trustees

             (1)  If a trust has 2 or more trustees, this Act applies to the trust as if it were a person, but with the changes set out in this section.

             (2)  An obligation that would otherwise be imposed on the trust by this Act is imposed on each trustee instead, but may be discharged by any of the trustees.

             (3)  An offence against this Act that would otherwise have been committed by the trust is taken to have been committed by each trustee of the trust, at the time the offence was committed, who:

                     (a)  did the relevant act or made the relevant omission; or

                     (b)  aided, abetted, counselled or procured the relevant act or omission; or

                     (c)  was in any way knowingly concerned in, or party to, the relevant act or omission (whether directly or indirectly and whether by any act or omission of the trustee).

             (4)  This section applies to a contravention of a civil penalty provision in a corresponding way to the way in which it applies to an offence.

104  Division does not apply to Division 3 of Part 3

                   This Division does not have effect for the purposes of Division 3 of Part 3.

Note:          An applicant for registration under that Division must be a legal person.

Division 5—Alternative constitutional bases

105  Alternative constitutional bases

             (1)  Without limiting its effect apart from each of the following subsections of this section, this Act also has effect as provided by that subsection.

             (2)  This Act also has the effect it would have if the System Operator were expressly permitted to perform functions and duties, and exercise powers, under this Act only:

                     (a)  in connection with:

                              (i)  the provision of pharmaceutical, sickness or hospital benefits; or

                             (ii)  the provision of medical services or dental services (without any form of civil conscription); or

                     (b)  for purposes relating to census or statistics; or

                     (c)  in relation to a Territory or a place acquired by the Commonwealth for a public purpose.

             (3)  This Act also has the effect it would have if each reference to collection, use or disclosure of health information were expressly confined to collection, use or disclosure of health information:

                     (a)  in connection with trade or commerce:

                              (i)  between Australia and other countries; or

                             (ii)  among the States; or

                            (iii)  between a Territory and a State or another Territory; or

                     (b)  by means of a postal, telegraphic, telephonic or other like service; or

                     (c)  in connection with:

                              (i)  the provision of pharmaceutical, sickness or hospital benefits; or

                             (ii)  the provision of medical services or dental services (without any form of civil conscription); or

                     (d)  for purposes relating to census or statistics; or

                     (e)  in a Territory or a place acquired by the Commonwealth for a public purpose; or

                      (f)  in relation to a matter that is of international concern.

             (4)  This Act also has the effect it would have if each reference to collection, use or disclosure of health information were expressly confined to collection from or by, use by or disclosure by or to:

                     (a)  a corporation to which paragraph 51(xx) of the Constitution applies; or

                     (b)  the Commonwealth; or

                     (c)  an authority of the Commonwealth.

             (5)  This Act also has the effect it would have if each reference to a registered healthcare provider organisation, registered repository operator, registered portal provider or contracted service provider were expressly confined to a reference to a registered healthcare provider organisation, registered repository operator, registered portal provider or contracted service provider that:

                     (a)  is a corporation to which paragraph 51(xx) of the Constitution applies; or

                     (b)  is the Commonwealth; or

                     (c)  is an authority of the Commonwealth; or

                     (d)  is operating in a Territory or a place acquired by the Commonwealth for a public purpose.

             (6)  This Act also has the effect it would have if its operation in relation to each of the following were expressly confined to an operation for the purposes of giving effect to Australia’s obligations under an agreement between 2 or more countries:

                     (a)  the System Operator;

                     (b)  the Chief Executive Medicare;

                     (c)  the Secretary of the Human Services Department, the Veterans’ Affairs Department or the Defence Department;

                     (d)  a registered healthcare provider organisation;

                     (e)  a registered repository operator;

                      (f)  a registered portal provider;

                     (g)  a contracted service provider;

                     (h)  a healthcare recipient.

             (7)  This Act also has the effect it would have if each reference to a healthcare recipient were expressly confined to a reference to a healthcare recipient who is:

                     (a)  an alien; or

                     (b)  a resident of a Territory.

Definitions

             (8)  A term used in this section and the Constitution has the same meaning in this section as it has in the Constitution.

Division 6—Annual reports and review of Act

106  Annual reports by Information Commissioner

             (1)  The Information Commissioner must, as soon as practicable after the end of each financial year, prepare a report on the Commissioner’s activities during the financial year relating to the My Health Record system.

             (2)  The report must include:

                     (a)  statistics of the following:

                              (i)  complaints received by the Commissioner in relation to the My Health Record system;

                             (ii)  investigations made by the Commissioner in relation to My Health Records or the My Health Record system;

                            (iii)  enforceable undertakings accepted by the Commissioner under this Act;

                            (iv)  proceedings taken by the Commissioner in relation to civil penalty provisions, enforceable undertakings or injunctions; and

                     (b)  any other matter prescribed by the regulations.

             (3)  The Information Commissioner must give a copy of the report to the Minister, and to the Ministerial Council, no later than 30 September after the end of the financial year to which the report relates.

             (4)  The Minister must table a copy of the report in each House of the Parliament within 15 sitting days after the Information Commissioner gives a copy of the report to the Minister.

107  Annual reports by the System Operator

                   The System Operator must include in any annual report prepared by the System Operator and given to the Minister under section 46 of the Public Governance, Performance and Accountability Act 2013:

                     (a)  statistics of the following:

                              (i)  registrations, and cancellations and suspensions of registrations, under this Act;

                             (ii)  use of the My Health Record system by healthcare providers and healthcare recipients;

                            (iii)  complaints received, and investigations undertaken, in relation to the My Health Record system;

                            (iv)  occurrences compromising the integrity or security of the My Health Record system;

                             (v)  enforceable undertakings accepted by the System Operator under this Act;

                            (vi)  proceedings taken by the System Operator in relation to enforceable undertakings or injunctions; and

                     (b)  any other matter prescribed by the regulations.

108  Review of the operation of the Act

             (1)  The Minister must, after consulting the Ministerial Council, appoint an individual to review the operation of this Act.

             (2)  The individual appointed must give a report to the Minister within the later of:

                     (a)  3 years after the commencement of Schedule 1 to the Health Legislation Amendment (eHealth) Act 2015; or

                     (b)  if the Minister makes My Health Records Rules under clause 2 of Schedule 1 to this Act within 3 years after the commencement of Schedule 1 to the Health Legislation Amendment (eHealth) Act 2015—3 years after the day on which the Rules are made.

             (3)  The Minister must:

                     (a)  provide a copy of the report to the Ministerial Council; and

                     (b)  table a copy of the report in each House of Parliament within 15 sitting days after the report is given to the Minister.

Division 7—My Health Records Rules, regulations and other instruments

109  Minister may make My Health Records Rules

             (1)  The Minister may, by legislative instrument, make rules called the My Health Record Rules about matters required or permitted by this Act to be dealt with in the My Health Record Rules.

Consultation

             (2)  Before the Minister makes My Health Records Rules, the Minister must consult:

                     (a)  the System Operator; and

                     (b)  a subcommittee of the Ministerial Council, prescribed by the regulations for the purposes of this paragraph.

A failure to consult does not affect the validity of the Rules.

My Health Records Rules may relate to registration etc.

             (3)  The My Health Record Rules may specify the following:

                     (a)  requirements that a healthcare provider organisation must meet in order to be registered;

                     (b)  requirements that a person, or a repository or other facility (however described) owned or operated by the person, must meet for the person to be registered as a repository operator, a portal operator or a contracted service provider;

                     (c)  conditions on the registration of participants in the My Health Record system;

                     (d)  other requirements relating to the My Health Record system that apply to healthcare recipients or participants in the My Health Record system;

                     (e)  requirements relating to the establishment and the operation of a test environment for the My Health Record system, or another electronic system that interacts directly with the My Health Record system.

             (4)  Requirements referred to in subsection (3) include technical specifications and other requirements in relation to the following:

                     (a)  storage of data and records;

                     (b)  records management;

                     (c)  administration and day‑to‑day operations;

                     (d)  physical and information security;

                     (e)  uploading specified kinds of records.

My Health Records Rules may relate to agreements

          (4A)  The My Health Record Rules may specify that a person must enter into a specified kind of agreement in order to be, and remain, a registered healthcare provider organisation, registered repository operator, registered portal operator or registered contracted service provider.

             (5)  The My Health Record Rules may specify requirements relating to registration of healthcare recipients, including requirements relating to registering a healthcare recipient who has been issued with a healthcare identifier under a pseudonym, and for that purpose may specify such modifications of this Act as are necessary to facilitate such registration.

My Health Records Rules may relate to access control mechanisms

             (6)  The My Health Record Rules may specify matters relating to access control mechanisms, including the following:

                     (a)  the circumstances in which a nominated representative may set access controls;

                     (b)  the circumstances in which access to a healthcare recipient’s My Health Record is to be automatically suspended or cancelled;

                     (c)  default access controls.

My Health Records Rules may relate to authorised representatives and nominated representatives

             (7)  The My Health Record Rules may specify matters relating to authorised representatives and nominated representatives, including the following:

                     (a)  methods of establishing that an individual is an authorised representative or a nominated representative of a healthcare recipient;

                     (b)  requiring a healthcare recipient to verify his or her identity when the healthcare recipient ceases to have an authorised representative;

                     (c)  specifying circumstances in which an authorised representative or a nominated representative is not required to have been assigned a healthcare identifier under paragraph 9(1)(b) of the Healthcare Identifiers Act 2010.

My Health Records Rules may relate to research

          (7A)  The My Health Record Rules may specify requirements with which the System Operator and other entities must comply in relation to the preparation and provision of de‑identified data for research or public health purposes.

My Health Records Rules may apply to specified classes of participants

             (8)  The My Health Record Rules may specify the classes of participants in the My Health Record system to whom, or to which, a particular My Health Record Rule applies.

Incorporation of other instruments

             (9)  Despite subsection 14(2) of the Legislative Instruments Act 2003, the My Health Records Rules may make provision in relation to a matter by applying, adopting or incorporating any matter contained in an instrument or other writing as in force or existing from time to time.

Scope of the My Health Records Rules rule‑making power

           (10)  To avoid doubt, the My Health Records Rules may not do the following:

                     (a)  create an offence or civil penalty;

                     (b)  provide powers of:

                              (i)  arrest or detention; or

                             (ii)  entry, search or seizure;

                     (c)  impose a tax;

                     (d)  set an amount to be appropriated from the Consolidated Revenue Fund under an appropriation in this Act;

                     (e)  directly amend the text of this Act.

           (11)  My Health Records Rules that are inconsistent with the regulations have no effect to the extent of the inconsistency, but My Health Records Rules are taken to be consistent with the regulations to the extent that the Rules are capable of operating concurrently with the regulations.

110  Minister may determine a law of a State or Territory to be a designated privacy law

             (1)  The Minister may, by legislative instrument, determine that a law of a State or Territory is a designated privacy law for the purposes of this Act.

             (2)  A determination made under subsection (1) is a legislative instrument.

111  Guidelines relating to the Information Commissioner’s enforcement powers etc.

             (1)  In exercising a power conferred on the Information Commissioner by this Act, or a power under another Act that is related to such a power, the Information Commissioner must have regard to any relevant guidelines in force under subsection (2).

             (2)  The Information Commissioner must, by legislative instrument, formulate guidelines for the purposes of subsection (1).

Note:          For consultation requirements, see Part 3 of the Legislative Instruments Act 2003.

112  Regulations

             (1)  The Governor‑General may make regulations prescribing matters:

                     (a)  required or permitted by this Act to be prescribed; or

                     (b)  necessary or convenient to be prescribed for carrying out or giving effect to this Act.

             (2)  Without limiting subsection (1), the Governor‑General may make regulations on any matter about which the Minister may make My Health Record Rules.

             (3)  Before the Governor‑General makes regulations, the Minister must consult the Ministerial Council.

             (4)  The regulations may prescribe penalties of not more than 50 penalty units for offences against the regulations.

             (5)  The regulations may provide for civil penalties for contraventions of the regulations, which must not be more than:

                     (a)  50 penalty units for an individual; or

                     (b)  250 penalty units for a body corporate.


Schedule 1—My Health Records for all healthcare recipients

Note:       See section 4A.

Part 1—Opt‑out model for the participation of healthcare recipients in the My Health Record system

  

1  Trial of opt‑out model

             (1)  The Minister may make My Health Records Rules applying Part 2 of this Schedule (the opt‑out model) to a class, or classes, of healthcare recipients.

             (2)  The Minister must not make rules under subclause (1), unless the Minister is satisfied that applying the opt‑out model to that class, or those classes, of healthcare recipients would provide evidence of whether the opt‑out model results in participation in the My Health Record system at a level that provides value for those using the My Health Record system.

             (3)  Before the Minister makes My Health Records Rules under this clause, the Minister must consult a subcommittee of the Ministerial Council, prescribed by the regulations for the purposes of this subclause.

2  Minister may apply the opt‑out model to all healthcare recipients after trial

             (1)  If, having applied the opt‑out model under clause 1, the Minister decides that the opt‑out model results in participation in the My Health Record system at a level that provides value for those using the My Health Record system, the Minister may make My Health Records Rules applying the opt‑out model to all healthcare recipients in Australia.

             (2)  In making the decision, the Minister may take into account:

                     (a)  the evidence obtained in applying the opt‑out model under clause 1; and

                     (b)  any other matter relevant to the decision.

             (3)  Before the Minister makes My Health Records Rules under this clause, the Minister must consult the Ministerial Council.

Part 2  Registering all healthcare recipients

Division 1  Registering healthcare recipients

3  Registration of a healthcare recipient by the System Operator

             (1)  The System Operator may register a healthcare recipient if:

                     (a)  the healthcare recipient is eligible for registration under clause 4; and

                     (b)  the System Operator is satisfied, having regard to the matters (if any) specified in the My Health Records Rules, that the identity of the healthcare recipient has been appropriately verified; and

                     (c)  the System Operator is satisfied that:

                              (i)  the healthcare recipient has been given the opportunity, in accordance with clause 5, to make an election not to be registered; and

                             (ii)  no such election is in force.

             (2)  Despite subclause (1), the System Operator must not register a healthcare recipient:

                     (a)  if the System Operator is satisfied that registering the healthcare recipient may compromise the security or integrity of the My Health Record system, having regard to the matters (if any) prescribed by the My Health Records Rules; or

                     (b)  in other circumstances prescribed by the My Health Records Rules.

4  When a healthcare recipient is eligible for registration

                   A healthcare recipient is eligible for registration if:

                     (a)  a healthcare identifier has been assigned to the healthcare recipient under paragraph 9(1)(b) of the Healthcare Identifiers Act 2010; and

                     (b)  the System Operator has collected the following information in relation to the healthcare recipient:

                              (i)  full name;

                             (ii)  date of birth;

                            (iii)  healthcare identifier, Medicare card number or Department of Veterans’ Affairs file number;

                            (iv)  sex;

                             (v)  such other information as is prescribed by the regulations.

5  Healthcare recipient elects not to be registered

             (1)  A healthcare recipient may, by notice to the System Operator, elect not to be registered.

             (2)  The notice:

                     (a)  must be in the approved form; and

                     (b)  be lodged at a place, or by a means, specified in the form; and

                     (c)  if:

                              (i)  under the My Health Records Rules, it is provided that the election by a member of a class of healthcare recipients must be given within a period, or on the occurrence of an event, specified in those rules; and

                             (ii)  the healthcare recipient is a member of that class;

                            the notice of the election must be given to the System Operator within that period, or on the occurrence of that event.

             (3)  The election begins to be in force on the day on which the healthcare recipient gives notice of the election to the System Operator.

             (4)  The election ceases to be in force on the day on which an application is made under clause 6 to be registered.

6  Healthcare recipients may apply for registration

             (1)  A healthcare recipient may apply to the System Operator for registration of the healthcare recipient.

             (2)  The application must:

                     (a)  be in the approved form; and

                     (b)  include, or be accompanied by, the information and documents required by the form; and

                     (c)  be lodged at a place, or by a means, specified in the form.

             (3)  If:

                     (a)  a healthcare recipient makes an application in accordance with this clause; and

                     (b)  the healthcare recipient is eligible for registration under clause 4; and

                     (c)  the System Operator is satisfied, having regard to the matters (if any) specified in the My Health Records Rules, that the identity of the healthcare recipient has been appropriately verified;

the System Operator must register the healthcare recipient.

             (4)  Despite subclause (3), the System Operator must not register a healthcare recipient:

                     (a)  if the System Operator is satisfied that registering the healthcare recipient may compromise the security or integrity of the My Health Record system, having regard to the matters (if any) prescribed by the My Health Records Rules; or

                     (b)  in other circumstances prescribed by the My Health Records Rules.

Division 2  Information sharing for the purposes of the opt‑out system

7  Collection, use and disclosure of health information by the System Operator

                   The System Operator may collect, use and disclose health information about a healthcare recipient for the purposes of including the health information in the My Health Record of a registered healthcare recipient.

8  Collection, use and disclosure of healthcare identifiers, identifying information and information identifying authorised representatives and nominated representatives

             (1)  An entity mentioned in column 1 of an item of the following table, is authorised to take action of the kind described in column 2 of that item with information of the kind described in column 3 of that item in the circumstances described in column 4 of that item.

 

Collection, use and disclosure for the purpose of the My Health Record system

Item 1
Column 1 (Entity):
    System Operator
Column 2 (Permitted action):
    collect
    use
    disclose
Column 3 (Information):
    identifying information about any of the following:
    (a) a healthcare recipient;
    (b) an authorised representative of a healthcare recipient;
    (c) a nominated representative of a healthcare recipient;
    (d) a healthcare provider
    the healthcare identifier of any of the following:
    (a) a healthcare recipient;
    (b) an authorised representative of a healthcare recipient;
    (c) a nominated representative of a healthcare recipient;
    (d) a healthcare provider
Column 4 (Circumstances):
    the collection, use or disclosure is for the purposes of the My Health Record system

Item 2
Column 1 (Entity):
    System Operator
Column 2 (Permitted action):
    collect
    use
    disclose
Column 3 (Information):
    information relevant to whether a person is an authorised representative, or nominated representative, of another person
Column 4 (Circumstances):
    the collection, use or disclosure is for the purposes of determining whether a person is an authorised representative, or a nominated representative, of another person

Item 3
Column 1 (Entity):
    registered repository operator
    registered portal operator
Column 2 (Permitted action):
    collect
    use
    disclose to a participant in the My Health Record System
Column 3 (Information):
    the healthcare identifier of any of the following:
    (a) a healthcare recipient;
    (b) an authorised representative of a healthcare recipient;
    (c) a nominated representative of a healthcare recipient;
    (d) a healthcare provider
Column 4 (Circumstances):
    the collection, use or disclosure is for the purposes of the My Health Record system

Item 4
Column 1 (Entity):
    service operator for the purposes of the Healthcare Identifiers Act 2010
Column 2 (Permitted action):
    collect from the System Operator
    use
    disclose to the System Operator
Column 3 (Information):
    information relevant to whether a person is an authorised representative, or nominated representative, of another person
Column 4 (Circumstances):
    the collection, use or disclosure is for the purposes of assisting the System Operator to determine whether a person is an authorised representative, or a nominated representative, of another person

Item 5
Column 1 (Entity):
    Chief Executive Medicare
Column 2 (Permitted action):
    collect from the System Operator
    use
    disclose to the System Operator
Column 3 (Information):
    identifying information about any person who is, or may be, any of the following:
    (a) a healthcare recipient;
    (b) an authorised representative of a healthcare recipient;
    (c) a nominated representative of a healthcare recipient
Column 4 (Circumstances):
    the collection, use or disclosure is:
    (a) for the purposes of assisting the System Operator to verify the identity of the person; or
    (b) otherwise for the purposes of the My Health Record system

Item 6
Column 1 (Entity):
    Chief Executive Medicare
Column 2 (Permitted action):
    collect from the System Operator
    use
    disclose to the System Operator
Column 3 (Information):
    information relevant to whether a person is an authorised representative, or nominated representative, of another person
Column 4 (Circumstances):
    the collection, use or disclosure is for the purposes of assisting the System Operator to determine whether a person is an authorised representative, or a nominated representative, of another person

Item 7
Column 1 (Entity):
    Chief Executive Medicare
Column 2 (Permitted action):
    collect
    use
    disclose to a participant in the My Health Record system
Column 3 (Information):
    identifying information about any of the following:
    (a) a healthcare recipient;
    (b) an authorised representative of a healthcare recipient;
    (c) a nominated representative of a healthcare recipient
    healthcare identifier of any of the following:
    (a) a healthcare recipient;
    (b) an authorised representative of a healthcare recipient;
    (c) a nominated representative of a healthcare recipient
Column 4 (Circumstances):
    both of the following are satisfied:
    (a) the collection, use or disclosure is for the purpose of including health information in the healthcare recipient’s My Health Record;
    (b) an election is not currently in force under clause 13 not to have the healthcare recipient’s health information made available to the System Operator

Item 8
Column 1 (Entity):
    Veterans’ Affairs Department
    Defence Department
Column 2 (Permitted action):
    use
    disclose to the System Operator
Column 3 (Information):
    identifying information about any person who is, or may be, any of the following:
    (a) a healthcare recipient;
    (b) an authorised representative of a healthcare recipient;
    (c) a nominated representative of a healthcare recipient
Column 4 (Circumstances):
    the use or disclosure is for the purposes of assisting the System Operator to verify the identity of the person

Item 9
Column 1 (Entity):
    Veterans’ Affairs Department
    Defence Department
Column 2 (Permitted action):
    collect from the service operator under the Healthcare Identifiers Act 2010
    use
    disclose to a participant in the My Health Record system
Column 3 (Information):
    identifying information about any of the following:
    (a) a healthcare recipient;
    (b) an authorised representative of a healthcare recipient;
    (c) a nominated representative of a healthcare recipient
    healthcare identifier of any of the following:
    (a) a healthcare recipient;
    (b) an authorised representative of a healthcare recipient;
    (c) a nominated representative of a healthcare recipient
Column 4 (Circumstances):
    both of the following are satisfied:
    (a) the collection, use or disclosure is for the purpose of including prescribed information in the healthcare recipient’s My Health Record;
    (b) an election is not currently in force under clause 13 not to have the healthcare recipient’s health information made available to the System Operator

Item 10
Column 1 (Entity):
    a prescribed entity
Column 2 (Permitted action):
    collect
    use
    disclose to another prescribed entity
Column 3 (Information):
    identifying information about any person who is, or may be, any of the following:
    (a) a healthcare recipient;
    (b) an authorised representative of a healthcare recipient;
    (c) a nominated representative of a healthcare recipient
Column 4 (Circumstances):
    the collection, use or disclosure is for the purposes of assisting the System Operator to verify the identity of the person

Note:          Under section 15 of the Healthcare Identifiers Act 2010, the service operator under that Act is authorised to collect, use and disclose healthcare identifiers of, and identifying information about, healthcare recipients and their representatives for the purposes of the My Health Record system. The service operator is also authorised to collect, use and disclose healthcare identifiers of, and identifying information about, healthcare providers under section 24 of that Act.

             (2)  If:

                     (a)  any of the following entities discloses information to the System Operator in circumstances in which the information is authorised to be disclosed under subclause (1):

                              (i)  the Chief Executive Medicare;

                             (ii)  the Veterans’ Affairs Department;

                            (iii)  the Defence Department;

                            (iv)  the service operator for the purposes of the Healthcare Identifiers Act 2010;

                             (v)  an entity prescribed for the purposes of item 10 of the table in subclause (1); and

                     (b)  the entity that disclosed the information becomes aware that the information has changed;

that entity must, as soon as practicable after becoming aware of the change, inform the System Operator of the change.

Division 3  Handling health information for the purposes of a healthcare recipient’s My Health Record

Subdivision A  Healthcare provider to upload health information

9  Authorisation for healthcare provider to upload health information

             (1)  A registered healthcare provider organisation is authorised to upload to the My Health Record system any record that includes health information about a registered healthcare recipient, subject to the following:

                     (a)  express advice given by the healthcare recipient to the registered healthcare provider organisation that a particular record, all records or a specified class of records must not be uploaded;

                     (b)  a law of a State or Territory that is prescribed by the regulations for the purposes of subclause (3).

             (2)  A registered healthcare provider organisation is authorised to upload to the My Health Record system a record in relation to a healthcare recipient (the patient) that includes health information about another healthcare recipient (the third party), if the health information about the third party is directly relevant to the healthcare of the patient, subject to a law of a State or Territory that is prescribed by the regulations for the purposes of subclause (3).

             (3)  An authorisation referred to in subclause (1) or (2) has effect despite a law of a State or Territory that requires consent to the disclosure of particular health information:

                     (a)  given expressly; or

                     (b)  given in a particular way;

other than a law of a State or Territory prescribed by the regulations for the purposes of this subclause.

Subdivision B  Functions of the Chief Executive Medicare

10  Registered repository operator

                   It is a function of the Chief Executive Medicare to seek to become a registered repository operator and, if registered, to operate a repository for the purposes of the My Health Record system in accordance with this Division.

11  Uploading health information to the repository

                   At any time when the Chief Executive Medicare is a registered repository operator, the Chief Executive Medicare may, at his or her discretion, upload health information held by the Chief Executive Medicare about a registered healthcare recipient to the repository operated by the Chief Executive Medicare.

12  Making health information available to the System Operator

             (1)  At any time when the Chief Executive Medicare is a registered repository operator, the Chief Executive Medicare may, at his or her discretion, make available to the System Operator health information held by the Chief Executive Medicare about a registered healthcare recipient.

             (2)  Despite subclause (1), the Chief Executive Medicare must not make health information about a healthcare recipient available to the System Operator, if the healthcare recipient has elected under clause 13 not to have the information made available, and that election is in force.

13  Healthcare recipient may elect not to have health information disclosed to the System Operator

             (1)  A healthcare recipient may, by notice to the System Operator, elect not to have health information about the healthcare recipient held by the Chief Executive Medicare made available to the System Operator.

             (2)  The notice under subclause (1):

                     (a)  must be in the approved form; and

                     (b)  be lodged at a place, or by a means, specified in the form; and

                     (c)  if:

                              (i)  under the My Health Records Rules, it is provided that the election by a member of a class of healthcare recipients must be given within a period, or on the occurrence of an event, specified in those rules; and

                             (ii)  the healthcare recipient is a member of that class;

                            the notice of the election must be given to the System Operator within that period, or on the occurrence of that event.

             (3)  The election begins to be in force from the day on which the healthcare recipient gives notice of the election to the System Operator.

             (4)  The election ceases to be in force:

                     (a)  if the healthcare recipient notifies the System Operator that the healthcare recipient withdraws the election—from the day on which the notice is given; and

                     (b)  if another time is prescribed by the My Health Records Rules—at that time.

             (5)  The notice under subclause (4):

                     (a)  must be in the approved form; and

                     (b)  be lodged at a place, or by a means, specified in the form.

14  Health information uploaded or made available may include details of healthcare providers

                   The health information about a healthcare recipient uploaded under clause 11 or made available under clause 12 may include the name of one or more healthcare providers that have provided healthcare to the healthcare recipient.

15  Way in which repository operated not limited by this Division

                   Nothing in this Division limits the way in which the repository is to be operated.

Subdivision C  Other registered repository operators

16  Making health information available to the System Operator

                   A registered repository operator (other than the Chief Executive Medicare) may make available to the System Operator health information held by the registered repository operator about a registered healthcare recipient.

Part 3  Other consequences of applying the opt‑out rules

17  References to other provisions of this Act

                   If Part 2 of this Schedule applies in relation to a healthcare recipient:

                     (a)  Division 4 of Part 2 of this Act does not apply in relation to the healthcare recipient; and

                     (b)  Division 1 of Part 3 of this Act does not apply in relation to the healthcare recipient; and

                     (c)  section 46 applies as if the reference to “this Part” were a reference to “Part 2 of Schedule 1 to this Act”; and

                     (d)  section 50D does not apply in relation to the healthcare recipient; and

                     (e)  paragraphs 51(2)(d) and (e) do not apply in relation to the healthcare recipient (consent to upload information to the My Health Record system); and

                      (f)  section 57 applies as if a reference to a decision under Part 3 to register a healthcare recipient were a reference to a decision under Part 2 of this Schedule to register the healthcare recipient; and

                     (g)  Division 6 of Part 3 of this Act does not apply in relation to the healthcare recipient; and

                     (h)  in relation to the healthcare recipient, the reference in paragraph 97(1)(b) to a decision under section 41 to refuse to register a healthcare recipient is taken to include a reference to a decision under Part 2 of this Schedule to refuse to register the healthcare recipient; and

                      (i)  if the healthcare recipient is registered under Part 2 of this Schedule—a reference in this Act to a registered healthcare recipient is taken to include a reference to the healthcare recipient.


Endnotes

Endnote 1—About the endnotes

The endnotes provide information about this compilation and the compiled law.

The following endnotes are included in every compilation:

Endnote 1—About the endnotes

Endnote 2—Abbreviation key

Endnote 3—Legislation history

Endnote 4—Amendment history

Endnotes about misdescribed amendments and other matters are included in a compilation only as necessary.

Abbreviation key—Endnote 2

The abbreviation key sets out abbreviations that may be used in the endnotes.

Legislation history and amendment history—Endnotes 3 and 4

Amending laws are annotated in the legislation history and amendment history.

The legislation history in endnote 3 provides information about each law that has amended (or will amend) the compiled law. The information includes commencement details for amending laws and details of any application, saving or transitional provisions that are not included in this compilation.

The amendment history in endnote 4 provides information about amendments at the provision (generally section or equivalent) level. It also includes information about any provision of the compiled law that has been repealed in accordance with a provision of the law.

Misdescribed amendments

A misdescribed amendment is an amendment that does not accurately describe the amendment to be made. If, despite the misdescription, the amendment can be given effect as intended, the amendment is incorporated into the compiled law and the abbreviation “(md)” added to the details of the amendment included in the amendment history.

If a misdescribed amendment cannot be given effect as intended, the abbreviation “(md not incorp)” is added to the details of the amendment included in the amendment history.

Endnote 2—Abbreviation key

 

A = Act
ad = added or inserted
am = amended
amdt = amendment
c = clause(s)
C[x] = Compilation No. x
Ch = Chapter(s)
def = definition(s)
Dict = Dictionary
disallowed = disallowed by Parliament
Div = Division(s)
exp = expires/expired or ceases/ceased to have effect
F = Federal Register of Legislative Instruments
gaz = gazette
LI = Legislative Instrument
LIA = Legislative Instruments Act 2003
(md) = misdescribed amendment can be given effect
(md not incorp) = misdescribed amendment cannot be given effect
mod = modified/modification
No. = Number(s)
o = order(s)
Ord = Ordinance
orig = original
par = paragraph(s)/subparagraph(s)/sub‑subparagraph(s)
pres = present
prev = previous
(prev…) = previously
Pt = Part(s)
r = regulation(s)/rule(s)
Reg = Regulation/Regulations
reloc = relocated
renum = renumbered
rep = repealed
rs = repealed and substituted
s = section(s)/subsection(s)
Sch = Schedule(s)
Sdiv = Subdivision(s)
SLI = Select Legislative Instrument
SR = Statutory Rules
Sub‑Ch = Sub‑Chapter(s)
SubPt = Subpart(s)
underlining = whole or part not commenced or to be commenced

 

Endnote 3—Legislation history

 

Act: Personally Controlled Electronic Health Records Act 2012
Number and year: 63, 2012
Assent: 26 June 2012
Commencement:
    s 3–112: 29 June 2012 (s 2(1) item 2)
    Remainder: 26 June 2012 (s 2(1) item 1)

Act: Privacy Amendment (Enhancing Privacy Protection) Act 2012
Number and year: 197, 2012
Assent: 12 Dec 2012
Commencement:
    Sch 5 (item 71) and Sch 6 (items 15–19): 12 Mar 2014 (s 2(1) items 3, 19)
    Sch 6 (item 1): 12 Dec 2012 (s 2(1) item 16)
Application, saving and transitional provisions: Sch 6 (items 1, 15–19)

    as amended by

    Act: Statute Law Revision Act (No. 1) 2015
    Number and year: 5, 2015
    Assent: 25 Feb 2015
    Commencement: Sch 2 (item 6): 12 Mar 2014 (s 2(1) item 7)

Act: Federal Circuit Court of Australia (Consequential Amendments) Act 2013
Number and year: 13, 2013
Assent: 14 Mar 2013
Commencement: Sch 1 (item 465): 12 Apr 2013 (s 2(1) item 2)

Act: Acts and Instruments (Framework Reform) (Consequential Provisions) Act 2015
Number and year: 126, 2015
Assent: 10 Sept 2015
Commencement: Sch 1 (item 475): awaiting commencement (s 2(1) item 2)

Act: Health Legislation Amendment (eHealth) Act 2015
Number and year: 157, 2015
Assent: 26 Nov 2015
Commencement:
    Sch 1 (items 50–106, 111–136), Sch 2 (items 15–84) and Sch 3 (items 4–8): 27 Nov 2015 (s 2(1) item 2)
    Sch 4 (item 1): awaiting commencement (s 2(1) item 3)
Application, saving and transitional provisions: Sch 1 (items 111–136)

 

Endnote 4—Amendment history

 

Provision affected: How affected

Part 1
s 1: am No 157, 2015
s 3: am No 157, 2015
s 4: rs No 157, 2015
s 4A: ad No 157, 2015
s 5: am No 13, 2013; No 157, 2015
s 6: am No 157, 2015
s 7: am No 157, 2015
s 7A: ad No 157, 2015
s 8: am No 157, 2015
s 9: am No 157, 2015
s 10: am No 157, 2015
s 11: am No 157, 2015
s 13B: ad No 157, 2015

Part 2
Part 2 heading: rs No 157, 2015
Division 1
s 15: am No 157, 2015
s 16: rep No 157, 2015
s 17: am No 157, 2015
Division 2: rep No 157, 2015
s 18: rep No 157, 2015
s 19: rep No 157, 2015
s 20: rep No 157, 2015
s 21: rep No 157, 2015
s 22: rep No 157, 2015
s 23: rep No 157, 2015
Division 3: rep No 157, 2015
s 24: rep No 157, 2015
s 25: rep No 157, 2015
s 26: rep No 157, 2015
s 27: rep No 157, 2015
s 28: rep No 157, 2015
s 29: rep No 157, 2015
s 30: rep No 157, 2015
s 31: rep No 157, 2015
s 32: rep No 157, 2015
s 33: rep No 157, 2015
s 34: rep No 157, 2015
s 35: rep No 157, 2015
s 36: rep No 157, 2015
s 37: rep No 157, 2015
Division 4
s 38: am No 157, 2015

Part 3
Division 1
Division 1 heading: am No 157, 2015
Division 1: am No 157, 2015
s 39: am No 157, 2015
s 40: am No 157, 2015
s 41: am No 157, 2015
Division 2
s 43: am No 157, 2015
s 44: am No 157, 2015
s 45: am No 157, 2015
s 45A: ad No 157, 2015
s 45B: ad No 157, 2015
s 45C: ad No 157, 2015
s 46: am No 157, 2015
Division 3
s 48: am No 157, 2015
s 49: am No 157, 2015
s 50: am No 157, 2015
s 50A: ad No 157, 2015
s 50B: ad No 157, 2015
s 50C: ad No 157, 2015
s 50D: ad No 157, 2015
Division 4
s 51: am No 157, 2015
s 52: am No 157, 2015
s 53: am No 157, 2015
s 54: am No 157, 2015
s 55: am No 157, 2015
Division 5
s 57: am No 157, 2015
Division 6
Division 6 heading: rs No 157, 2015
s 58: rs No 157, 2015
s 58A: ad No 157, 2015

Part 4
Part 4 heading: rs No 157, 2015
Division 1
Division 1 heading: rs No 157, 2015
s 59: am No 157, 2015
s 60: am No 157, 2015
Division 2
Subdivision A
s 61: am No 157, 2015
s 62: am No 157, 2015
Subdivision B
s 63: am No 157, 2015
s 64: am No 157, 2015
s 65: am No 157, 2015
s 66: am No 157, 2015
s 67: am No 157, 2015
s 68: am No 157, 2015
s 69: am No 157, 2015
s 70: am No 157, 2015
Division 3
Division 3 heading: rs No 157, 2015
s 71: am No 157, 2015
Division 4
s 72: am No 157, 2015
s 73: am No 197, 2012; No 157, 2015
s 73A: am No 157, 2015
s 73B: am No 157, 2015

Part 5
s 74: am No 157, 2015
s 75: rs No 157, 2015
s 77: am No 157, 2015
s 78: rs No 157, 2015

Part 6
Part 6: rs No 157, 2015
Division 1
s 79: rs No 157, 2015
Division 2
s 80: rs No 157, 2015
Division 3
s 81: rs No 157, 2015
s 82: rep No 157, 2015
s 83: rep No 157, 2015
s 84: rep No 157, 2015
s 85: rep No 157, 2015
s 86: rep No 157, 2015
s 87: rep No 157, 2015
s 88: rep No 157, 2015
s 89: rep No 157, 2015
s 90: rep No 157, 2015
s 91: rep No 157, 2015
s 92: rep No 157, 2015
s 93: rep No 157, 2015
Part 7: rep No 157, 2015
s 94: rep No 157, 2015
s 95: rep No 157, 2015
s 96: rep No 157, 2015

Part 8
Division 1
s 97: am No 157, 2015
Division 2
s 98: am No 157, 2015
Division 3
s 99: am No 157, 2015
Division 4
s 100: am No 157, 2015
s 101: am No 157, 2015
s 102: am No 157, 2015
s 103: rep No 157, 2015
Division 5
s 105: am No 157, 2015
Division 6
s 106: am No 157, 2015
s 107: rs No 157, 2015
s 108: rs No 157, 2015
Division 7
Division 7 heading: rs No 157, 2015
s 109: am No 157, 2015 (Sch 4 item 1)
s 111: am No 126, 2015
s 112: am No 157, 2015

Schedule 1
Schedule 1: ad No 157, 2015
Part 1
c 1: ad No 157, 2015
c 2: ad No 157, 2015

Part 2

 

Division 1

 

c 3...........................................

ad No 157, 2015

c 4...........................................

ad No 157, 2015

c 5...........................................

ad No 157, 2015

c 6...........................................

ad No 157, 2015

Division 2

 

c 7...........................................

ad No 157, 2015

c 8...........................................

ad No 157, 2015

Division 3

 

Subdivision A

 

c 9...........................................

ad No 157, 2015

Subdivision B

 

c 10.........................................

ad No 157, 2015

c 11.........................................

ad No 157, 2015

c 12.........................................

ad No 157, 2015

c 13.........................................

ad No 157, 2015

c 14.........................................

ad No 157, 2015

c 15.........................................

ad No 157, 2015

Subdivision C

 

c 16.........................................

ad No 157, 2015

Part 3

 

c 17.........................................

ad No 157, 2015