Skip to main
Help and resources
Register
for My Account
Sign in
to My Account
Search
Australian Government
Federal Register of Legislation
Site navigation
Constitution
Acts
Legislative instruments
Notifiable instruments
Gazettes
Administrative Arrangements
Prerogative instruments
Norfolk Island
Home
Acts
In force
Text
Details
Authorises
Downloads
All versions
Interactions
My Health Records Act 2012
In force
Administered by
Department of Health, Disability and Ageing
Superseded version
View latest version
Order print copy
Save this title to My Account
Set up an alert
C2023C00382 (C12)
18 October 2023
-
05 July 2024
Legislation text
View document
Select value
Act
Filter active
Table of contents
Enter text to search the table of contents
Collapse
Part 1—Preliminary
1 Short title
2 Commencement
3 Object of Act
4 Simplified outline of this Act
4A Schedule 1
5 Definitions
6 Definition of authorised representative of a healthcare recipient
7 Definition of nominated representative of a healthcare recipient
7A Duties of authorised representative or nominated representative
8 Things done etc. under provisions of other Acts
9 Definition of identifying information
10 Definition of shared health summary
11 Act to bind the Crown
12 Concurrent operation of State laws
13 External Territories
13A System Operator may arrange for use of computer programs to make decisions
13B System Operator may use electronic communications
Collapse
Part 2—The System Operator and the functions of the Chief Executive Medicare
Collapse
Division 1—System Operator
14 Identity of the System Operator
15 Functions of the System Operator
16 Research or public health purposes
17 Retention and destruction of records uploaded to National Repositories Service
Division 4—Functions of Chief Executive Medicare
38 Registered repository operator
Collapse
Part 3—Registration
Collapse
Division 1—Registering healthcare recipients
39 Healthcare recipients may apply for registration
40 When a healthcare recipient is eligible for registration
41 Registration of a healthcare recipient by the System Operator
Collapse
Division 2—Registering healthcare provider organisations
42 Healthcare provider organisation may apply for registration
43 When a healthcare provider organisation is eligible for registration
44 Registration of a healthcare provider organisation
45 Condition of registration—uploading of records, etc.
45A Condition of registration—handling old records that are works subject to copyright
45B Condition of registration—handling old sound recordings and cinematograph films that are subject to copyright
45C Liability where work uploaded in breach of section 45A or 45B
46 Condition of registration—non discrimination in providing healthcare to a healthcare recipient who does not have a My Health Record etc.
Collapse
Division 3—Registering repository operators, portal operators and contracted service providers
47 Persons may apply for registration as a repository operator, a portal operator or a contracted service provider
48 When a person is eligible for registration as a repository operator, a portal operator or a contracted service provider
49 Registration of a repository operator, a portal operator or a contracted service provider
50 Condition about provision of information to System Operator
50A Condition of registration—handling old records that are works subject to copyright
50B Condition of registration—handling old sound recordings and cinematograph films that are subject to copyright
50C Liability where work uploaded in breach of section 50A or 50B
50D Authorisation to make health information available to the System Operator
Collapse
Division 4—Cancellation, suspension and variation of registration
51 Cancellation or suspension of registration
52 Variation of registration
53 Notice of cancellation, suspension or variation of registration etc.
54 Effect of suspension
55 My Health Records Rules may specify requirements after registration is cancelled or suspended
Collapse
Division 5—The Register
56 The Register
57 Entries to be made in Register
Collapse
Division 6—Collection, use and disclosure of information for the purposes of the My Health Record System
58 Collection, use and disclosure of health information by the System Operator
58A Collection, use and disclosure of healthcare identifiers, identifying information and information identifying authorised representatives and nominated representatives
Collapse
Part 4—Collection, use and disclosure of health information included in a healthcare recipient’s My Health Record
Collapse
Division 1—Unauthorised collection, use and disclosure of health information included in a healthcare recipient’s My Health Record
59 Unauthorised collection, use and disclosure of health information included in a healthcare recipient’s My Health Record
59A Unauthorised use of information included in a healthcare recipient’s My Health Record for prohibited purpose
60 Secondary disclosure
Collapse
Division 2—Authorised collection, use and disclosure
Collapse
Subdivision A—Collection, use and disclosure in accordance with access controls
61 Collection, use and disclosure for providing healthcare
62 Collection, use and disclosure to nominated representative
Subdivision B—Collection, use and disclosure other than in accordance with access controls
63 Collection, use and disclosure for management of My Health Record system
64 Collection, use and disclosure in the case of a serious threat
65 Collection, use and disclosure authorised by law
66 Collection, use and disclosure with healthcare recipient’s consent
67 Collection, use and disclosure by a healthcare recipient
68 Collection, use and disclosure for indemnity cover
69 Disclosure to courts and tribunals
69A Disclosure to designated entity under order by judicial officer
69B Judicial officers for orders under section 69A
70 Disclosure in relation to unlawful activity
Subdivision C—Unauthorised use of information included in a healthcare recipient’s My Health Record for prohibited purpose
70A Definition of prohibited purpose
70B Use for prohibited purpose is unauthorised
Division 3—Prohibitions and authorisations limited to My Health Record system
71 Prohibitions and authorisations limited to health information collected by using the My Health Record system
Division 3A—Offences and penalties in relation to use of My Health Record derived information for prohibited purpose
71AA Definitions
71A Offence for use of My Health Record derived information for prohibited purpose
71B Civil penalty for use of My Health Record derived information for prohibited purpose
Division 4—Interaction with the Privacy Act 1988
72 Interaction with the Privacy Act 1988
73 Contravention of this Act is an interference with privacy
73A Information Commissioner may disclose details of investigations to System Operator
73B Obligations of System Operator in relation to correction, etc.
Collapse
Part 5—Other offences and civil penalty provisions
74 Registered healthcare provider organisations must ensure certain information is given to System Operator
75 Data breaches
76 Requirement to notify if cease to be eligible to be registered
77 Requirement not to hold or take records outside Australia
77A Enforceable requirements in My Health Records Rules must not be contravened: offence
78 My Health Records Rules must not be contravened: civil penalty
Collapse
Part 6—Enforcement
Collapse
Division 1—Civil penalties
79 Civil penalty provisions
Collapse
Division 2—Enforceable undertakings
80 Enforceable undertakings
Collapse
Division 3—Injunctions
81 Injunctions
Collapse
Part 7—Data Governance Board
Collapse
Division 1—Establishment and functions
82 Data Governance Board
83 Functions of the Board
Collapse
Division 2—Membership
84 Membership
85 Appointment of members
86 Qualifications and experience
87 Acting appointments
88 Term of appointment and other terms and conditions
89 Remuneration
90 Resignation
91 Termination of appointment
92 Leave of absence
93 Other paid work
Collapse
Division 3—Meetings of the Data Governance Board
94 Convening meetings
95 Presiding at meetings
96 Quorum
96A Voting at meetings
96B Conduct of meetings
96C Minutes
96D Decisions without meetings
Collapse
Division 4—Other matters relating to the Data Governance Board
96E Relationship between System Operator and Data Governance Board in relation to data for research or public health purposes
96F Board committees
96G Delegation of functions
96H Annual report
96J Board is part of the Department
Collapse
Part 8—Other matters
Collapse
Division 1—Review of decisions
97 Review of decisions
Collapse
Division 2—Delegations
98 Delegations by the System Operator
Collapse
Division 3—Authorisations of entities also cover employees
99 Authorisations extend to employees etc.
Collapse
Division 4—Treatment of certain entities
100 Treatment of partnerships
101 Treatment of unincorporated associations
102 Treatment of trusts with multiple trustees
104 Division does not apply to Division 3 of Part 3
Collapse
Division 5—Alternative constitutional bases
105 Alternative constitutional bases
Collapse
Division 6—Annual reports and review of Act
106 Annual reports by Information Commissioner
107 Annual reports by the System Operator
108 Review of the operation of the Act
Collapse
Division 7—My Health Records Rules, regulations and other instruments
109 Minister may make My Health Records Rules
109A My Health Records Rules relating to data for research or public health purposes
110 Minister may determine a law of a State or Territory to be a designated privacy law
111 Guidelines relating to the Information Commissioner’s enforcement powers etc.
112 Regulations
Collapse
Schedule 1—My Health Records for all healthcare recipients
Collapse
Part 1—Opt out model for the participation of healthcare recipients in the My Health Record system
1 Trial of opt out model
2 Minister may apply the opt out model to all healthcare recipients after trial
Collapse
Part 2—Registering all healthcare recipients
Collapse
Division 1—Registering healthcare recipients
3 Registration of a healthcare recipient by the System Operator
4 When a healthcare recipient is eligible for registration
5 Healthcare recipient elects not to be registered
6 Healthcare recipients may apply for registration
Collapse
Division 2—Information sharing for the purposes of the opt out system
7 Collection, use and disclosure of health information by the System Operator
8 Collection, use and disclosure of healthcare identifiers, identifying information and information identifying authorised representatives and nominated representatives
Collapse
Division 3—Handling health information for the purposes of a healthcare recipient’s My Health Record
Collapse
Subdivision A—Healthcare provider to upload health information
9 Authorisation for healthcare provider to upload health information
Subdivision B—Functions of the Chief Executive Medicare
10 Registered repository operator
11 Uploading health information to the repository
12 Making health information available to the System Operator
13 Healthcare recipient may elect not to have health information disclosed to the System Operator
14 Health information uploaded or made available may include details of healthcare providers
15 Way in which repository operated not limited by this Division
Subdivision C—Other registered repository operators
16 Making health information available to the System Operator
Part 3—Other consequences of applying the opt out rules
17 References to other provisions of this Act
Endnotes
Endnote 1—About the endnotes
Endnote 2—Abbreviation key
Endnote 3—Legislation history
Endnote 4—Amendment history