An Act to provide for a system of access to electronic health records, and for related purposes
Part 1—Preliminary
1 Short title
This Act may be cited as the My Health Records Act 2012.
2 Commencement
(1) Each provision of this Act specified in column 1 of the table commences, or is taken to have commenced, in accordance with column 2 of the table. Any other statement in column 2 has effect according to its terms.
| Commencement information |
| Column 1 | Column 2 | Column 3 |
| Provision(s) | Commencement | Date/Details |
| 1. Sections 1 and 2 and anything in this Act not elsewhere covered by this table | The day this Act receives the Royal Assent. | 26 June 2012 |
| 2. Sections 3 to 112 | A day or days to be fixed by Proclamation. However, if any of the provision(s) do not commence by the later of: (a) 1 July 2012; and (b) the day this Act receives the Royal Assent; they commence on the day after the later of those days. | 29 June 2012 (see F2012L01395) |
Note: This table relates only to the provisions of this Act as originally enacted. It will not be amended to deal with any later amendments of this Act.
(2) Any information in column 3 of the table is not part of this Act. Information may be inserted in this column, or information in it may be edited, in any published version of this Act.
3 Object of Act
The object of this Act is to enable the establishment and operation of a voluntary national public system for the provision of access to health information relating to recipients of healthcare, to:
(a) help overcome the fragmentation of health information; and
(b) improve the availability and quality of health information; and
(c) reduce the occurrence of adverse medical events and the duplication of treatment; and
(d) improve the coordination and quality of healthcare provided to healthcare recipients by different healthcare providers.
4 Simplified outline of this Act
The My Health Record system is a national public system for making health information about a healthcare recipient available for the purposes of providing healthcare to the recipient.
A healthcare recipient will have a My Health Record if the recipient registers in the My Health Record system. The Minister may, however, provide that the opt‑out model is to apply under My Health Records Rules made under Schedule 1. A healthcare recipient covered by those Rules will be registered in the My Health Record system, and have a My Health Record, unless the recipient elects to opt‑out of the system.
The My Health Record system is operated by the System Operator. The System Operator operates the National Repositories Service, that stores key records that form part of a healthcare recipient’s My Health Record. Other records are stored by registered repository operators. Together these records make up a healthcare recipient’s My Health Record.
If a healthcare recipient is registered in the My Health Record system, a healthcare provider may upload health information about the recipient to the My Health Record system, unless the record is one which the healthcare recipient has advised the healthcare provider not to upload or the record is not to be uploaded under prescribed laws of a State or Territory.
Health information may be collected, used and disclosed from a healthcare recipient’s My Health Record for the purpose of providing healthcare to the recipient, subject to any access controls set by the recipient (or if none are set, default access controls). There are other limited circumstances in which health information may be collected, used or disclosed from a My Health Record. Criminal and civil penalties apply if a person collects, uses or discloses information from a My Health Record without authorisation. Enforceable undertakings and injunctions are also available to enforce the provisions of this Act.
An authorisation to collect, use or disclose information under this Act is also an authorisation to do so for the purposes of the Privacy Act 1988. A contravention of this Act is also an interference with privacy for the purposes of the Privacy Act 1988, and so can be investigated under that Act.
4A Schedule 1
Schedule 1 has effect.
Note: Schedule 1 deals with the opt‑out model for registering healthcare recipients in the My Health Record system.
5 Definitions
In this Act:
approved form means a form approved by the System Operator, in writing, for the purposes of the provision in which the expression occurs.
Australia, when used in a geographical sense, includes the external Territories.
authorised representative of a healthcare recipient has the meaning given by section 6.
Chief Executive Medicare has the same meaning as in the Human Services (Medicare) Act 1973.
cinematograph film has the same meaning as in the Copyright Act 1968.
civil penalty provision has the same meaning as in the Regulatory Powers Act.
contracted service provider of a healthcare provider organisation means an entity that provides:
(a) information technology services relating to the My Health Record system; or
(b) health information management services relating to the My Health Record system;
to the healthcare provider organisation under a contract with the healthcare provider organisation.
data custodian means the Australian Institute of Health and Welfare.
date of birth accuracy indicator means a data element that is used to indicate how accurate a recorded date of birth is.
date of death accuracy indicator means a data element that is used to indicate how accurate a recorded date of death is.
Defence Department means the Department that:
(a) deals with matters arising under section 1 of the Defence Act 1903; and
(b) is administered by the Minister who administers that section.
designated privacy law means a law determined under section 110 to be a designated privacy law.
employee of an entity includes the following:
(a) an individual who provides services for the entity under a contract for services;
(b) an individual whose services are made available to the entity (including services made available free of charge).
entity means:
(a) a person; or
(b) a partnership; or
(c) any other unincorporated association or body; or
(d) a trust; or
(e) a part of an entity (under a previous application of this definition).
genetic relative of an individual (the first individual) means another individual who is related to the first individual by blood, including a sibling, a parent or a descendant of the first individual.
healthcare means health service within the meaning of subsection 6(1) of the Privacy Act 1988.
healthcare provider means:
(a) an individual healthcare provider; or
(b) a healthcare provider organisation.
healthcare provider organisation means an entity that has conducted, conducts, or will conduct, an enterprise that provides healthcare (including healthcare provided free of charge).
Note: Because of paragraph (e) of the definition of entity, a healthcare provider organisation could be a part of an entity.
healthcare recipient means an individual who has received, receives, or may receive, healthcare.
healthcare recipient‑only notes, in relation to a healthcare recipient, means health information included by the healthcare recipient in his or her My Health Record and described in the My Health Record system as healthcare recipient‑only notes (whether using that expression or an equivalent expression).
Health Department of a State or Territory means a Department of state that:
(a) deals with matters relating to health; and
(b) is administered by the State/Territory Health Minister of the State or Territory.
health information has the meaning given by subsection 6(1) of the Privacy Act 1988.
identifying information has the meaning given by section 9.
index service means the index service maintained by the System Operator for the purposes of the My Health Record system, as mentioned in paragraph 15(a).
individual healthcare provider means an individual who:
(a) has provided, provides, or is to provide, healthcare; or
(b) is registered by a registration authority as a member of a particular health profession.
Ministerial Council means the council (however described) established by the Council of Australian Governments that has responsibility for health matters.
My Health Record of a healthcare recipient means the record of information that is created and maintained by the System Operator in relation to the healthcare recipient, and information that can be obtained by means of that record, including the following:
(a) information included in the entry in the Register that relates to the healthcare recipient;
(b) health information connected in the My Health Record system to the healthcare recipient (including information included in a record accessible through the index service);
(c) other information connected in the My Health Record system to the healthcare recipient, such as information relating to auditing access to the record;
(d) back‑up records of such information.
My Health Records Rules has the meaning given by section 109.
My Health Record system means a system:
(a) that is for:
(i) the collection, use and disclosure of information from many sources using telecommunications services and by other means, and the holding of that information, in accordance with the healthcare recipient’s wishes or in circumstances specified in this Act; and
(ii) the assembly of that information using telecommunications services and by other means so far is it is relevant to a particular healthcare recipient, so that it can be made available, in accordance with the healthcare recipient’s wishes or in circumstances specified in this Act, to facilitate the provision of healthcare to the healthcare recipient or for purposes specified in this Act; and
(b) that involves the performance of functions under this Act by the System Operator.
National Law means:
(a) for a State or Territory other than Western Australia—the Health Practitioner Regulation National Law set out in the Schedule to the Health Practitioner Regulation National Law Act 2009 of Queensland, as it applies (with or without modification) as a law of the State or Territory; or
(b) for Western Australia—the Health Practitioner Regulation National Law (WA) Act 2010 of Western Australia, so far as that Act corresponds to the Health Practitioner Regulation National Law set out in the Schedule to the Health Practitioner Regulation National Law Act 2009 of Queensland.
National Repositories Service means the service referred to in paragraph 15(i).
nominated healthcare provider: a healthcare provider is the nominated healthcare provider of a healthcare recipient if:
(a) an agreement is in force between the healthcare provider and the healthcare recipient that the healthcare provider is the healthcare recipient’s nominated healthcare provider for the purposes of this Act; and
(b) a healthcare identifier has been assigned to the healthcare provider under paragraph 9(1)(a) of the Healthcare Identifiers Act 2010; and
(c) the healthcare provider is an individual registered by a registration authority as one of the following:
(i) a medical practitioner within the meaning of the National Law;
(ii) a registered nurse within the meaning of the National Law;
(iii) an Aboriginal health practitioner, a Torres Strait Islander health practitioner or an Aboriginal and Torres Strait Islander health practitioner within the meaning of the National Law who is included in a class prescribed by the regulations for the purposes of this subparagraph;
(iv) an individual, or an individual included in a class, prescribed by the regulations for the purposes of this subparagraph.
nominated representative of a healthcare recipient has the meaning given by section 7.
parental responsibility: a person has parental responsibility for a healthcare recipient (the child) if, and only if:
(a) the person:
(i) is the child’s parent (including a person who is presumed to be the child’s parent because of a presumption (other than in section 69Q) in Subdivision D of Division 12 of Part VII of the Family Law Act 1975); and
(ii) has not ceased to have parental responsibility for the child because of an order made under the Family Law Act 1975 or a law of a State or Territory; or
(b) under a parenting order (within the meaning of the Family Law Act 1975):
(i) the child is to live with the person; or
(ii) the child is to spend time with the person; or
(iii) the person is responsible for the child’s long‑term or day‑to‑day care, welfare and development; or
(c) the person is entitled to guardianship or custody of, or access to, the child under a law of the Commonwealth, a State or a Territory.
Note: The presumptions in the Family Law Act 1975 include a presumption arising from a court finding that a person is the child’s parent, and a presumption arising from a man executing an instrument under law acknowledging that he is the father of the child.
participant in the My Health Record system means any of the following:
(a) the System Operator;
(b) a registered healthcare provider organisation;
(c) the operator of the National Repositories Service;
(d) a registered repository operator;
(e) a registered portal operator;
(f) a registered contracted service provider, so far as the contracted service provider provides services to a registered healthcare provider.
personal information has the same meaning as in the Privacy Act 1988.
prohibited purpose has the meaning given by section 70A.
record includes a database, register, file or document that contains information in any form (including in electronic form).
Register has the meaning given by section 56.
registered contracted service provider means a contracted service provider that is registered under section 49.
registered healthcare provider organisation means a healthcare provider organisation that is registered under section 44.
registered healthcare recipient means a healthcare recipient who is registered under section 41.
registered portal operator means a person that:
(a) is the operator of an electronic interface that facilitates access to the My Health Record system; and
(b) is registered as a portal operator under section 49.
registered repository operator means a person that:
(a) holds, or can hold, records of information included in My Health Records for the purposes of the My Health Record system; and
(b) is registered as a repository operator under section 49.
registration authority means an entity that is responsible under a law for registering members of a particular health profession.
Regulatory Powers Act means the Regulatory Powers (Standard Provisions) Act 2014.
shared health summary has the meaning given by section 10.
sound recording has the same meaning as in the Copyright Act 1968.
State or Territory authority has the same meaning as in the Privacy Act 1988.
State/Territory Health Minister means:
(a) the Minister of a State; or
(b) the Minister of the Australian Capital Territory; or
(c) the Minister of the Northern Territory;
who is responsible, or principally responsible, for the administration of matters relating to health in the State or Territory, as the case may be.
System Operator has the meaning given by section 14.
this Act includes:
(a) regulations made under this Act; and
(b) the My Health Records Rules.
use health information included in a healthcare recipient’s My Health Record includes the following:
(a) access the information;
(b) view the information;
(c) modify the information;
(d) delete the information.
Veterans’ Affairs Department means the Department that:
(a) deals with matters arising under section 1 of the Veterans’ Entitlements Act 1986; and
(b) is administered by the Minister who administers that section.
Veterans’ Affairs Department file number means a number allocated to a healthcare recipient by the Veterans’ Affairs Department.
work has the same meaning as in the Copyright Act 1968.
6 Definition of authorised representative of a healthcare recipient
Healthcare recipients aged under 14
(1) For the purposes of this Act, each person who the System Operator is satisfied has parental responsibility for a healthcare recipient aged under 14 is the authorised representative of the healthcare recipient.
(1A) Despite subsection (1), a person who has parental responsibility for a healthcare recipient aged under 18 is not the authorised representative of the healthcare recipient if the System Operator is satisfied that:
(a) under a court order or a law of the Commonwealth or a State or Territory, the person must be supervised while spending time with the healthcare recipient; or
(b) the life, health or safety of the healthcare recipient or another person would be put at risk if the person were the authorised representative of the healthcare recipient.
(2) If there is no person who the System Operator is satisfied has parental responsibility for a healthcare recipient aged under 14, or the only such persons are covered by subsection (1A), the authorised representative of the healthcare recipient is:
(a) a person who the System Operator is satisfied is authorised to act on behalf of the healthcare recipient for the purposes of this Act under the law of the Commonwealth or a State or Territory, or a decision of an Australian court or tribunal; or
(b) if there is no such person—a person:
(i) who the System Operator is satisfied is otherwise an appropriate person to be the authorised representative of the healthcare recipient; or
(ii) who is prescribed by the regulations for the purposes of this paragraph.
Healthcare recipients aged between 14 and 17
(3) For the purposes of this Act, a person is the authorised representative of a healthcare recipient aged between 14 and 17 years if the healthcare recipient, by written notice given to the System Operator in the approved form, nominates the person to be his or her authorised representative.
Healthcare recipients aged at least 18
(4) For the purposes of this Act, if the System Operator is satisfied that a healthcare recipient aged at least 18 is not capable of making decisions for himself or herself, the authorised representative of the healthcare recipient is:
(a) a person who the System Operator is satisfied is authorised to act on behalf of the healthcare recipient under the law of the Commonwealth or a State or Territory or a decision of an Australian court or tribunal; or
(b) if there is no such person—a person:
(i) who the System Operator is satisfied is otherwise an appropriate person to be the authorised representative of the healthcare recipient; or
(ii) who is prescribed by the regulations for the purposes of this paragraph.
(5) An authorisation referred to in paragraph (2)(a) or (4)(a) may be conferred by specific reference to the purposes of this Act, or conferred by words of general authorisation that are broad enough to cover that purpose.
(6) A person cannot be the authorised representative of a healthcare recipient unless:
(a) a healthcare identifier has been assigned to the person under paragraph 9(1)(b) of the Healthcare Identifiers Act 2010; or
(b) the My Health Records Rules provide that a healthcare identifier is not required to have been so assigned.
Effect of being an authorised representative
(7) At a time when a healthcare recipient has an authorised representative:
(a) the authorised representative is entitled to do any thing that this Act authorises or requires the healthcare recipient to do; and
(b) the healthcare recipient is not entitled to do any thing that this Act would, apart from this subsection, authorise or require the healthcare recipient to do; and
(c) this Act has effect for all purposes, in relation to a thing done by an authorised representative, as if the healthcare recipient had done the thing.
(8) At a time when a healthcare recipient has one or more authorised representatives, any thing that this Act authorises or requires to be done in relation to the healthcare recipient is to be done in relation to at least one of the healthcare recipient’s authorised representatives. This Act has effect for all purposes as if the thing had been done in relation to the healthcare recipient.
7 Definition of nominated representative of a healthcare recipient
(1) For the purposes of this Act, an individual is the nominated representative of a healthcare recipient if:
(a) an agreement is in force between the individual and the healthcare recipient that the individual is the healthcare recipient’s nominated representative for the purposes of this Act; and
(b) the healthcare recipient has notified the System Operator that the individual is his or her nominated representative.
Effect of being a nominated representative
(2) At a time when a healthcare recipient has a nominated representative:
(a) the nominated representative is entitled to do any thing that this Act authorises or requires the healthcare recipient to do, subject to any limitations:
(i) to which the healthcare recipient’s agreement is subject; and
(ii) that have been notified to the System Operator by the healthcare recipient; and
(b) this Act has effect for all purposes, in relation to a thing done by a nominated representative, as if the healthcare recipient had done the thing, subject to any modifications prescribed by the regulations.
Note: Despite this subsection, a nominated representative must not use information for a prohibited purpose within the meaning of section 70A (even though a healthcare recipient may do so): see subsections 59A(2), 70B(2), 71A(4) and 71B(3).
(3) Despite subsection (2), the System Operator must not permit a nominated representative of a healthcare recipient to set access controls in relation to the healthcare recipient’s My Health Record unless:
(a) a healthcare identifier has been assigned to the nominated representative under paragraph 9(1)(b) of the Healthcare Identifiers Act 2010; or
(b) the My Health Records Rules provide that a healthcare identifier is not required to have been so assigned.
(4) The fact that a healthcare recipient has a nominated representative does not prevent the healthcare recipient doing any thing that this Act authorises or requires the healthcare recipient to do.
(5) At a time when a healthcare recipient has one or more nominated representatives, any thing that this Act authorises or requires to be done in relation to the healthcare recipient may be done in relation to one of the healthcare recipient’s nominated representatives and not in relation to the healthcare recipient to the extent:
(a) agreed between the healthcare recipient and the nominated representative; and
(b) notified to the System Operator by the healthcare recipient.
This Act has effect for all purposes as if the thing had been done in relation to the healthcare recipient.
7A Duties of authorised representative or nominated representative
Duty to ascertain will and preferences
(1) An authorised representative or a nominated representative (a representative) of a healthcare recipient must make reasonable efforts to ascertain the recipient’s will and preferences in relation to the recipient’s My Health Record.
(2) If it is not possible to ascertain the healthcare recipient’s will and preferences, the representative must make reasonable efforts to ascertain the recipient’s likely will and preferences in relation to the recipient’s My Health Record.
(3) The healthcare recipient’s likely will and preferences may be ascertained from sources including the following:
(a) if the representative is a nominated representative—the agreement appointing the representative;
(b) to the extent legally possible, from consultation with people who may be expected to be aware of the recipient’s will and preferences.
Duty to give effect to will and preferences
(4) The representative must give effect to the healthcare recipient’s will and preferences, or likely will and preferences, ascertained in accordance with subsection (1) or (2).
(5) However, if to do so would pose a serious risk to the healthcare recipient’s personal and social wellbeing, the representative must instead act in a manner that promotes the personal and social wellbeing of the healthcare recipient.
Duty if will and preferences cannot be ascertained
(6) If the healthcare recipient’s will and preferences, or likely will and preferences, cannot be ascertained, the representative must act in a manner that promotes the personal and social wellbeing of the healthcare recipient.
8 Things done etc. under provisions of other Acts
(1) A reference in section 6 or 7 to any thing that this Act authorises or requires a healthcare recipient to do is taken to include a reference to any thing that a prescribed provision of another Act authorises or requires a healthcare recipient to do.
(2) A reference in section 6 or 7 to any thing that this Act authorises or requires to be done in relation to a healthcare recipient is taken to include a reference to any thing that a prescribed provision of another Act authorises or requires to be done in relation to a healthcare recipient.
9 Definition of identifying information
(1) Each of the following is identifying information of a healthcare provider who is an individual:
(a) the name of the healthcare provider;
(b) the address of the healthcare provider;
(c) the email address, telephone number and fax number of the healthcare provider;
(d) the date of birth, and the date of birth accuracy indicator, of the healthcare provider;
(e) the sex of the healthcare provider;
(f) the type of healthcare provider that the individual is;
(g) if the healthcare provider is registered by a registration authority—the registration authority’s identifier for the healthcare provider and the status of the registration (such as conditional, suspended or cancelled);
(h) other information that is prescribed by the regulations for the purpose of this paragraph.
(2) Each of the following is identifying information of a healthcare provider that is not an individual:
(a) the name of the healthcare provider;
(b) the address of the healthcare provider;
(c) the email address, telephone number and fax number of the healthcare provider;
(d) if applicable, the ABN (within the meaning of the A New Tax System (Australian Business Number) Act 1999) of the healthcare provider;
(e) if applicable, the ACN (within the meaning of the Corporations Act 2001) of the healthcare provider;
(f) other information that is prescribed by the regulations for the purpose of this paragraph.
(3) Each of the following is identifying information of an individual, other than an individual in the capacity of a healthcare provider:
(a) if applicable, the Medicare number of the individual;
(b) if applicable, the Veterans’ Affairs Department file number of the individual;
(c) the name of the individual;
(d) the address of the individual;
(e) the date of birth, and the date of birth accuracy indicator, of the individual;
(f) the sex of the individual;
(g) if the individual was part of a multiple birth—the order in which the individual was born;
Example: The second of twins.
(h) if applicable, the date of death, and the date of death accuracy indicator, of the individual;
(i) other information that is prescribed by the regulations for the purpose of this paragraph.
10 Definition of shared health summary
The shared health summary of a registered healthcare recipient, at a particular time, is a record that:
(a) was prepared by the healthcare recipient’s nominated healthcare provider and described by him or her as the healthcare recipient’s shared health summary; and
(b) has been uploaded to the National Repositories Service; and
(c) at that time, is the most recent such record to have been uploaded to the National Repositories Service.
Note: This means that there is only one shared health summary for a healthcare recipient at a particular time.
11 Act to bind the Crown
(1) This Act binds the Crown in each of its capacities.
(2) This Act does not make the Crown liable to be prosecuted for an offence.
Note: Subsection (2) does not limit other rights and remedies.
12 Concurrent operation of State laws
It is the intention of the Parliament that this Act is not to apply to the exclusion of a law of a State or Territory to the extent that that law is capable of operating concurrently with this Act.
13 External Territories
This Act extends to every external Territory.
13A System Operator may arrange for use of computer programs to make decisions
(1) The System Operator may arrange for the use, under the System Operator’s control, of computer programs for any purposes for which the System Operator may make decisions under this Act.
(2) A decision made by the operation of a computer program under an arrangement made under subsection (1) is taken to be a decision made by the System Operator.
13B System Operator may use electronic communications
(1) If under this Act the System Operator is required to give information in writing, that requirement is taken to have been met if the System Operator gives the information by means of an electronic communication, as defined in the Electronic Transactions Act 1999.
(2) If under this Act the System Operator is permitted to give information in writing, the System Operator is permitted to give the information by means of an electronic communication, as defined in the Electronic Transactions Act 1999.
Part 2—The System Operator and the functions of the Chief Executive Medicare
Division 1—System Operator
14 Identity of the System Operator
(1) The System Operator is:
(a) the Secretary of the Department; or
(b) if a body established by a law of the Commonwealth is prescribed by the regulations to be the System Operator—that body.
(2) Before regulations are made for the purposes of paragraph (1)(b), the Minister must be satisfied that the Ministerial Council has been consulted in relation to the proposed regulations.
15 Functions of the System Operator
The System Operator has the following functions:
(a) to establish and maintain an index service, for the purposes of the My Health Record system, that:
(i) allows information in different repositories to be connected to registered healthcare recipients; and
(ii) facilitates the retrieval of such information when required, and ensures that registered healthcare recipients, and participants in the My Health Record system who are authorised to collect, use and disclose information, are able to do so readily;
(b) to establish and maintain mechanisms (access control mechanisms) that, subject to any requirements specified in the My Health Records Rules:
(i) enable each registered healthcare recipient to set controls on the healthcare provider organisations and nominated representatives who may obtain access to the healthcare recipient’s My Health Record; and
(ii) specify default access controls that apply if a registered healthcare recipient has not set such controls; and
(iii) specify circumstances in which access to a healthcare recipient’s My Health Record is to be automatically suspended or cancelled;
(c) without limiting paragraph (b), to ensure that the access control mechanisms enable each registered healthcare recipient to specify that access to a healthcare recipient’s My Health Record is only to be:
(i) by healthcare provider organisations and nominated representatives specified by the healthcare recipient; and
(ii) in accordance with any limitations specified by the healthcare recipient, including limitations on the kind of health information to be collected, used or disclosed by such healthcare provider organisations and nominated representatives;
(d) to establish and maintain a reporting service that allows assessment of the performance of the system against performance indicators;
(e) to establish and maintain the Register (see section 56);
(f) to register healthcare recipients and participants in the My Health Record system (see Part 3) and to manage and monitor, on an ongoing basis, the system of registration;
(g) to establish and maintain an audit service that records activity in respect of information in relation to the My Health Record system;
(h) without limiting paragraph (g)—to establish and maintain mechanisms:
(i) that enable each registered healthcare recipient to obtain electronic access to a summary of the flows of information in relation to his or her My Health Record; and
(ii) that enable each registered healthcare recipient to obtain a complete record of the flows of information in relation to his or her My Health Record, on application to the System Operator;
(i) to operate a National Repositories Service that stores key records that form part of a registered healthcare recipient’s My Health Record (including the healthcare recipient’s shared health summary);
(ia) to establish and operate a test environment for the My Health Record system, and other electronic systems that interact directly with the My Health Record system, in accordance with the requirements (if any) in the My Health Records Rules;
(j) to establish a mechanism for handling complaints about the operation of the My Health Record system;
(k) to ensure that the My Health Record system is administered so that problems relating to the administration of the system can be resolved;
(l) to advise the Minister on matters relating to the My Health Record system, including in relation to the matters to be included in the My Health Records Rules (see section 109);
(m) to educate healthcare recipients, participants in the My Health Record system and members of the public about the My Health Record system;
(ma) in accordance with the guidance and direction of the Board established under section 82, to prepare and provide de‑identified data, and, with the consent of the healthcare recipient, health information, for research or public health purposes;
(n) such other functions as are conferred on the System Operator by this Act or any other Act;
(o) to do anything incidental to or conducive to the performance of any of the above functions.
16 Research or public health purposes
The System Operator’s function under paragraph 15(ma) does not include providing de‑identified data or health information to a private health insurer (within the meaning of the Private Health Insurance Act 2007) or any other insurer.
17 Retention and destruction of records uploaded to National Repositories Service
Records
(1) This section applies to a record if:
(a) the record is uploaded to the National Repositories Service; and
(b) the record includes health information that is included in the My Health Record of a healthcare recipient.
Retention of records
(2) The System Operator must ensure that the record is retained for the period:
(a) beginning when the record is first uploaded to the National Repositories Service; and
(b) ending:
(i) 30 years after the death of the healthcare recipient; or
(ii) if the System Operator does not know the date of death of the healthcare recipient—130 years after the date of birth of the healthcare recipient; or
(iii) if, under subsection (3), the record is required to be destroyed because of the cancellation of registration of the healthcare recipient—when the System Operator is required to destroy the record under subsection (4).
Destruction of records after cancellation on request
(3) If the System Operator is required to cancel the registration of the healthcare recipient under subsection 51(1) (cancellation on request), the System Operator must destroy any record that includes health information that is included in the My Health Record of the healthcare recipient, other than the following information:
(a) the name and healthcare identifier of the healthcare recipient;
(b) the name and healthcare identifier of the person who requested the cancellation, if different from the healthcare recipient;
(c) the day the cancellation decision takes effect under subsection 51(7).
(4) The System Operator must comply with subsection (3):
(a) as soon as practicable after the cancellation decision takes effect under subsection 51(7); or
(b) if any of the following requirements apply before the records are destroyed under paragraph (a)—as soon as practicable after the conclusion of the matter to which the requirement relates:
(i) a court order requires the System Operator not to destroy records of the healthcare recipient;
(ii) the System Operator is required to disclose records of the healthcare recipient under section 69 or 69A;
(iii) the System Operator is required to disclose records of the healthcare recipient under a law covered by subsection 65(3).
(5) To avoid doubt, if the System Operator is required under subsection (3) to destroy a record that includes health information, the System Operator must also destroy the following:
(a) any copy of the record;
(b) any previous version of the record;
(c) any back‑up version of the record.
Division 4—Functions of Chief Executive Medicare
38 Registered repository operator
(1) It is a function of the Chief Executive Medicare to seek to become a registered repository operator and, if registered, to operate a repository for the purposes of the My Health Record system in accordance with subsection (2).
(2) Without limiting the way in which the repository is to be operated, at any time when the Chief Executive Medicare is a registered repository operator, the Chief Executive Medicare:
(a) may at his or her discretion upload health information held by the Chief Executive Medicare about a registered healthcare recipient to the repository operated by the Chief Executive Medicare; and
(b) with the consent of a registered healthcare recipient—may at his or her discretion make available to the System Operator health information held by the Chief Executive Medicare about the healthcare recipient.
Note: Section 58 authorises the Chief Executive Medicare to disclose identifying information to the System Operator.
(3) The health information referred to in subsection (2) in relation to a healthcare recipient may include the name of one or more healthcare providers that have provided healthcare to the healthcare recipient.
Part 3—Registration
Division 1—Registering healthcare recipients
Note: This Division does not apply to a healthcare recipient if the opt‑out model applies to the healthcare recipient because of My Health Records Rules made under Schedule 1 to this Act.
39 Healthcare recipients may apply for registration
(1) A healthcare recipient may apply to the System Operator for registration of the healthcare recipient.
(2) The application must:
(a) be in the approved form; and
(b) include, or be accompanied by, the information and documents required by the form; and
(c) be lodged at a place, or by a means, specified in the form.
40 When a healthcare recipient is eligible for registration
A healthcare recipient is eligible for registration if:
(a) a healthcare identifier has been assigned to the healthcare recipient under paragraph 9(1)(b) of the Healthcare Identifiers Act 2010; and
(b) the following information has been provided to the System Operator in relation to the healthcare recipient:
(i) full name;
(ii) date of birth;
(iii) healthcare identifier, Medicare card number or Department of Veterans’ Affairs file number;
(iv) sex;
(v) such other information as is prescribed by the regulations.
41 Registration of a healthcare recipient by the System Operator
(1) The System Operator must decide to register a healthcare recipient if:
(a) an application has been made under section 39 in relation to the healthcare recipient; and
(b) the healthcare recipient is eligible for registration under section 40; and
(c) the System Operator is satisfied, having regard to the matters (if any) specified in the My Health Records Rules, that the identity of the healthcare recipient has been appropriately verified.
Note: The System Operator is not permitted to register a healthcare recipient in any other circumstances.
(2) Despite subsection (1), the System Operator is not required to register a healthcare recipient if the System Operator is satisfied that registering the healthcare recipient may compromise the security or integrity of the My Health Record system, having regard to the matters (if any) prescribed by the My Health Records Rules.
(3) The System Operator is not required to register a healthcare recipient if the healthcare recipient does not consent to a registered healthcare provider organisation uploading to the My Health Record system any record that includes health information about the healthcare recipient, subject to the following:
(a) express advice given by the healthcare recipient to the registered healthcare provider organisation that a particular record, all records or a specified class of records must not be uploaded;
(b) a law of a State or Territory that is prescribed by the regulations for the purposes of subsection (4).
(3A) A registered healthcare provider organisation is authorised to upload to the My Health Record system a record in relation to a healthcare recipient (the patient) that includes health information about another healthcare recipient (the third party), if the health information about the third party is directly relevant to the healthcare of the patient, subject to a law of a State or Territory that is prescribed by the regulations for the purposes of subsection (4).
(4) A consent referred to in subsection (3), and an authorisation given under subsection (3A), have effect despite a law of a State or Territory that requires consent to the disclosure of particular health information:
(a) to be given expressly; or
(b) to be given in a particular way;
other than a law of a State or Territory prescribed by the regulations for the purposes of this subsection.
(5) A decision under subsection (1) takes effect when it is made.
Division 2—Registering healthcare provider organisations
42 Healthcare provider organisation may apply for registration
(1) A healthcare provider organisation may apply to the System Operator for registration of the healthcare provider organisation.
(2) The application must:
(a) be in the approved form; and
(b) include, or be accompanied by, the information and documents required by the form; and
(c) be lodged at a place, or by a means, specified in the form.
43 When a healthcare provider organisation is eligible for registration
A healthcare provider organisation is eligible for registration if:
(a) a healthcare identifier has been assigned under paragraph 9(1)(a) of the Healthcare Identifiers Act 2010 to the healthcare provider organisation; and
(b) the healthcare provider organisation complies with such requirements as are specified in the My Health Records Rules; and
(c) the healthcare provider organisation has agreed to be bound by the conditions imposed by the System Operator on the registration.
44 Registration of a healthcare provider organisation
(1) The System Operator must decide to register a healthcare provider organisation if:
(a) the healthcare provider organisation has made an application under section 42; and
(b) the healthcare provider organisation is eligible for registration under section 43.
(2) Despite subsection (1), the System Operator is not required to register a healthcare provider organisation if the System Operator is satisfied that registering the healthcare provider organisation may compromise the security or integrity of the My Health Record system, having regard to the matters (if any) prescribed by the My Health Records Rules.
(3) The System Operator may impose conditions on the registration.
(4) A decision under subsection (1) takes effect when it is made.
45 Condition of registration—uploading of records, etc.
It is a condition of registration of a healthcare provider organisation that the healthcare provider organisation does not, for the purposes of the My Health Record system:
(a) upload a record that includes health information about a registered healthcare recipient to a repository other than:
(i) a repository that forms part of the National Repositories Service; or
(ii) a repository to which a registered repository operator’s registration relates; or
(b) upload to a repository a record:
(i) that purports to be the shared health summary of a registered healthcare recipient, unless the record would, when uploaded, be the shared health summary of the registered healthcare recipient; or
(ii) that is a record of a kind specified in the My Health Records Rules for the purposes of this paragraph, unless the record has been prepared by an individual healthcare provider to whom a healthcare identifier has been assigned under paragraph 9(1)(a) of the Healthcare Identifiers Act 2010; or
(ba) upload to a repository a record of a kind specified in the My Health Records Rules for the purposes of subparagraph (b)(ii) unless the record is prepared by a person who, at the time the record is prepared, is:
(i) an individual who is registered by a registration authority within the meaning of the Healthcare Identifiers Act 2010, and whose registration is not conditional, suspended, cancelled or lapsed (other than in circumstances prescribed in the My Health Records Rules); or
(ii) an individual who is a member of a professional association described in paragraph 9A(1)(b) of the Healthcare Identifiers Act 2010, and whose membership is not conditional, suspended, cancelled or lapsed (other than in circumstances prescribed by the My Health Records Rules); or
(c) upload a record to a repository if uploading the record would involve an infringement of a moral right of the author, within the meaning of the Copyright Act 1968; or
(d) upload to a repository a record that includes health information about a registered consumer if the consumer has advised that the record is not to be uploaded.
45A Condition of registration—handling old records that are works subject to copyright
Old works must not be uploaded if it would be an infringement of copyright to use the work for healthcare or related purposes
(1) Subsection (2) applies to works made before section 44BB of the Copyright Act 1968 commences.
Note: Section 44BB of the Copyright Act 1968 provides that there is no infringement of copyright if an act comprised in the copyright of a work is done, or authorised to be done, for healthcare or related purposes.
(2) A healthcare provider organisation must not, for the purposes of the My Health Record system, upload the work if it would be an infringement of the copyright in the work for the organisation or another person to do, or authorise to be done, an act comprised in the copyright of the work:
(a) for a purpose for which the collection, use or disclosure of health information is required or authorised under this Act; or
(b) in circumstances in which a permitted general situation exists under item 1 of the table in subsection 16A(1) of the Privacy Act 1988 (serious threat to life, health or safety), or would exist if the act were done, or authorised to be done, by an entity that is an APP entity for the purposes of that Act; or
(c) in circumstances in which a permitted health situation exists under section 16B of the Privacy Act 1988, or would exist if the act were done, or authorised to be done, by an entity that is an organisation for the purposes of that Act; or
(d) for any other purpose relating to healthcare, or the communication or management of health information, prescribed by the regulations.
(3) It is a condition of the registration of a healthcare provider organisation that the organisation complies with the obligation under subsection (2).
45B Condition of registration—handling old sound recordings and cinematograph films that are subject to copyright
(1) Subsection (2) applies to sound recordings and cinematograph films made before section 104C of the Copyright Act 1968 commences.
Note: Section 104C of the Copyright Act 1968 provides that there is no infringement of the copyright if an act comprised in the copyright of a sound recording or cinematograph film is done, or authorised to be done, for healthcare or related purposes.
(2) A healthcare provider organisation must not, for the purposes of the My Health Record system, upload the sound recording or cinematograph film if it would be an infringement of the copyright in the recording or film for the organisation or another person to do an act comprised in the copyright of the recording or film:
(a) for a purpose for which the collection, use or disclosure of health information is required or authorised under this Act; or
(b) in circumstances in which a permitted general situation exists under item 1 of the table in subsection 16A(1) of the Privacy Act 1988 (serious threat to life, health or safety), or would exist if the act were done by an entity that is an APP entity for the purposes of that Act; or
(c) in circumstances in which a permitted health situation exists under section 16B of the Privacy Act 1988, or would exist if the act were done by an entity that is an organisation for the purposes of that Act; or
(d) for any other purpose relating to healthcare, or the communication or management of health information, prescribed by the regulations.
(3) It is a condition of the registration of a healthcare provider organisation that the organisation complies with the obligation under subsection (2).
45C Liability where work uploaded in breach of section 45A or 45B
(1) If any person suffers loss or damage as a result of anything done by an entity that contravenes section 45A or 45B, the person may bring an action for the amount of the loss or damage against the entity in:
(a) the Federal Court of Australia;
(b) the Federal Circuit and Family Court of Australia (Division 2);
(c) a court of a State or Territory that has jurisdiction in relation to the matter.
(2) The action must be brought within 6 years after the loss or damage was suffered.
(3) In determining the damage suffered by the person, the court may include costs incurred by the person as a result of legal action relating to infringement of copyright.
46 Condition of registration—non‑discrimination in providing healthcare to a healthcare recipient who does not have a My Health Record etc.
Healthcare recipient who is not registered
(1) It is a condition of registration of a healthcare provider organisation that the organisation does not:
(a) refuse to provide healthcare to a healthcare recipient because the healthcare recipient is not registered under this Part; or
(b) otherwise discriminate against a healthcare recipient in relation to the provision of healthcare because the healthcare recipient is not registered under this Part.
Registered healthcare recipient’s access controls
(2) It is a condition of registration of a healthcare provider organisation that the organisation does not:
(a) refuse to provide healthcare to a registered healthcare recipient because the healthcare recipient has set particular access controls on his or her My Health Record; or
(b) otherwise discriminate against a healthcare recipient in relation to the provision of healthcare because the healthcare recipient has set particular access controls on his or her My Health Record.
Division 3—Registering repository operators, portal operators and contracted service providers
47 Persons may apply for registration as a repository operator, a portal operator or a contracted service provider
(1) A person may apply to the System Operator for registration as any of the following:
(a) a repository operator;
(b) a portal operator;
(c) a contracted service provider.
(2) An application for registration as a repository operator must specify each repository to which the registration is proposed to relate.
48 When a person is eligible for registration as a repository operator, a portal operator or a contracted service provider
A person is eligible for registration as a repository operator, a portal operator or a contracted service provider if the System Operator is satisfied that:
(a) the person complies with any My Health Records Rules that apply in relation to registration of the particular kind; and
(b) the person has agreed to be bound by the conditions imposed by the System Operator on the person’s registration; and
(c) in the case of a repository operator or a portal operator—the central management and control of the repository operator or portal operator will be located in Australia at all times when the repository operator or portal operator is registered; and
(d) in the case of a repository operator or a portal operator that:
(i) is a State or Territory authority, or an instrumentality of a State or Territory; and
(ii) is not bound by a designated privacy law of the State or Territory;
the repository operator or portal operator is prescribed under section 6F of the Privacy Act 1988.
49 Registration of a repository operator, a portal operator or a contracted service provider
(1) The System Operator must decide to register a person as a repository operator, a portal operator or a contracted service provider if:
(a) the person has made an application under section 47 for registration of that kind; and
(b) the person is eligible for registration of that kind under section 48.
(2) Despite subsection (1), the System Operator is not required to register a person as a repository operator, a portal operator or a contracted service provider if the System Operator is satisfied that registering the person may compromise the security or integrity of the My Health Record system, having regard to the matters (if any) prescribed by the My Health Records Rules.
(3) The System Operator may impose conditions on the registration.
(4) If the System Operator decides to register a person as a repository operator, the decision must specify the repositories to which the registration relates.
(5) A decision under subsection (1) takes effect when it is made.
50 Condition about provision of information to System Operator
It is a condition of registration of a registered repository operator, a registered portal operator or a registered contracted service provider that it must provide to the System Operator information included in the My Health Record of a healthcare recipient if requested to do so by the System Operator.
50A Condition of registration—handling old records that are works subject to copyright
(1) Subsection (2) applies to works made before section 44BB of the Copyright Act 1968 commences.
Note: Section 44BB of the Copyright Act 1968 provides that there is no infringement of copyright if an act comprised in the copyright of a work is done, or authorised to be done, for healthcare or related purposes.
(2) A registered repository operator must not make the work available for the purposes of the My Health Record system, if it would be an infringement of the copyright in the work for the operator or another person to do, or authorise to be done, an act comprised in the copyright of the work:
(a) for a purpose for which the collection, use or disclosure of health information is required or authorised under this Act; or
(b) in circumstances in which a permitted general situation exists under item 1 of the table in subsection 16A(1) of the Privacy Act 1988 (serious threat to life, health or safety), or would exist if the act were done, or authorised to be done, by an entity that is an APP entity for the purposes of that Act; or
(c) in circumstances in which a permitted health situation exists under section 16B of the Privacy Act 1988, or would exist if the act were done, or authorised to be done, by an entity that is an organisation for the purposes of that Act; or
(d) for any other purpose relating to healthcare, or the communication or management of health information, prescribed by the regulations.
(3) It is a condition of the registration of a registered repository operator that the operator complies with subsection (2).
50B Condition of registration—handling old sound recordings and cinematograph films that are subject to copyright
(1) Subsection (2) applies to sound recordings and cinematograph films made before section 104C of the Copyright Act 1968 commences.
Note: Section 104C of the Copyright Act 1968 provides that there is no infringement of the copyright if an act comprised in the copyright of a sound recording or cinematograph film is done, or authorised to be done, for healthcare or related purposes.
(2) A registered repository operator must not, for the purposes of the My Health Record system, make the sound recording or cinematograph film available if it would be an infringement of the copyright in the recording or film for the operator or another person to do any act comprised in the copyright in the recording or film:
(a) for a purpose for which the collection, use or disclosure of health information is required or authorised under this Act; or
(b) in circumstances in which a permitted general situation exists under item 1 of the table in subsection 16A(1) of the Privacy Act 1988 (serious threat to life, health or safety), or would exist if the act were done by an entity that is an APP entity for the purposes of that Act; or
(c) in circumstances in which a permitted health situation exists under section 16B of the Privacy Act 1988, or would exist if the act were done by an entity that is an organisation for the purposes of that Act; or
(d) for any other purpose relating to healthcare, or the communication or management of health information, prescribed by the regulations.
(3) It is a condition of the registration of a registered repository operator that the operator complies with subsection (2).
50C Liability where work uploaded in breach of section 50A or 50B
(1) If any person suffers loss or damage as a result of anything done by an entity that contravenes section 50A or 50B, the person may bring an action for the amount of the loss or damage against the entity in:
(a) the Federal Court of Australia;
(b) the Federal Circuit and Family Court of Australia (Division 2);
(c) a court of a State or Territory that has jurisdiction in relation to the matter.
(2) The action must be brought within 6 years after the loss or damage was suffered.
(3) In determining the damage suffered by the person, the court may include costs incurred by the person as a result of legal action relating to infringement of copyright.
50D Authorisation to make health information available to the System Operator
A registered repository operator (other than the Chief Executive Medicare) is authorised to make health information about a registered healthcare recipient that is held by the operator available to the System Operator.
Division 4—Cancellation, suspension and variation of registration
51 Cancellation or suspension of registration
Cancellation or suspension on request
(1) The System Operator must, in writing, decide to cancel or suspend the registration of a healthcare recipient or other entity if the healthcare recipient or other entity requests the System Operator, in writing, to cancel or suspend the registration.
Cancellation or suspension if healthcare recipient no longer eligible, etc.
(2) The System Operator may, in writing, decide to cancel or suspend the registration of a healthcare recipient if:
(a) the System Operator is no longer satisfied that the healthcare recipient is eligible to be registered; or
(b) the System Operator is no longer satisfied, having regard to the matters (if any) specified in the My Health Records Rules, that the identity of the healthcare recipient has been appropriately verified; or
(c) the System Operator is satisfied that, unless the registration of the healthcare recipient is cancelled, the security or integrity of the My Health Record system may be compromised, having regard to the matters (if any) prescribed by the My Health Records Rules; or
(d) the System Operator is satisfied that the consent referred to in subsection 41(3) in relation to the healthcare recipient has been withdrawn; or
(e) the System Operator is satisfied that the consent referred to in subsection 41(3) in relation to the healthcare recipient was given by an authorised representative or nominated representative of the healthcare recipient, and:
(i) the authorised representative or nominated representative who gave the consent ceases to be an authorised representative or nominated representative of the healthcare recipient; and
(ii) the System Operator requests the healthcare recipient to give consent of the kind referred to in subsection 41(3); and
(iii) the healthcare recipient does not, within a reasonable period, give the consent.
Cancellation or suspension if other entity no longer eligible, etc.
(3) The System Operator may, in writing, decide to cancel or suspend the registration of an entity other than a healthcare recipient if:
(a) the System Operator is no longer satisfied that the entity is eligible to be registered; or
(b) the System Operator is satisfied that:
(i) the entity has contravened this Act or a condition of the entity’s registration; or
(ii) cancellation or suspension of registration is reasonably necessary to prevent such a contravention; or
(iii) cancellation or suspension of registration is otherwise appropriate, having regard to the need to protect the security and integrity of the My Health Record system.
Suspension while investigating action in relation to healthcare recipient’s registration
(4) The System Operator may, in writing, decide to suspend the registration of a healthcare recipient while the System Operator investigates whether to take action under subsection (2) in relation to the healthcare recipient’s registration.
Suspension while investigating action in relation to entity’s registration
(5) The System Operator may, in writing, decide to suspend the registration of an entity other than a healthcare recipient while the System Operator investigates whether to take action under subsection (3) in relation to the entity’s registration.
Cancellation of registration of healthcare recipient on death
(6) The System Operator must decide to cancel the registration of a healthcare recipient if the System Operator is satisfied that the healthcare recipient has died.
When cancellation or suspension takes effect
(7) A decision under this section takes effect:
(a) when it is made; or
(b) if the decision is made at the request of the healthcare recipient or other entity, and the request states that the healthcare recipient or other entity wishes the cancellation or suspension to occur at a specified future time—at that future time.
Note: Under section 53, the System Operator must give the healthcare recipient or other entity notice before cancelling, suspending or varying registration (except in urgent circumstances). The decision to cancel, suspend or vary registration cannot be made before the end of the period specified in the notice.
52 Variation of registration
(1) The System Operator may decide, on the System Operator’s initiative or on the request of a healthcare recipient or other entity, to vary the registration of the healthcare recipient or other entity:
(a) to impose conditions, or additional conditions, on the registration; or
(b) to vary or revoke conditions imposed on the registration; or
(c) in the case of a registered repository operator—to vary the repositories to which the registration relates; or
(d) to correct an error or omission in the registration.
(2) A decision under this section takes effect:
(a) when it is made; or
(b) if the decision is made at the request of the healthcare recipient or other entity, and the request states that the healthcare recipient or other entity wishes the variation to occur at a specified future time—at that future time.
Note: Under section 53, the System Operator must give the healthcare recipient or other entity notice before cancelling, suspending or varying registration (except in urgent circumstances). The decision to cancel, suspend or vary registration cannot be made before the end of the period specified in the notice.
53 Notice of cancellation, suspension or variation of registration etc.
Written notice before cancellation etc. other than in urgent circumstances
(1) The System Operator must give written notice to a healthcare recipient or other entity before:
(a) cancelling or suspending the registration of the healthcare recipient or entity under subsection 51(2), (3), (4) or (5); or
(b) varying the entity’s registration under section 52;
other than as mentioned in subsection (4) of this section (urgency).
(2) The notice:
(a) must state that the System Operator proposes to cancel, suspend or vary the registration and the reasons why; and
(b) in the case of an entity that the System Operator is satisfied has contravened or may contravene this Act or a condition of the entity’s registration—may specify steps that the entity must take in order to address the contravention or possible contravention; and
(c) must invite the healthcare recipient or other entity to make a written submission, within the period specified in the notice, to the System Operator in relation to the proposed cancellation, suspension or variation.
(3) If the System Operator gives written notice to a healthcare recipient or other entity under subsection (1), the System Operator must not decide to cancel, suspend or vary the registration until after the end of the period referred to in paragraph (2)(c).
Cancellation etc. in urgent circumstances
(4) If the System Operator is satisfied that it is necessary, because of the urgency of the circumstances, to cancel, suspend or vary the registration of a healthcare recipient or other entity without following the process outlined in subsections (1) to (3), the System Operator must give written notice to the healthcare recipient or other entity:
(a) cancelling or suspending the registration of the healthcare recipient or entity under subsection 51(2), (3), (4) or (5); or
(b) varying the entity’s registration under section 52.
(5) A decision under subsection (4) takes effect:
(a) when notice of the decision is given under that subsection; or
(b) if a later time is specified in the notice under that subsection—at that later time.
54 Effect of suspension
During any period when the registration of a healthcare recipient or other entity is suspended:
(a) the healthcare recipient or other entity is taken not to be registered for the purposes of Division 2 of Part 4 (authorised collection, use and disclosure of health information), other than:
(i) paragraph 63(b) (collection, use or disclosure on request of the System Operator); and
(ii) subsection 64(1) (serious threat); and
(b) if the entity is a registered repository operator, a registered portal operator or a registered contracted service provider—the entity is taken to be registered for the purposes of the remaining provisions of this Act.
55 My Health Records Rules may specify requirements after registration is cancelled or suspended
(1) The My Health Records Rules may specify the requirements to which the System Operator or another entity is subject after the registration of a healthcare recipient or other entity is cancelled or suspended.
(2) The My Health Records Rules cannot modify the effect of section 54.
(3) The requirements specified in the My Health Records Rules may include requirements relating to the following:
(a) retention, transfer or disposal of My Health Records;
(b) retention, transfer or disposal of other records.
Division 5—The Register
56 The Register
(1) The System Operator must establish and maintain a Register.
(2) The Register may be maintained in electronic form and may be divided into separate parts.
(3) The Register is not a legislative instrument.
57 Entries to be made in Register
If the System Operator decides under this Part to register a healthcare recipient or other entity or to cancel, suspend or vary such a registration, the System Operator must, as soon as practicable after making the decision, ensure that the following information is entered in the Register in relation to the healthcare recipient or other entity:
(a) such administrative information as is necessary for the purposes of the proper operation of the My Health Record system;
(b) such information (if any) as is specified in the My Health Records Rules for the purposes of this paragraph.
Division 6—Collection, use and disclosure of information for the purposes of the My Health Record System
58 Collection, use and disclosure of health information by the System Operator
The System Operator may collect, use and disclose health information about a healthcare recipient for the purposes of including the health information in the My Health Record of a registered healthcare recipient.
58A Collection, use and disclosure of healthcare identifiers, identifying information and information identifying authorised representatives and nominated representatives
(1) An entity mentioned in column 1 of an item of the following table, is authorised to take action of the kind described in column 2 of that item with information of the kind described in column 3 of that item in the circumstances described in column 4 of that item.
| Collection, use and disclosure for the purpose of the My Health Record system |
| Item | Column 1 Entity | Column 2 Permitted action | Column 3 Information | Column 4 Circumstances |
| 1 | System Operator | collect use disclose | identifying information about any of the following: (a) a healthcare recipient; (b) an authorised representative of a healthcare recipient; (c) a nominated representative of a healthcare recipient; (d) a healthcare provider the healthcare identifier of any of the following: (a) a healthcare recipient; (b) an authorised representative of a healthcare recipient; (c) a nominated representative of a healthcare recipient; (d) a healthcare provider | the collection, use or disclosure is for the purposes of the My Health Record system |
| 2 | System Operator | collect use disclose | information relevant to whether a person is an authorised representative, or nominated representative, of another person | the collection, use or disclosure is for the purposes of determining whether a person is an authorised representative, or a nominated representative, of another person |
| 3 | registered repository operator registered portal operator | collect use disclose to a participant in the My Health Record System | the healthcare identifier of any of the following: (a) a healthcare recipient; (b) an authorised representative of a healthcare recipient; (c) a nominated representative of a healthcare recipient; (d) a healthcare provider | the collection, use or disclosure is for the purposes of the My Health Record system |
| 4 | service operator for the purposes of the Healthcare Identifiers Act 2010 | collect from the System Operator use disclose to the System Operator | information relevant to whether a person is an authorised representative, or nominated representative, of another person | the collection, use or disclosure is for the purposes of assisting the System Operator to determine whether a person is an authorised representative, or a nominated representative, of another person |
| 5 | Chief Executive Medicare | collect from the System Operator use disclose to the System Operator | identifying information about any person who is, or may be, any of the following: (a) a healthcare recipient; (b) an authorised representative of a healthcare recipient; (c) a nominated representative of a healthcare recipient | the collection, use or disclosure is: (a) for the purposes of assisting the System Operator to verify the identity of the person; or (b) otherwise for the purposes of the My Health Record system |
| 6 | Chief Executive Medicare | collect from the System Operator use disclose to the System Operator | information relevant to whether a person is an authorised representative, or nominated representative, of another person | the collection, use or disclosure is for the purposes of assisting the System Operator to determine whether a person is an authorised representative, or a nominated representative, of another person |
| 7 | Chief Executive Medicare | collect use disclose to a participant in the My Health Record system | identifying information about any of the following: (a) a healthcare recipient; (b) an authorised representative of a healthcare recipient; (c) a nominated representative of a healthcare recipient healthcare identifier of any of the following: (a) a healthcare recipient; (b) an authorised representative of a healthcare recipient; (c) a nominated representative of a healthcare recipient | the collection, use or disclosure is for the purpose of including health information in the healthcare recipient’s My Health Record |
| 8 | Veterans’ Affairs Department Defence Department | use disclose to the System Operator | identifying information about any person who is, or may be, any of the following: (a) a healthcare recipient; (b) an authorised representative of a healthcare recipient; (c) a nominated representative of a healthcare recipient | the use or disclosure is for the purposes of assisting the System Operator to verify the identity of the person |
| 9 | Veterans’ Affairs Department Defence Department | collect from the service operator under the Healthcare Identifiers Act 2010 use disclose to a participant in the My Health Record system | identifying information about any of the following: (a) a healthcare recipient; (b) an authorised representative of a healthcare recipient; (c) a nominated representative of a healthcare recipient healthcare identifier of any of the following: (a) a healthcare recipient; (b) an authorised representative of a healthcare recipient; (c) a nominated representative of a healthcare recipient | the collection, use or disclosure is for the purpose of including prescribed information in the healthcare recipient’s My Health Record |
| 10 | a prescribed entity | collect use disclose to another prescribed entity | identifying information about any person who is, or may be, any of the following: (a) a healthcare recipient; (b) an authorised representative of a healthcare recipient; (c) a nominated representative of a healthcare recipient | the collection, use or disclosure is for the purposes of assisting the System Operator to verify the identity of the person |
Note: Under section 15 of the Healthcare Identifiers Act 2010, the service operator under that Act is authorised to collect, use and disclose healthcare identifiers of, and identifying information about, healthcare recipients and their representatives for the purposes of the My Health Record system. The service operator is also authorised to collect, use and disclose healthcare identifiers of, and identifying information about, healthcare providers under section 24 of that Act.
(2) If:
(a) any of the following entities discloses information to the System Operator in circumstances in which the information is authorised to be disclosed under subsection (1):
(i) the Chief Executive Medicare;
(ii) the Veterans’ Affairs Department;
(iii) the Defence Department;
(iv) the service operator for the purposes of the Healthcare Identifiers Act 2010;
(v) an entity prescribed for the purposes of item 10 of the table in subsection (1); and
(b) the entity that disclosed the information becomes aware that the information has changed;
that entity must, as soon as practicable after becoming aware of the change, inform the System Operator of the change.
Part 4—Collection, use and disclosure of health information included in a healthcare recipient’s My Health Record
Division 1—Unauthorised collection, use and disclosure of health information included in a healthcare recipient’s My Health Record
59 Unauthorised collection, use and disclosure of health information included in a healthcare recipient’s My Health Record
(1) A person must not collect from the My Health Record system health information included in a healthcare recipient’s My Health Record if the collection by the person is not authorised under Division 2, and the person knows or is reckless as to that fact.
(2) A person must not use or disclose health information included in a healthcare recipient’s My Health Record if:
(a) the person obtained the information by using or gaining access to the My Health Record system; and
(b) the use or disclosure is not authorised under Division 2, and the person knows or is reckless as to that fact.
Fault‑based offence
(3) A person commits an offence if the person contravenes subsection (1) or (2).
Penalty: Imprisonment for 5 years or 300 penalty units, or both.
Civil penalty
(4) A person is liable to a civil penalty if the person contravenes subsection (1) or (2).
Civil penalty: 1,500 penalty units.
59A Unauthorised use of information included in a healthcare recipient’s My Health Record for prohibited purpose
(1) A person must not use health information included in a healthcare recipient’s My Health Record for a prohibited purpose, if the person obtained the information by using or gaining access to the My Health Record system.
Note: For prohibited purpose, see section 70A.
Civil penalty: 1,500 penalty units.
(2) Subsection (1) does not apply if the person is the healthcare recipient, but does apply if the person is the nominated representative of the healthcare recipient (despite subsection 7(2)).
60 Secondary disclosure
(1) A person must not use or disclose health information included in a healthcare recipient’s My Health Record if:
(a) the information was disclosed to the person in contravention of subsection 59(2); and
(b) the person knows that, or is reckless as to whether, the disclosure of the information to the person contravened that subsection.
(2) Subsection (1) does not apply if the person discloses the information for the purpose of an appropriate authority investigating the contravention mentioned in paragraph (1)(a).
Fault‑based offence
(3) A person commits an offence if the person contravenes subsection (1).
Penalty: Imprisonment for 5 years or 300 penalty units, or both.
Civil penalty
(4) A person is liable to a civil penalty if the person contravenes subsection (1).
Civil penalty: 1,500 penalty units.
Division 2—Authorised collection, use and disclosure
Subdivision A—Collection, use and disclosure in accordance with access controls
61 Collection, use and disclosure for providing healthcare
(1) A participant in the My Health Record system is authorised to collect, use and disclose health information included in a registered healthcare recipient’s My Health Record if the collection, use or disclosure of the health information is:
(a) for the purpose of providing healthcare to the registered healthcare recipient; and
(b) in accordance with:
(i) the access controls set by the registered healthcare recipient; or
(ii) if the registered healthcare recipient has not set access controls—the default access controls specified by the My Health Records Rules or, if the My Health Records Rules do not specify default access controls, by the System Operator.
(2) Subsection (1) does not authorise a participant in the My Health Record system to collect, use or disclose health information included in healthcare recipient‑only notes.
62 Collection, use and disclosure to nominated representative
A participant in the My Health Record system is authorised to disclose health information included in a registered healthcare recipient’s My Health Record for any purpose if the disclosure of the health information is:
(a) to the registered healthcare recipient’s nominated representative; and
(b) in accordance with:
(i) the access controls set by the registered healthcare recipient; or
(ii) if the healthcare recipient has not set access controls—the default access controls specified by the My Health Records Rules or, if the My Health Records Rules do not specify default access controls, by the System Operator.
Subdivision B—Collection, use and disclosure other than in accordance with access controls
63 Collection, use and disclosure for management of My Health Record system
A participant in the My Health Record system is authorised to collect, use and disclose health information included in a healthcare recipient’s My Health Record if:
(a) the collection, use or disclosure is undertaken for the purpose of the management or operation of the My Health Record system, if the healthcare recipient would reasonably expect the participant to collect, use or disclose the health information for that purpose; or
(b) the collection, use or disclosure is undertaken in response to a request by the System Operator for the purpose of performing a function or exercising a power of the System Operator.
Note: For example, the System Operator might make a request under paragraph (b) for the purposes of section 69, 69A or 70.
64 Collection, use and disclosure in the case of a serious threat
(1) A participant in the My Health Record system is authorised to collect, use and disclose health information included in a registered healthcare recipient’s My Health Record if:
(a) the participant reasonably believes that:
(i) the collection, use or disclosure is necessary to lessen or prevent a serious threat to an individual’s life, health or safety; and
(ii) it is unreasonable or impracticable to obtain the healthcare recipient’s consent to the collection, use or disclosure; and
(b) unless the participant is the System Operator—the participant advises the System Operator of the matters in paragraph (a); and
(c) the collection, use or disclosure occurs not later than 5 days after that advice is given.
(2) A participant in the My Health Record system is authorised to collect, use and disclose health information included in a healthcare recipient’s My Health Record if the participant reasonably believes that the collection, use or disclosure by the participant is necessary to lessen or prevent a serious threat to public health or public safety.
(3) Subsections (1) and (2) do not authorise a participant in the My Health Record system to collect, use or disclose healthcare recipient‑only notes.
65 Collection, use and disclosure authorised by law
(1) Subject to section 69, a participant in the My Health Record system is authorised to collect, use and disclose health information included in a healthcare recipient’s My Health Record if the collection, use or disclosure is required or authorised by a Commonwealth, State or Territory law covered by subsection (3).
Note: No State or Territory laws are covered by subsection (3).
(2) Subsection (1) does not authorise a participant in the My Health Record system to collect, use or disclose healthcare recipient‑only notes.
(3) This subsection covers the following laws:
(a) this Act;
(b) the Auditor‑General Act 1997;
(c) the Ombudsman Act 1976;
(d) a law of the Commonwealth to the extent that the law requires or authorises the collection, use or disclosure of information for the purposes of performing the Information Commissioner’s functions in relation to the My Health Record system.
66 Collection, use and disclosure with healthcare recipient’s consent
(1) A participant in the My Health Record system is authorised to disclose for any purpose health information included in a healthcare recipient’s My Health Record to the healthcare recipient.
(2) A participant in the My Health Record system is authorised to collect, use and disclose for any purpose health information included in a healthcare recipient’s My Health Record with the consent of the healthcare recipient.
67 Collection, use and disclosure by a healthcare recipient
A healthcare recipient is authorised to collect, use and disclose, for any purpose, health information included in his or her My Health Record.
Note: The information the healthcare recipient can collect through the My Health Record system after cancellation of the healthcare recipient’s registration on request may be limited because of the retention and destruction requirements under section 17.
68 Collection, use and disclosure for indemnity cover
(1) A participant in the My Health Record system is authorised to collect, use and disclose health information included in a healthcare recipient’s My Health Record for purposes relating to the provision of indemnity cover for a healthcare provider.
(2) Subsection (1) does not authorise a participant in the My Health Record system to collect, use or disclose healthcare recipient‑only notes.
69 Disclosure to courts and tribunals
(1) If:
(a) a court or tribunal other than a coroner orders or directs the System Operator to disclose health information included in a healthcare recipient’s My Health Record to the court or tribunal; and
(b) the order or direction is given in the course of proceedings relating to:
(i) this Act; or
(ii) unauthorised access to information through the My Health Record system; or
(iii) the provision of indemnity cover to a healthcare provider; and
(c) apart from this Part, the System Operator would be required to comply with the order or direction;
the System Operator must comply with the order or direction.
(2) If a coroner orders or directs the System Operator to disclose health information included in a healthcare recipient’s My Health Record to the coroner, the System Operator must comply with the order or direction.
(3) Except as mentioned in subsection (1) or (2), a participant in the My Health Record system, or a healthcare recipient, cannot be required to disclose health information included in a healthcare recipient’s My Health Record to a court or tribunal.
(4) Except as mentioned in subsection (1) or (2), the System Operator is not authorised to disclose health information included in a healthcare recipient’s My Health Record to a court or tribunal unless the healthcare recipient consents.
(5) Subsections (1) and (2) do not authorise the System Operator to disclose healthcare recipient‑only notes.
69A Disclosure to designated entity under order by judicial officer
Disclosure to designated entity under order by judicial officer
(1) If an entity that is:
(a) an agency, or a State or Territory authority, within the meaning of the Privacy Act 1988; and
(b) not a court, tribunal or coroner;
(a designated entity) presents to the System Operator an order made under this section, the System Operator must comply with the order.
(2) Except as mentioned in subsection (1) or in accordance with a law covered by subsection 65(3), a participant in the My Health Record system, or a healthcare recipient, cannot be required to disclose health information included in a healthcare recipient’s My Health Record to a designated entity.
(3) This section does not authorise the System Operator to use or disclose healthcare recipient‑only notes.
(4) If the System Operator uses or discloses personal information under this section, the System Operator must make a written note of the use or disclosure.
Application for and making of order
(5) A designated entity may apply to any of the following judicial officers:
(a) a magistrate of a State or Territory;
(b) a judge who is eligible under subsection 69B(2);
for an order under this section in relation to the disclosure, to the entity, of health information included in a healthcare recipient’s My Health Record.
(6) The judicial officer may make the order if:
(a) the designated entity satisfies the judicial officer, by information on oath or affirmation, that:
(i) the designated entity has powers or duties of the kind mentioned in subsection (7); and
(ii) if the designated entity has powers of the kind mentioned in paragraph (7)(a)—the designated entity has exercised or purported to exercise its power to require the System Operator to disclose information to which the order will relate; and
(iii) in all the circumstances, the particular disclosure of the particular information to the designated entity is reasonably necessary for the purposes of a thing done by, or on behalf of, the designated entity; and
(iv) there is no effective means for the designated entity to obtain the particular information, other than an order under this section; and
(b) the judicial officer is satisfied that, having regard to the matter mentioned in subparagraph (a)(iii) and the privacy of the healthcare recipient, the disclosure of the information would not, on balance, unreasonably interfere with the privacy of the healthcare recipient.
(7) A designated entity has powers or duties of the kind mentioned in this subsection if:
(a) the designated entity has power under a law of the Commonwealth or a State or Territory (other than a law covered by subsection 65(3)) to require persons to give information to the designated entity; or
(b) officers of the designated entity are, in the ordinary course of their duties, authorised to execute warrants to enter premises and seize things found, including documents.
(8) The judicial officer must not make the order unless the designated entity or some other person has given the judicial officer, either orally or by affidavit, such further information (if any) as the judicial officer requires concerning the grounds on which the order is being sought.
(9) The order must:
(a) identify the healthcare recipient; and
(b) specify the particular information to be disclosed; and
(c) authorise one or more officers of the designated entity (whether or not named in the order) to obtain the information from the System Operator and require the System Operator to disclose the information to the designated entity; and
(d) specify the day (not more than 6 months after the making of the order) on which the order ceases to have effect; and
(e) state the purpose for which the order is made.
69B Judicial officers for orders under section 69A
Eligible judge of a court created by the Parliament
(1) A judge of a court created by the Parliament may, by writing, consent to be nominated by the Attorney‑General under subsection (2).
(2) The Attorney‑General may, by writing, nominate a judge of a court created by the Parliament in relation to whom a consent is in force under subsection (1) to be eligible for the purposes of paragraph 69A(5)(b).
(3) A nomination under subsection (2) is not a legislative instrument.
Magistrates
(4) A magistrate need not accept the functions conferred by section 69A.
(5) The Governor‑General may:
(a) arrange with the Governor of a State for the performance, by all or any of the persons who from time to time hold office as magistrates of that State, of the functions of a magistrate conferred by section 69A; or
(b) arrange with the Chief Minister of the Australian Capital Territory for the performance, by all or any of the persons who from time to time hold office as magistrates of the Australian Capital Territory, of the functions of a magistrate conferred by section 69A; or
(c) arrange with the Administrator of the Northern Territory for the performance, by all or any of the persons who from time to time hold office as Judges of the Local Court of the Northern Territory, of the functions of a magistrate conferred by section 69A.
Judicial officers exercising powers in personal capacity
(6) The functions conferred on a judicial officer by section 69A are conferred on the judicial officer:
(a) in a personal capacity; and
(b) not as a court or a member of a court.
(7) A judicial officer performing a function conferred by section 69A has the same protection and immunity as if the judicial officer were performing the function:
(a) as the court of which the judicial officer is a member; or
(b) as a member of the court of which the judicial officer is a member.
70 Disclosure in relation to unlawful activity
(3) The System Operator is authorised to use or (subject to subsection (3A)) disclose health information included in a healthcare recipient’s My Health Record if the System Operator:
(a) has reason to suspect that unlawful activity that relates to the System Operator’s functions has been, is being or may be engaged in; and
(b) reasonably believes that use or disclosure of the information is necessary for the purposes of an investigation of the matter or in reporting concerns to relevant persons or authorities.
(3A) The System Operator is authorised to disclose under subsection (3) only the information the relevant person or authority mentioned in paragraph (3)(b) needs to identify the matter or concerns mentioned in that paragraph with sufficient certainty to:
(a) initiate consideration of the matter or concerns; and
(b) if necessary, apply for an order under section 69A in relation to the matter or concerns.
(4) If the System Operator uses or discloses personal information under this section, it must make a written note of the use or disclosure.
(5) This section does not authorise the System Operator to use or disclose healthcare recipient‑only notes.
Subdivision C—Unauthorised use of information included in a healthcare recipient’s My Health Record for prohibited purpose
70A Definition of prohibited purpose
(1) Information included in a healthcare recipient’s My Health Record is used for a prohibited purpose if the person who uses the information does so for any one or more of the following purposes:
(a) the purpose of:
(i) underwriting a contract of insurance that covers the healthcare recipient; or
(ii) determining whether to enter into a contract of insurance that covers the healthcare recipient (whether alone or as a member of a class); or
(iii) determining whether a contract of insurance covers the healthcare recipient in relation to a particular event; or
(iv) an employer employing, or continuing or ceasing to employ, the healthcare recipient;
(b) a purpose prescribed by the regulations.
(2) If the person uses information for purposes that include, or for a purpose that includes, a purpose mentioned in subsection (1), the person is taken to be using the information for a prohibited purpose.
(3) To avoid doubt, use of information is not for a prohibited purpose if the use is solely for:
(a) the purpose of providing healthcare to the healthcare recipient; or
(b) purposes relating to the provision of indemnity cover for a healthcare provider.
(5) References in paragraph (1)(a) to insurance do not include State insurance that does not extend beyond the limits of the State concerned.
(6) For the purposes of this section, using information for a purpose includes requesting or requiring the information for that purpose.
70B Use for prohibited purpose is unauthorised
(1) Despite Subdivisions A and B, a person is not authorised under this Division to use health information included in a registered healthcare recipient’s My Health Record for a prohibited purpose.
(2) Subsection (1) does not apply if the person is the healthcare recipient, but does apply if the person is the nominated representative of the healthcare recipient (despite subsection 7(2)).
Division 3—Prohibitions and authorisations limited to My Health Record system
71 Prohibitions and authorisations limited to health information collected by using the My Health Record system
(1) The prohibitions and authorisations under Divisions 1 and 2 in respect of the collection, use and disclosure of health information included in a healthcare recipient’s My Health Record are limited to the collection, use or disclosure of health information obtained by using the My Health Record system.
(2) If health information included in a healthcare recipient’s My Health Record can also be obtained by means other than by using the My Health Record system, such a prohibition or authorisation does not apply to health information lawfully obtained by those other means, even if the health information was originally obtained by using the My Health Record system.
Information stored for more than one purpose
(3) Without limiting the circumstances in which health information included in a healthcare recipient’s My Health Record and obtained by a person is taken not to be obtained by using or gaining access to the My Health Record system, it is taken not to be so obtained if:
(a) the health information is stored in a repository operated both for the purposes of the My Health Record system and other purposes; and
(b) the person lawfully obtained the health information directly from the repository for those other purposes.
Note: For example, information that is included in a registered healthcare recipient’s My Health Record may be stored in a repository operated by a State or Territory for purposes related to the My Health Record system and other purposes. When lawfully obtained directly from the repository for those other purposes, the prohibitions and authorisations in this Part will not apply.
Information originally obtained by means of My Health Record system
(4) Without limiting the circumstances in which health information included in a healthcare recipient’s My Health Record and obtained by a person is taken not to be obtained by using or gaining access to the My Health Record system, it is taken not to be so obtained if:
(a) the health information was originally obtained by a participant in the My Health Record system by means of the My Health Record system in accordance with this Act; and
(b) after the health information was so obtained, it was stored in such a way that it could be obtained other than by means of the My Health Record system; and
(c) the person subsequently obtained the health information by those other means.
Note: For example, information that is included in a registered healthcare recipient’s My Health Record may be downloaded into the clinical health records of a healthcare provider and later obtained from those records.
Division 3A—Offences and penalties in relation to use of My Health Record‑derived information for prohibited purpose
71AA Definitions
In this Division:
My Health Record of a healthcare recipient includes a My Health Record of the healthcare recipient that has been cancelled or suspended.
use information for a purpose includes request or require the information for that purpose.
71A Offence for use of My Health Record‑derived information for prohibited purpose
(1) A person commits an offence if:
(a) the person uses information; and
(b) the person does so for a prohibited purpose, and the person knows or is reckless as to that fact; and
(c) the information is health information; and
(d) the information is or was included in a healthcare recipient’s My Health Record; and
(e) the person is not the healthcare recipient.
Penalty: Imprisonment for 5 years or 300 penalty units, or both.
(2) Subsection (1) does not apply if the information was not collected from, and is not derived from a disclosure that was made by, a person who obtained the information by using or gaining access to the My Health Record system. For this purpose, it does not matter whether or not any collection or disclosure of the information was authorised under this Act or any other law.
Note: A defendant bears an evidential burden in relation to the matter in subsection (2): see subsection 13.3(3) of the Criminal Code.
(3) Strict liability applies to paragraphs (1)(d) and (e).
Note: For strict liability, see section 6.1 of the Criminal Code.
(4) Despite paragraph (1)(e) and subsection 7(2), subsection (1) of this section applies to a person who is the nominated representative of the healthcare recipient.
71B Civil penalty for use of My Health Record‑derived information for prohibited purpose
(1) A person must not use health information that is or was included in a healthcare recipient’s My Health Record for a prohibited purpose.
Civil penalty: 1,500 penalty units.
(2) Subsection (1) does not apply if the information was not collected from, and is not derived from a disclosure that was made by, a person who obtained the information by using or gaining access to the My Health Record system. For this purpose, it does not matter whether or not any collection or disclosure of the information was authorised under this Act or any other law.
Note: A person bears an evidential burden in relation to the matter in subsection (2): see section 96 of the Regulatory Powers (Standard Provisions) Act 2014.
(3) Subsection (1) does not apply if the person is the healthcare recipient, but does apply if the person is the nominated representative of the healthcare recipient (despite subsection 7(2)).
Division 4—Interaction with the Privacy Act 1988
72 Interaction with the Privacy Act 1988
An authorisation to collect, use or disclose health information under this Act is also an authorisation to collect, use or disclose the health information for the purposes of the Privacy Act 1988.
73 Contravention of this Act is an interference with privacy
(1) An act or practice that contravenes this Act in connection with health information included in a healthcare recipient’s My Health Record or a provision of Part 4 or 5, or would contravene this Act but for a requirement relating to the state of mind of a person, is taken to be:
(a) for the purposes of the Privacy Act 1988, an interference with the privacy of a healthcare recipient; and
(b) covered by section 13 of that Act.
(2) The respondent to a complaint under the Privacy Act 1988 about an act or practice, other than an act or practice of an agency or organisation, is the individual who engaged in the act or practice.
(3) In addition to the Information Commissioner’s functions under the Privacy Act 1988, the Information Commissioner has the following functions in relation to the My Health Record system:
(a) to investigate an act or practice that may be an interference with the privacy of a healthcare recipient under subsection (1) and, if the Information Commissioner considers it appropriate to do so, to attempt by conciliation to effect a settlement of the matters that gave rise to the investigation;
(b) to do anything incidental or conducive to the performance of those functions.
(4) The Information Commissioner has power to do all things that are necessary or convenient to be done for or in connection with the performance of his or her functions under subsection (3).
Note: An act or practice that is an interference with privacy may be the subject of a complaint under section 36 of the Privacy Act 1988.
73A Information Commissioner may disclose details of investigations to System Operator
The Information Commissioner is authorised to disclose to the System Operator any information or documents that relate to an investigation the Information Commissioner conducts because of the operation of section 73, if the Information Commissioner is satisfied that to do so will enable the System Operator to monitor or improve the operation or security of the My Health Record system.
73B Obligations of System Operator in relation to correction, etc.
(1) The System Operator may, in order to meet its obligations under the Privacy Act 1988 in relation to the correction and alteration of records:
(a) request a participant in the My Health Record system to correct personal information contained in a record included in the My Health Record system and, if the participant does so, to upload the corrected record to the My Health Record system; and
(b) if the participant refuses to do so—direct the participant to attach to the record a note prepared by the healthcare recipient in relation to personal information included in the record, and to upload the record and note to the My Health Record system.
(2) A participant in the My Health Record system who is given a direction under paragraph (1)(b) must comply with the direction.
Part 5—Other offences and civil penalty provisions
74 Registered healthcare provider organisations must ensure certain information is given to System Operator
(1) A registered healthcare provider organisation is liable for a civil penalty if:
(a) an individual requests access to a healthcare recipient’s My Health Record on behalf or purportedly on behalf of the registered healthcare provider organisation; and
(b) the individual does not give enough information to the System Operator to enable the System Operator to identify the individual who made the request without seeking further information from another person.
Civil penalty: 100 penalty units.
(2) Subsection (1) does not require an individual to give more than the minimum information necessary to identify the individual by name.
75 Data breaches
(1) This section applies to an entity if:
(a) the entity is, or has at any time been, the System Operator, a registered healthcare provider organisation, a registered repository operator, a registered portal operator or a registered contracted service provider; and
(b) the entity becomes aware that:
(i) a person has, or may have, contravened this Act in a manner involving an unauthorised collection, use or disclosure of health information included in a healthcare recipient’s My Health Record; or
(ii) an event has, or may have, occurred (whether or not involving a contravention of this Act) that compromises, may compromise, has compromised or may have compromised, the security or integrity of the My Health Record system; or
(iii) circumstances have, or may have, arisen (whether or not involving a contravention of this Act) that compromise, may compromise, have compromised or may have compromised, the security or integrity of the My Health Record system; and
(c) the contravention, event or circumstances directly involved, may have involved or may involve the entity.
Note: This section applies to an entity when the entity becomes aware of a matter referred to in paragraph (b) regardless of when that matter arose or occurred or if the matter is ongoing at the time the entity became aware of the matter.
Notifying the System Operator or Information Commissioner
(2) If:
(a) the entity is a registered healthcare provider organisation, a registered repository operator, a registered portal operator or a registered contracted service provider; and
(b) the entity becomes aware that:
(i) the contravention or event referred to in subsection (1) has or may have occurred; or
(ii) the circumstances referred to in subsection (1) have or may have arisen;
then, as soon as practicable after becoming aware, the entity must notify:
(c) in the case of an entity that is a State or Territory authority or an instrumentality of a State or Territory—the System Operator; or
(d) otherwise—both the System Operator and the Information Commissioner.
Civil penalty: 1,500 penalty units.
(3) If:
(a) the entity is the System Operator; and
(b) the entity becomes aware that:
(i) the contravention or event referred to in subsection (1) has or may have occurred; or
(ii) the circumstances referred to in subsection (1) have or may have arisen;
then, as soon as practicable after becoming aware, the entity must notify the Information Commissioner.
(4) If an entity has given notice under subsection (2) or (3) on becoming aware that the contravention, event or circumstances may have occurred or arisen then, despite subsection (2) or (3), the entity need not give notice again on becoming aware that the contravention, event or circumstances has occurred or arisen.
Steps to be taken if contravention, event or circumstances may have occurred or arisen
(5) The entity must, as soon as practicable after becoming aware that the contravention, event or circumstances may have occurred or arisen, do the following things:
(a) so far as is reasonably practicable contain the potential contravention, event or circumstances;
(b) evaluate any risks that, if the contravention, event or circumstances has occurred or arisen, may be related to or arise out of the contravention, event or circumstances;
(c) if there is a reasonable likelihood that the contravention, event or circumstance has occurred or arisen and the effects of the contravention, event or circumstances might be serious for at least one healthcare recipient:
(i) if the entity is not the System Operator—ask the System Operator to notify all healthcare recipients that would be affected; or
(ii) if the entity is the System Operator—notify all healthcare recipients that would be affected.
Note: A contravention of this subsection is not a civil penalty provision. However, contraventions of this Act may have other consequences (for example, cancellation of registration).
Steps to be taken if contravention or event has occurred or the circumstances have arisen
(6) The entity must, as soon as practicable after becoming aware that the contravention or event has occurred or the circumstances have arisen, do the following things:
(a) so far as is reasonably practicable, contain the contravention, event or circumstances and undertake a preliminary assessment of the causes;
(b) evaluate any risks that may be related to or arise out of the contravention, event or circumstances;
(c) if the entity is the System Operator:
(i) notify all affected healthcare recipients; and
(ii) if a significant number of healthcare recipients are affected, notify the general public;
(d) if the entity is not the System Operator—ask the System Operator:
(i) to notify all affected healthcare recipients; and
(ii) if a significant number of healthcare recipients are affected, to notify the general public;
(e) take steps to prevent or mitigate the effects of further contraventions, events or circumstances described in paragraph (1)(b).
Note: A contravention of this subsection is not a civil penalty provision. However, contraventions of this Act may have other consequences (for example, cancellation of registration).
(7) If an entity has given notice, or requested that the System Operator give notice, under paragraph (5)(c) then, despite paragraphs (6)(c) and (d), the entity need not give notice or request the System Operator to give notice under paragraphs (6)(c) and (d).
(8) The System Operator must comply with a request under paragraph (5)(c) or (6)(d).
76 Requirement to notify if cease to be eligible to be registered
A registered healthcare provider organisation, a registered repository operator, a registered portal operator or a registered contracted service provider must give written notice to the System Operator within 14 days of ceasing to be eligible to be so registered.
Civil penalty: 1,500 penalty units.
77 Requirement not to hold or take records outside Australia
(1) The System Operator, a registered repository operator, a registered portal operator or a registered contracted service provider that holds records for the purposes of the My Health Record system (whether or not the records are also held for other purposes) or has access to information relating to such records, must not:
(a) hold the records, or take the records, outside Australia; or
(b) process or handle the information relating to the records outside Australia; or
(c) cause or permit another person:
(i) to hold the records, or take the records, outside Australia; or
(ii) to process or handle the information relating to the records outside Australia.
(2) Despite subsection (1), the System Operator is authorised, for the purposes of the operation or administration of the My Health Record system:
(a) to hold and take such records outside Australia, provided that the records do not include:
(i) personal information in relation to a healthcare recipient or a participant in the My Health Record system; or
(ii) identifying information of an individual or entity; and
(b) to process and handle such information outside Australia, provided that the information is neither of the following:
(i) personal information in relation to a healthcare recipient or a participant in the My Health Record system;
(ii) identifying information of an individual or entity.
Fault‑based offence
(2A) A person commits an offence if the person contravenes subsection (1).
Penalty: Imprisonment for 5 years or 300 penalty units, or both.
Note: Where a fault element for a physical element of an offence is not stated, see section 5.6 of the Criminal Code for the appropriate fault element.
Civil penalty
(2B) A person is liable to a civil penalty if the person contravenes subsection (1).
Civil penalty: 1,500 penalty units.
(3) This section does not limit the operation of section 99.
77A Enforceable requirements in My Health Records Rules must not be contravened: offence
(1) An entity commits an offence if:
(a) the entity does an act or omits to do an act; and
(b) the result is that the entity contravenes a requirement imposed on the entity by My Health Records Rules made for the purposes of subsection 109(7A) and the entity is reckless as to that result; and
(c) the My Health Records Rules provide that the requirement is enforceable for the purposes of this paragraph; and
(d) the entity is not the System Operator, the Data Governance Board established by section 82 or the data custodian.
Penalty: 100 penalty units.
(2) Strict liability applies to paragraphs (1)(c) and (d).
Note: For strict liability, see section 6.1 of the Criminal Code.
78 My Health Records Rules must not be contravened: civil penalty
(1) A person that is, or has at any time been:
(a) a registered healthcare provider organisation; or
(b) a registered repository operator; or
(c) a registered portal operator; or
(d) a registered contracted service provider;
must not contravene a My Health Records Rule that applies to the person.
Civil penalty: 100 penalty units.
(2) An entity (other than the System Operator, the Data Governance Board established by section 82 or the data custodian) must not contravene a requirement imposed on the entity by My Health Records Rules made for the purposes of subsection 109(7A), if the My Health Records Rules provide that the requirement is enforceable for the purposes of this subsection.
Civil penalty: 100 penalty units.
Part 6—Enforcement
Division 1—Civil penalties
79 Civil penalty provisions
Enforceable civil penalty provisions
(1) Each civil penalty provision of this Act is enforceable under Part 4 of the Regulatory Powers Act.
Note: Part 4 of the Regulatory Powers Act allows a civil penalty provision to be enforced by obtaining an order for a person to pay a pecuniary penalty for the contravention of the provision.
Authorised applicant
(2) For the purposes of Part 4 of the Regulatory Powers Act, the Information Commissioner is an authorised applicant in relation to the civil penalty provisions of this Act.
Relevant court
(3) For the purposes of Part 4 of the Regulatory Powers Act, each of the following courts is a relevant court in relation to the civil penalty provisions of this Act:
(a) the Federal Court of Australia;
(b) the Federal Circuit and Family Court of Australia (Division 2);
(c) a court of a State or Territory that has jurisdiction in relation to the matter.
Extension to external Territories
(4) Part 4 of the Regulatory Powers Act, as that Part applies in relation to the civil penalty provisions of this Act, extends to every external Territory.
Liability of the Crown
(5) Part 4 of the Regulatory Powers Act, as that Part applies in relation the civil penalty provisions of this Act, does not make the Crown liable to a pecuniary penalty.
Division 2—Enforceable undertakings
80 Enforceable undertakings
Enforceable provisions
(1) This Act is enforceable under Part 6 of the Regulatory Powers Act.
Note: Part 6 of the Regulatory Powers Act creates a framework for accepting and enforcing undertakings relating to compliance with provisions.
Authorised person
(2) For the purposes of Part 6 of the Regulatory Powers Act, each of the following persons is an authorised person in relation to the provisions of this Act:
(a) the System Operator;
(b) the Information Commissioner.
Relevant court
(3) For the purposes of Part 6 of the Regulatory Powers Act, each of the following courts is a relevant court in relation to the provisions of this Act:
(a) the Federal Court of Australia;
(b) the Federal Circuit and Family Court of Australia (Division 2);
(c) a court of a State or Territory that has jurisdiction in relation to the matter.
Enforceable undertaking may be published on website
(4) An authorised person in relation to a provision of this Act may publish an undertaking given in relation to the provision on the authorised person’s website.
Extension to external Territories
(5) Part 6 of the Regulatory Powers Act, as that Part applies in relation to the provisions of this Act, extends to every external Territory.
Division 3—Injunctions
81 Injunctions
Enforceable provisions
(1) This Act is enforceable under Part 7 of the Regulatory Powers Act.
Note: Part 7 of the Regulatory Powers Act creates a framework for using injunctions to enforce provisions.
Authorised person
(2) For the purposes of Part 7 of the Regulatory Powers Act, each of the following persons is an authorised person in relation to the provisions of this Act:
(a) the System Operator;
(b) the Information Commissioner.
Relevant court
(3) For the purposes of Part 7 of the Regulatory Powers Act, each of the following courts is a relevant court in relation to the provisions of this Act:
(a) the Federal Court of Australia;
(b) the Federal Circuit and Family Court of Australia (Division 2);
(c) a court of a State or Territory that has jurisdiction in relation to the matter.
Extension to external Territories
(4) Part 7 of the Regulatory Powers Act, as that Part applies in relation to the provisions of this Act, extends to every external Territory.
Part 7—Data Governance Board
Division 1—Establishment and functions
82 Data Governance Board
The Data Governance Board is established by this section.
83 Functions of the Board
(1) The functions of the Data Governance Board are:
(a) to oversee the operation of the framework prescribed by My Health Records Rules made for the purposes of subsection 109(7A), including by:
(i) assessing applications for the collection, use or disclosure of de‑identified data and health information for research or public health purposes; and
(ii) guiding and directing the System Operator in the performance of its function under paragraph 15(ma) (preparing and providing de‑identified data and health information); and
(iii) taking steps to ensure the ongoing protection of de‑identified data and health information used by, or disclosed to, persons for research or public health purposes and that the data and information is being used and disclosed only for those purposes; and
(b) any other functions conferred on the Board by this Act or the My Health Records Rules.
(2) The Board does not have any functions, and must not perform any role, in relation to the day‑to‑day operation of the My Health Record system.
Division 2—Membership
84 Membership
The Data Governance Board consists of the following members:
(a) the Chair of the Data Governance Board;
(b) the Deputy Chair of the Data Governance Board;
(c) at least 7, and no more than 10, other members.
85 Appointment of members
(1) Members are to be appointed by the Minister by written instrument, on a part‑time basis.
(2) The Minister must appoint one member to be the Chair and another member to be the Deputy Chair.
86 Qualifications and experience
(1) The Minister must appoint the following as members:
(a) a person who represents the System Operator;
(b) a person who represents the data custodian;
(c) a person who is an Aboriginal person or a Torres Strait Islander.
(2) A person (including a person appointed in accordance with subsection (1)) is not eligible for appointment as a member of the Data Governance Board unless the person has skills or experience in, or knowledge of, one or more of the following fields:
(a) population health and epidemiology;
(b) medical or health research;
(c) health services delivery;
(d) technology;
(e) data science;
(f) data governance;
(g) privacy;
(h) consumer advocacy.
87 Acting appointments
(1) The Minister may, by written instrument, appoint a person to act as the Chair:
(a) during a vacancy in the office of Chair (whether or not an appointment has previously been made to the office); or
(b) during any period, or during all periods, when the Chair:
(i) is absent from duty or from Australia; or
(ii) is, for any reason, unable to perform the duties of the office.
Note: For rules that apply to acting appointments, see sections 33AB and 33A of the Acts Interpretation Act 1901.
(2) The Minister may, by written instrument, appoint a person to act as the Deputy Chair:
(a) during a vacancy in the office of Deputy Chair (whether or not an appointment has previously been made to the office); or
(b) during any period, or during all periods, when the Deputy Chair:
(i) is absent from duty or from Australia; or
(ii) is, for any reason, unable to perform the duties of the office.
Note: For rules that apply to acting appointments, see sections 33AB and 33A of the Acts Interpretation Act 1901.
88 Term of appointment and other terms and conditions
(1) A member of the Data Governance Board holds office for the period specified in the instrument of appointment. The period must not exceed 5 years.
(2) A member of the Data Governance Board holds office on the terms and conditions (if any) in relation to matters not covered by this Part that are determined by the Minister.
89 Remuneration
(1) A member of the Data Governance Board is to be paid the remuneration that is determined by the Remuneration Tribunal. If no determination of that remuneration by the Tribunal is in operation, the member is to be paid the remuneration that is prescribed by an instrument made under subsection (4).
(2) A member is to be paid the allowances that are prescribed by an instrument made under subsection (4).
(3) This section has effect subject to the Remuneration Tribunal Act 1973.
(4) The Minister may, by legislative instrument, prescribe:
(a) remuneration for the purposes of subsection (1); and
(b) allowances for the purposes of subsection (2).
90 Resignation
(1) A member of the Data Governance Board may resign the member’s appointment by giving the Minister a written resignation.
(2) The resignation takes effect on the day it is received by the Minister or, if a later day is specified in the resignation, on that later day.
91 Termination of appointment
(1) The Minister may terminate the appointment of a member of the Data Governance Board:
(a) for misbehaviour; or
(b) if the member is unable to perform the duties of the member’s office because of physical or mental incapacity.
(2) The Minister may terminate the appointment of a member of the Data Governance Board if:
(a) the member:
(i) becomes bankrupt; or
(ii) applies to take the benefit of any law for the relief of bankrupt or insolvent debtors; or
(iii) compounds with the member’s creditors; or
(iv) makes an assignment of the member’s remuneration for the benefit of the member’s creditors; or
(b) the member is absent, except on leave of absence, from 3 consecutive meetings of the Board; or
(c) the member engages in paid work (within the meaning of section 93) that, in the Minister’s opinion, conflicts or could conflict with the proper performance of the member’s duties (see section 93); or
(d) the member fails, without reasonable excuse, to comply with section 29 of the Public Governance, Performance and Accountability Act 2013 (which deals with the duty to disclose interests) or rules made for the purposes of that section.
92 Leave of absence
The Minister may grant leave of absence to any member of the Data Governance Board on the terms and conditions that the Minister determines.
93 Other paid work
(1) A member of the Data Governance Board must not engage in any paid work that, in the Minister’s opinion, conflicts or could conflict with the proper performance of the member’s duties.
(2) In subsection (1):
paid work means work for financial gain or reward (whether as an employee, a self‑employed person or otherwise).
Division 3—Meetings of the Data Governance Board
94 Convening meetings
(1) The Data Governance Board must hold such meetings as are necessary for the efficient performance of its functions.
(2) The Chair of the Data Governance Board:
(a) may convene a meeting at any time; and
(b) must convene a meeting within 30 days after receiving a written request to do so from another member of the Board.
95 Presiding at meetings
(1) The Chair of the Data Governance Board must preside at all meetings at which the Chair is present.
(2) If the Chair is not present at a meeting at which the Deputy Chair is present, the Deputy Chair must preside.
(3) If neither the Chair nor the Deputy Chair is present at a meeting, the other members present must appoint one of themselves to preside.
96 Quorum
(1) At a meeting of the Data Governance Board, a quorum is constituted by a majority of members of the Board.
(2) However, if:
(a) a member of the Board is required by rules made for the purposes of section 29 of the Public Governance, Performance and Accountability Act 2013 not to be present during the deliberations, or to take part in any decision, of the Board with respect to a particular matter; and
(b) when the member leaves the meeting concerned there is no longer a quorum present;
the remaining members at the meeting constitute a quorum for the purpose of any deliberation or decision at that meeting with respect to that matter.
96A Voting at meetings
(1) A question arising at a meeting of the Data Governance Board is to be determined by a majority of the votes of the members of the Board present and voting.
(2) The person presiding at a meeting of the Board has a deliberative vote and, if the votes are equal, a casting vote.
96B Conduct of meetings
The Data Governance Board may, subject to this Division, regulate proceedings at its meetings as it considers appropriate.
Note: Section 33B of the Acts Interpretation Act 1901 contains further information about the ways in which members of the Board may participate in meetings.
96C Minutes
The Data Governance Board must keep minutes of its meetings.
96D Decisions without meetings
(1) The Data Governance Board is taken to have made a decision at a meeting if:
(a) without meeting, a majority of the members of the Board entitled to vote on the proposed decision indicate agreement with the decision; and
(b) that agreement is indicated in accordance with the method determined by the Board under subsection (2); and
(c) all the members were informed of the proposed decision, or reasonable efforts were made to inform all the members of the proposed decision.
(2) Subsection (1) applies only if the Board:
(a) has determined that it may make decisions of that kind without meeting; and
(b) has determined the method by which members are to indicate agreement with proposed decisions.
(3) For the purposes of paragraph (1)(a), a member is not entitled to vote on a proposed decision if the member would not have been entitled to vote on that proposal if the matter had been considered at a meeting of the Board.
(4) The Board must keep a record of decisions made in accordance with this section.
Note: Section 33B of the Acts Interpretation Act 1901 contains further information about the ways in which members of the Board may participate in meetings.
Division 4—Other matters relating to the Data Governance Board
96E Relationship between System Operator and Data Governance Board in relation to data for research or public health purposes
(1) In performing the function mentioned in paragraph 15(ma), the System Operator must comply with a direction from, and follow the guidance of, the Data Governance Board.
(2) If rules made for the purposes of subsection 109(7A) require the Data Governance Board to take steps to ensure that de‑identified data and health information disclosed to persons for research or public health purposes is being used only for those purposes, the System Operator must not take any steps of its own to ensure that the data and information is being used only for those purposes.
(3) Subsection (2) does not imply that the System Operator has a duty to take steps in relation to use of data and information at a time when there are no rules of the kind mentioned in subsection (2).
96F Board committees
(1) The Data Governance Board may establish a committee or committees to assist in carrying out the functions of the Board.
(2) The Board may dissolve a committee at any time.
(3) The functions of a committee are as determined by the Board.
(4) In performing its functions, a committee must comply with any directions given to the committee by the Board.
(5) A question arising at a meeting of a committee is to be determined by a majority of the votes of committee members present.
(6) A committee must inform the other members of the Board of its decisions.
(7) A committee may regulate proceedings at its meetings as it considers appropriate.
(8) A committee must ensure that minutes of its meetings are kept.
96G Delegation of functions
(1) If the Secretary of the Department consents to the Data Governance Board delegating functions to APS employees in the Department, the Board may delegate any or all of its functions to such an APS employee.
Note: Sections 34AA to 34A of the Acts Interpretation Act 1901 contain provisions relating to delegations.
(2) If the chief executive officer (however described) of the data custodian consents to the Board delegating functions to members of the staff mentioned in subsection 19(1) of the Australian Institute of Health and Welfare Act 1987, the Board may delegate all or any of its functions to such a member of staff.
Note: Sections 34AA to 34A of the Acts Interpretation Act 1901 contain provisions relating to delegations.
(3) In performing a delegated function or exercising a delegated power, the delegate must comply with any written directions of the Board.
(4) The delegation continues in force despite a change in the membership of the Board.
(5) The delegation may be varied or revoked by the Board (whether or not there has been a change in the membership of the Board).
96H Annual report
(1) As soon as practicable after the end of each financial year, the Data Governance Board must prepare and give a report to the Minister, for presentation to the Parliament, on the Board’s activities during the financial year.
Note: See also section 34C of the Acts Interpretation Act 1901, which contains extra rules about annual reports.
(2) A report on the Department’s activities given under section 46 of the Public Governance, Performance and Accountability Act 2013 does not need to include a report on the activities of the Board.
96J Board is part of the Department
For the purposes of paragraph (a) of the definition of Department of State in section 8 of the Public Governance, Performance and Accountability Act 2013, the Data Governance Board is prescribed in relation to the Department.
Part 8—Other matters
Division 1—Review of decisions
97 Review of decisions
(1) This section applies to the following decisions of the System Operator:
(a) a decision under section 6 that a person is or is not the authorised representative of a healthcare recipient;
(b) a decision under section 41 to refuse to register a healthcare recipient;
(c) a decision under section 44 to refuse to register a health provider organisation or to impose a condition on such a registration;
(d) a decision under section 49 to refuse to register a person as:
(i) a repository operator; or
(ii) a portal operator; or
(iii) a contracted service provider;
or to impose a condition on such a registration;
(e) a decision under section 49 to refuse to specify a repository as a repository to which the registration of a repository operator relates;
(f) a decision under section 51 to cancel or suspend the registration of a healthcare recipient or other entity;
(g) a decision under section 51 to refuse to cancel or suspend the registration of a healthcare recipient or other entity on request;
(h) a decision under section 52 to vary the registration of a healthcare recipient or other entity on request;
(i) a decision under section 52 to refuse to vary the registration of a healthcare recipient or other entity.
(2) The System Operator must take such steps as are reasonably necessary in the circumstances to give written notice of the decision to each person affected by the decision, including a statement:
(a) that the person may apply to the System Operator to reconsider the decision; and
(b) of the person’s rights to seek review under subsection (8) of a reconsidered decision.
(2A) However, the System Operator is not required to give notice of the decision to a person if the System Operator is satisfied that doing so would put at risk the life, health or safety of a person.
(3) A failure of the System Operator to comply with subsection (2) does not affect the validity of the decision.
(4) A person who is given a written notice under subsection (2) may, by written notice given to the System Operator within 28 days after receiving the notice, ask the System Operator to reconsider the decision.
(5) A request under subsection (4) must mention the reasons for making the request.
(6) The System Operator must:
(a) reconsider the decision within 28 days after receiving the request; and
(b) give to the person who requested the reconsideration written notice of the result of the reconsideration and of the grounds for the result.
(7) The notice must include a statement that the person may apply to the Administrative Appeals Tribunal for review of the reconsideration.
(8) A person may apply to the Administrative Appeals Tribunal for review of a decision of the System Operator made under subsection (6).
Division 2—Delegations
98 Delegations by the System Operator
(1) The System Operator may, by writing, delegate one or more of his or her functions and powers to any of the following:
(a) an APS employee in the Department;
(b) the Chief Executive Medicare.
(2) Despite subsection (1), the System Operator must not delegate the function referred to in paragraph 15(l) (advising the Minister).
(3) If the System Operator is not the Secretary, the System Operator may only delegate a function or power of the System Operator:
(a) to an APS employee in the Department—with the agreement of the Secretary; and
(b) to the Chief Executive Medicare—with the agreement of the Chief Executive Medicare.
(4) Each of the following must comply with any written directions of the System Operator:
(a) a delegate;
(b) if the Chief Executive Medicare delegates under subsection 8AC(3) of the Human Services (Medicare) Act 1973 a function delegated to him or her under this section—a subdelegate.
Division 3—Authorisations of entities also cover employees
99 Authorisations extend to employees etc.
An authorisation under this Act to an entity (the first entity) is also an authorisation of:
(a) an individual:
(i) who is an employee of the first entity; and
(ii) whose duties involve doing an act that is authorised in relation to the first entity; or
(b) a contracted service provider of a healthcare provider whose duties under a contract with a healthcare provider involve providing information technology services relating to the communication of health information, or health information management services, to the healthcare provider; or
(c) a person (the contractor) performing services under a contract between the contractor and the first entity, if:
(i) the first entity is a participant in the My Health Record system, other than a registered healthcare provider organisation or a registered contracted service provider; and
(ii) the contract relates to the My Health Record system; or
(d) an individual:
(i) who is an employee of a contracted service provider to which paragraph (b) applies or a contractor to which paragraph (c) applies; and
(ii) whose duties relate to the contract mentioned in whichever of those paragraphs applies.
Division 4—Treatment of certain entities
100 Treatment of partnerships
(1) This Act applies to a partnership as if it were a person, but with the changes set out in this section.
(2) An obligation that would otherwise be imposed on the partnership by this Act is imposed on each partner instead, but may be discharged by any of the partners.
(3) An offence against this Act that would otherwise have been committed by the partnership is taken to have been committed by each partner in the partnership, at the time the offence was committed, who:
(a) did the relevant act or made the relevant omission; or
(b) aided, abetted, counselled or procured the relevant act or omission; or
(c) was in any way knowingly concerned in, or party to, the relevant act or omission (whether directly or indirectly and whether by any act or omission of the partner).
(4) This section applies to a contravention of a civil penalty provision in a corresponding way to the way in which it applies to an offence.
101 Treatment of unincorporated associations
(1) This Act applies to an unincorporated association as if it were a person, but with the changes set out in this section.
(2) An obligation that would otherwise be imposed on the unincorporated association by this Act is imposed on each member of the association’s committee of management instead, but may be discharged by any of the members.
(3) An offence against this Act that would otherwise have been committed by the unincorporated association is taken to have been committed by each member of the association’s committee of management, at the time the offence was committed, who:
(a) did the relevant act or made the relevant omission; or
(b) aided, abetted, counselled or procured the relevant act or omission; or
(c) was in any way knowingly concerned in, or party to, the relevant act or omission (whether directly or indirectly and whether by any act or omission of the member).
(4) This section applies to a contravention of a civil penalty provision in a corresponding way to the way in which it applies to an offence.
102 Treatment of trusts with multiple trustees
(1) If a trust has 2 or more trustees, this Act applies to the trust as if it were a person, but with the changes set out in this section.
(2) An obligation that would otherwise be imposed on the trust by this Act is imposed on each trustee instead, but may be discharged by any of the trustees.
(3) An offence against this Act that would otherwise have been committed by the trust is taken to have been committed by each trustee of the trust, at the time the offence was committed, who:
(a) did the relevant act or made the relevant omission; or
(b) aided, abetted, counselled or procured the relevant act or omission; or
(c) was in any way knowingly concerned in, or party to, the relevant act or omission (whether directly or indirectly and whether by any act or omission of the trustee).
(4) This section applies to a contravention of a civil penalty provision in a corresponding way to the way in which it applies to an offence.
104 Division does not apply to Division 3 of Part 3
This Division does not have effect for the purposes of Division 3 of Part 3.
Note: An applicant for registration under that Division must be a legal person.
Division 5—Alternative constitutional bases
105 Alternative constitutional bases
(1) Without limiting its effect apart from each of the following subsections of this section, this Act also has effect as provided by that subsection.
(2) This Act also has the effect it would have if the System Operator, Data Governance Board and data custodian were expressly permitted to perform functions and duties, and exercise powers, under this Act only:
(a) in connection with:
(i) the provision of pharmaceutical, sickness or hospital benefits; or
(ii) the provision of medical services or dental services (without any form of civil conscription); or
(b) for purposes relating to census or statistics; or
(c) in relation to a Territory or a place acquired by the Commonwealth for a public purpose.
(3) This Act also has the effect it would have if each reference to collection, use or disclosure of de‑identified data or health information were expressly confined to collection, use or disclosure of de‑identified data or health information:
(a) in connection with trade or commerce:
(i) between Australia and other countries; or
(ii) among the States; or
(iii) between a Territory and a State or another Territory; or
(b) by means of a postal, telegraphic, telephonic or other like service; or
(ba) in connection with insurance, other than State insurance that does not extend beyond the limits of the State concerned; or
(c) in connection with:
(i) the provision of pharmaceutical, sickness or hospital benefits; or
(ii) the provision of medical services or dental services (without any form of civil conscription); or
(d) for purposes relating to census or statistics; or
(e) in a Territory or a place acquired by the Commonwealth for a public purpose; or
(f) in relation to a matter that is of international concern.
(4) This Act also has the effect it would have if each reference to collection, use or disclosure of de‑identified data or health information were expressly confined to collection from or by, use by or disclosure by or to:
(a) a corporation to which paragraph 51(xx) of the Constitution applies; or
(b) the Commonwealth; or
(c) an authority of the Commonwealth.
(5) This Act also has the effect it would have if each reference to a registered healthcare provider organisation, registered repository operator, registered portal provider or contracted service provider were expressly confined to a reference to a registered healthcare provider organisation, registered repository operator, registered portal provider or contracted service provider that:
(a) is a corporation to which paragraph 51(xx) of the Constitution applies; or
(b) is the Commonwealth; or
(c) is an authority of the Commonwealth; or
(d) is operating in a Territory or a place acquired by the Commonwealth for a public purpose.
(6) This Act also has the effect it would have if its operation in relation to each of the following were expressly confined to an operation for the purposes of giving effect to Australia’s obligations under an agreement between 2 or more countries:
(a) the System Operator;
(aa) the Data Governance Board;
(ab) the data custodian;
(b) the Chief Executive Medicare;
(ba) the Chief Executive Officer of Services Australia;
(c) the Secretary of the Veterans’ Affairs Department or the Defence Department;
(d) a registered healthcare provider organisation;
(e) a registered repository operator;
(f) a registered portal provider;
(g) a contracted service provider;
(h) a healthcare recipient.
(7) This Act also has the effect it would have if each reference to a healthcare recipient were expressly confined to a reference to a healthcare recipient who is:
(a) an alien; or
(b) a resident of a Territory.
Definitions
(8) A term used in this section and the Constitution has the same meaning in this section as it has in the Constitution.
Division 6—Annual reports and review of Act
106 Annual reports by Information Commissioner
(1) The Information Commissioner must, as soon as practicable after the end of each financial year, prepare a report on the Commissioner’s activities during the financial year relating to the My Health Record system.
(2) The report must include:
(a) statistics of the following:
(i) complaints received by the Commissioner in relation to the My Health Record system;
(ii) investigations made by the Commissioner in relation to My Health Records or the My Health Record system;
(iii) enforceable undertakings accepted by the Commissioner under this Act;
(iv) proceedings taken by the Commissioner in relation to civil penalty provisions, enforceable undertakings or injunctions; and
(b) any other matter prescribed by the regulations.
(3) The Information Commissioner must give a copy of the report to the Minister, and to the Ministerial Council, no later than 30 September after the end of the financial year to which the report relates.
(4) The Minister must table a copy of the report in each House of the Parliament within 15 sitting days after the Information Commissioner gives a copy of the report to the Minister.
107 Annual reports by the System Operator
The System Operator must include in any annual report prepared by the System Operator and given to the Minister under section 46 of the Public Governance, Performance and Accountability Act 2013:
(a) statistics of the following:
(i) registrations, and cancellations and suspensions of registrations, under this Act;
(ii) use of the My Health Record system by healthcare providers and healthcare recipients;
(iii) complaints received, and investigations undertaken, in relation to the My Health Record system;
(iv) occurrences compromising the integrity or security of the My Health Record system;
(v) enforceable undertakings accepted by the System Operator under this Act;
(vi) proceedings taken by the System Operator in relation to enforceable undertakings or injunctions; and
(b) any other matter prescribed by the regulations.
108 Review of the operation of the Act
(1) The Minister must, after consulting the Ministerial Council, appoint an individual to review the operation of this Act.
(2) The individual appointed must give a report to the Minister within the later of:
(a) 3 years after the commencement of Schedule 1 to the Health Legislation Amendment (eHealth) Act 2015; or
(b) if the Minister makes My Health Records Rules under clause 2 of Schedule 1 to this Act within 3 years after the commencement of Schedule 1 to the Health Legislation Amendment (eHealth) Act 2015—3 years after the day on which the Rules are made.
(3) The Minister must:
(a) provide a copy of the report to the Ministerial Council; and
(b) table a copy of the report in each House of Parliament within 15 sitting days after the report is given to the Minister.
Division 7—My Health Records Rules, regulations and other instruments
109 Minister may make My Health Records Rules
(1) The Minister may, by legislative instrument, make rules called the My Health Records Rules about matters required or permitted by this Act to be dealt with in the My Health Records Rules.
Consultation
(2) Before the Minister makes My Health Records Rules, the Minister must consult:
(a) the System Operator; and
(b) a subcommittee of the Ministerial Council, prescribed by the regulations for the purposes of this paragraph.
A failure to consult does not affect the validity of the Rules.
My Health Records Rules may relate to registration etc.
(3) The My Health Records Rules may specify the following:
(a) requirements that a healthcare provider organisation must meet in order to be registered;
(b) requirements that a person, or a repository or other facility (however described) owned or operated by the person, must meet for the person to be registered as a repository operator, a portal operator or a contracted service provider;
(c) conditions on the registration of participants in the My Health Record system;
(d) other requirements relating to the My Health Record system that apply to healthcare recipients or participants in the My Health Record system;
(e) requirements relating to the establishment and the operation of a test environment for the My Health Record system, or another electronic system that interacts directly with the My Health Record system.
(4) Requirements referred to in subsection (3) include technical specifications and other requirements in relation to the following:
(a) storage of data and records;
(b) records management;
(c) administration and day‑to‑day operations;
(d) physical and information security;
(e) uploading specified kinds of records.
My Health Records Rules may relate to agreements
(4A) The My Health Records Rules may specify that a person must enter into a specified kind of agreement in order to be, and remain, a registered healthcare provider organisation, registered repository operator, registered portal operator or registered contracted service provider.
(5) The My Health Records Rules may specify requirements relating to registration of healthcare recipients, including requirements relating to registering a healthcare recipient who has been issued with a healthcare identifier under a pseudonym, and for that purpose may specify such modifications of this Act as are necessary to facilitate such registration.
My Health Records Rules may relate to access control mechanisms
(6) The My Health Records Rules may specify matters relating to access control mechanisms, including the following:
(a) the circumstances in which a nominated representative may set access controls;
(b) the circumstances in which access to a healthcare recipient’s My Health Record is to be automatically suspended or cancelled;
(c) default access controls.
My Health Records Rules may relate to authorised representatives and nominated representatives
(7) The My Health Records Rules may specify matters relating to authorised representatives and nominated representatives, including the following:
(a) methods of establishing that an individual is an authorised representative or a nominated representative of a healthcare recipient;
(b) requiring a healthcare recipient to verify his or her identity when the healthcare recipient ceases to have an authorised representative;
(c) specifying circumstances in which an authorised representative or a nominated representative is not required to have been assigned a healthcare identifier under paragraph 9(1)(b) of the Healthcare Identifiers Act 2010.
My Health Records Rules may relate to research or public health purposes
(7A) The My Health Records Rules may, in accordance with section 109A, prescribe a framework to guide the collection, use and disclosure of de‑identified data and, with the consent of healthcare recipients, health information, for research or public health purposes.
My Health Records Rules may apply to specified classes of participants
(8) The My Health Records Rules may specify the classes of participants in the My Health Record system to whom, or to which, a particular My Health Records Rule applies.
Incorporation of other instruments
(9) Despite subsection 14(2) of the Legislation Act 2003, My Health Records Rules made for purposes other than subsection (7A) may make provision in relation to a matter by applying, adopting or incorporating any matter contained in an instrument or other writing as in force or existing from time to time.
Scope of the My Health Records Rules rule‑making power
(10) To avoid doubt, the My Health Records Rules may not do the following:
(a) create an offence or civil penalty;
(b) provide powers of:
(i) arrest or detention; or
(ii) entry, search or seizure;
(c) impose a tax;
(d) set an amount to be appropriated from the Consolidated Revenue Fund under an appropriation in this Act;
(e) directly amend the text of this Act.
(11) My Health Records Rules that are inconsistent with the regulations have no effect to the extent of the inconsistency, but My Health Records Rules are taken to be consistent with the regulations to the extent that the Rules are capable of operating concurrently with the regulations.
109A My Health Records Rules relating to data for research or public health purposes
Examples of what the rules may do
(1) Without limiting subsection 109(7A), My Health Records Rules made for the purposes of that subsection (the rules) may do any or all of the following:
(a) impose requirements on the System Operator, the Data Governance Board established by section 82, the data custodian and other entities, including procedures that must be followed, in relation to preparing, providing, collecting, accessing, using and disclosing health information and de‑identified data;
(b) provide that any or all such requirements are enforceable for the purposes of paragraph 77A(1)(c) or subsection 78(2);
(c) make provision in relation to the performance of the Board’s functions set out in paragraph 83(1)(a);
(d) authorise the Board to make written policies and guidelines to be followed by other entities for the purposes of giving effect to the prescribed framework.
Functions of data custodian
(2) The data custodian has the following functions, and the rules may make provision in relation to the performance of those functions:
(a) under the direction of the Data Governance Board and in accordance with this Act—helping to implement the prescribed framework by:
(i) receiving de‑identified data and health information from the My Health Record system; and
(ii) as necessary—de‑identifying health information; and
(iii) as necessary—providing data linkage services (within the meaning of the rules); and
(iv) preparing and providing de‑identified data and health information to users of data and information whose use has been approved by the Data Governance Board; and
(v) ensuring that users of de‑identified data and health information are subject to conditions of use;
(b) any other functions conferred on the data custodian by this Act or the rules.
Limits on rules
(3) The rules:
(a) must not allow the health information of a healthcare recipient to be collected, used or disclosed otherwise than with the consent of the healthcare recipient; and
(b) must not allow de‑identified data or health information to be provided to a private health insurer (within the meaning of the Private Health Insurance Act 2007) or any other insurer (with or without the consent of the healthcare recipient); and
(c) must not provide that any of the following is enforceable for the purposes of paragraph 77A(1)(c) or subsection 78(2):
(i) a provision of a policy, guideline or other instrument made under the rules;
(ii) a provision of the rules that requires an entity to comply with such a policy, guideline or instrument.
Constitutional limits on rules
(4) If the rules make provision for the disclosure of de‑identified data or health information obtained by using or gaining access to the My Health Record system, the rules must have the effect that the data or information is to be disclosed only:
(a) by means of a postal, telegraphic, telephonic or other like service; or
(b) by or to a corporation to which paragraph 51(xx) of the Constitution applies; or
(c) by or to a person within a Territory or a place acquired by the Commonwealth for a public purpose; or
(d) by or to the Commonwealth or an authority of the Commonwealth.
(5) The rules may make other provision in relation to de‑identified data or health information only:
(a) to ensure that collection, use and disclosure of data or information does not result in an interference with privacy of the kind the Commonwealth has international obligations to protect against, including under the International Covenant on Civil and Political Rights (in particular Article 17 of the Covenant); or
Note: The text of the Covenant is set out in Australian Treaty Series 1980 No. 23 ([1980] ATS 23). In 2018, a text of a Covenant in the Australian Treaties Series was accessible through the Australian Treaties Library on the AustLII website (http://www.austlii.edu.au).
(b) for purposes related to collecting, preparing, analysing or publishing statistics; or
(c) by providing for data or information to be collected from or by, used by or disclosed by or to, any of the following:
(i) a corporation to which paragraph 51(xx) of the Constitution applies;
(ii) a person within a Territory or a place acquired by the Commonwealth for a public purpose;
(iii) the Commonwealth or an authority of the Commonwealth.
110 Minister may determine a law of a State or Territory to be a designated privacy law
(1) The Minister may, by legislative instrument, determine that a law of a State or Territory is a designated privacy law for the purposes of this Act.
(2) A determination made under subsection (1) is a legislative instrument.
111 Guidelines relating to the Information Commissioner’s enforcement powers etc.
(1) In exercising a power conferred on the Information Commissioner by this Act, or a power under another Act that is related to such a power, the Information Commissioner must have regard to any relevant guidelines in force under subsection (2).
(2) The Information Commissioner must, by legislative instrument, formulate guidelines for the purposes of subsection (1).
Note: For consultation requirements, see section 17 of the Legislation Act 2003.
112 Regulations
(1) The Governor‑General may make regulations prescribing matters:
(a) required or permitted by this Act to be prescribed; or
(b) necessary or convenient to be prescribed for carrying out or giving effect to this Act.
(2) Without limiting subsection (1), the Governor‑General may make regulations on any matter about which the Minister may make My Health Records Rules.
(3) Before the Governor‑General makes regulations, the Minister must consult the Ministerial Council.
(4) The regulations may prescribe penalties of not more than 50 penalty units for offences against the regulations.
(5) The regulations may provide for civil penalties for contraventions of the regulations, which must not be more than:
(a) 50 penalty units for an individual; or
(b) 250 penalty units for a body corporate.