
My Health Records Rules 2026

I, Mark Butler, Minister for Health and Ageing, make the following rules.

Dated 27 March 2026

Mark Butler

Minister for Health and Ageing


Part 1—Preliminary

1 Name

2 Commencement

3 Authority

4 Schedules

5 Definitions

6 Definition of authorised representative of a healthcare recipient—persons to which healthcare identifier not required to have been assigned

7 Definition of nominated representative of a healthcare recipient—persons to which healthcare identifier not required to have been assigned

Part 2—The System Operator and the functions of the Chief Executive Medicare

Division 1—Functions of the System Operator—requirements for access control mechanisms

8 Access controls set by registered healthcare recipients for access by healthcare provider organisations and nominated representatives

9 Default access controls

10 Circumstances for automatic suspension of access to a healthcare recipient’s My Health Record

11 Circumstances for automatic cancellation of access to a healthcare recipient’s My Health Record

Division 2—Functions of the System Operator—other functions conferred by this instrument

12 Purpose of this Division

13 Deleting information or a record in the My Health Record system in certain circumstances

14 Suspending access to the My Health Record system if security, integrity or operations are or may be compromised

15 Providing a mechanism to access My Health Record system

Part 3—Registration

Division 1—Registering healthcare recipients

16 Matters System Operator to have regard to

Division 2—Registering healthcare provider organisations

Subdivision A—When organisations are eligible for registration—requirements organisations must comply with

17 Purpose of this Subdivision

18 Organisation officers must have authority to act on behalf of organisation

19 Organisation must give System Operator and service operator certain information

20 Organisations that are network organisations—seed organisation for network must be a registered healthcare provider organisation

21 Organisation must have security and access policy

22 Organisation must give System Operator security and access policy on request

Subdivision B—Condition of registration—uploading of records, etc

23 Kinds of records

24 Prescribed circumstances

Division 3—Registering repository operators and portal operators

25 Purpose of this Division

26 Person must have an operator officer

27 Person must have security and access policy

28 Person must give security and access policy to System Operator with application for registration

29 Person must have technical and after-hours contacts

Division 4—Registering contracted service providers

30 Purpose of this Division

31 Person must have a contracted service provider officer

32 Person must have security and access policy

33 Person must give security and access policy to System Operator with application for registration

Division 5—Cancellation, suspension and variation of registration

34 Requirements after registration is cancelled or suspended—retention, transfer or disposal of records

Part 4—Other matters—conditions on the registration of participants in the My Health Record system

Division 1—Preliminary

35 Purpose of this Part

Division 2—Registered healthcare provider organisations

36 Complying with directions to delete information or a record

37 Uploading records

38 Notifying System Operator of certain matters

39 Compliance with interoperability requirements

40 Providing assistance to the System Operator on request

41 Uploading advance care planning information

42 Organisations that are network organisations—seed organisation for network must be a registered healthcare provider organisation

43 Security and access policy—general

44 Security and access policy—giving to System Operator on request

45 Security and access policy—application recordkeeping

46 Security and access policy—giving application records to System Operator on request

Division 3—Registered repository operators and portal operators

47 Application

48 Complying with directions to delete information or a record

49 Ensuring operator officer carries out duties

50 Notifying System Operator of certain matters

51 Compliance with interoperability requirements

52 Providing assistance to the System Operator on request

53 Security and access policy—general

54 Security and access policy—giving to System Operator on request

55 Security and access policy—application recordkeeping

56 Security and access policy—giving application records to System Operator on request

Division 4—Registered contracted service providers

57 Application

58 Complying with directions to delete information or a record

59 Ensuring contracted service provider officer carries out duties

60 Notifying System Operator of certain matters

61 Compliance with interoperability requirements

62 Providing assistance to the System Operator on request

63 Security and access policy—general

64 Security and access policy—giving to System Operator on request

65 Security and access policy—application recordkeeping

66 Security and access policy—giving application records to System Operator on request

67 Accessing the My Health Record system or using health information included in a healthcare recipient’s My Health Record

Part 5—Other requirements relating to the My Health Record system

68 Purpose of this Part

69 Requirements for System Operator—system availability

Part 6—Other matters—authorised representatives and nominated representatives

70 Requirement for System Operator—identity verification for healthcare recipients on ceasing to have an authorised representative

Part 7—Opt-out model for the participation of healthcare recipients in the My Health Record system

71 Opt-out model applies to all healthcare recipients in Australia

Part 8—Application, transitional and saving provisions

Division 1—Provisions for this instrument as originally made

72 Security and access policy requirements for certain registered entities existing immediately before 1 April 2026

Schedule 1—Repeals of instruments

My Health Records (Assisted Registration) Rule 2015

My Health Records (National Application) Rules 2017

My Health Records (Opt-out Trials) Rule 2016

My Health Records Rule 2016

 

 

1 Name

  This instrument is the My Health Records Rules 2026.

2 Commencement

 (1) Each provision of this instrument specified in column 1 of the table commences, or is taken to have commenced, in accordance with column 2 of the table. Any other statement in column 2 has effect according to its terms.

Commencement information

Item 1
Column 1 (Provisions): The whole of this instrument
Column 2 (Commencement): 1 April 2026.
Column 3 (Date/Details): 1 April 2026

Note: This table relates only to the provisions of this instrument as originally made. It will not be amended to deal with any later amendments of this instrument.

 (2) Any information in column 3 of the table is not part of this instrument. Information may be inserted in this column, or information in it may be edited, in any published version of this instrument.

3 Authority

  This instrument is made under the My Health Records Act 2012.

4 Schedules

  Each instrument that is specified in a Schedule to this instrument is amended or repealed as set out in the applicable items in the Schedule concerned, and any other item in a Schedule to this instrument has effect according to its terms.

5 Definitions

Note: A number of expressions used in this instrument are defined in the Act, including the following:

(a) access control mechanisms (see paragraph 15(b) of the Act);

(b) My Health Record;

(c) My Health Record system;

(d) participant in the My Health Record system;

(e) record.

In this instrument:

access list, for a healthcare recipient’s My Health Record: see paragraph 9(2)(b).

Act means the My Health Records Act 2012.

advance care planning information, for a healthcare recipient, means a document prepared by, or on behalf of, the recipient that states the recipient’s expressed wishes about the future provision of healthcare to the recipient.

contracted service provider officer: see subsection 31(2).

healthcare identifier has the same meaning as in the Healthcare Identifiers Act 2010.

healthcare recipient-entered personal health summary means the summary of information, including medications and allergies, entered into a healthcare recipient’s My Health Record by the healthcare recipient.

interoperability requirements, for the My Health Record system, means the conformance requirements and standards applicable to that system, published by the Australian Digital Health Agency, as existing from time to time.

Note: The interoperability requirements could in 2026 be viewed on the Australian Digital Health Agency’s website (https://www.digitalhealth.gov.au).

linked has the same meaning as in the Healthcare Identifiers Act 2010.

material change, in relation to a participant in the My Health Record system, includes the following:

 (a) the participant enters into administration or becomes insolvent;

 (b) a change in the participant’s legal name;

 (c) a change in the participant’s legal structure;

 (d) the participant being involved in a merger or acquisition.

network of healthcare provider organisations has the same meaning as in the Healthcare Identifiers Act 2010.

network organisation within a network has the same meaning as in the Healthcare Identifiers Act 2010.

operator officer: see subsection 26(2).

opt-out model: see section 71.

organisation maintenance officer for a healthcare provider organisation has the same meaning as in the Healthcare Identifiers Act 2010.

professional representative of a healthcare recipient means:

 (a) an individual who is an authorised representative of the healthcare recipient only as a result of the individual’s employment; or

 (b) an individual who is a nominated representative of the healthcare recipient if the agreement referred to in paragraph 7(1)(a) of the Act would not have been entered into but for the individual’s employment.

responsible officer for a healthcare provider organisation has the same meaning as in the Healthcare Identifiers Act 2010.

seed organisation for a network has the same meaning as in the Healthcare Identifiers Act 2010.

service operator has the same meaning as in the Healthcare Identifiers Act 2010.

support service has the same meaning as in the Healthcare Identifiers Act 2010.

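6 Definition of authorised representative of a healthcare recipient—persons to which healthcare identifier not required to have been assigned

  For the purposes of paragraph 6(6)(b) of the Act, a healthcare identifier is not required to have been assigned to a person if the person is a professional representative of a healthcare recipient.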

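7 Definition of nominated representative of a healthcare recipient—persons to which healthcare identifier not required to have been assigned

  For the purposes of paragraph 7(3)(b) of the Act, a healthcare identifier is not required to have been assigned to a person if the person is a professional representative of a healthcare recipient.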

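8 Access controls set by registered healthcare recipients for access by healthcare provider organisations and nominated representatives

Purpose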

 (1) For the purposes of paragraph 15(b) of the Act, this section specifies requirements to which access control mechanisms referred to in subparagraph 15(b)(i) of the Act are subject.

Application of default access controls

 (2) The access control mechanisms must apply the default access controls specified in section 9 to a registered healthcare recipient’s My Health Record to the extent that the recipient has not set controls as described in this section.

Controls for access to a recipient’s My Health Record

 (3) The access control mechanisms must enable a registered healthcare recipient to do the following:

 (a) restrict access to the recipient’s My Health Record;

 (b) lift the restriction on a particular occasion.

Controls for access to certain information or records in a recipient’s My Health Record

 (4) The access control mechanisms must enable a registered healthcare recipient to do the following in relation to health information, information about support services provided, or to be provided, to a recipient, or a record, in the recipient’s My Health Record (other than a shared health summary, a healthcare recipient-entered personal health summary and advance care planning information):

 (a) restrict access to information or a record;

 (b) lift the restriction on a particular occasion.

 (5) The access control mechanisms must ensure that if the recipient has restricted access to information or a record, a healthcare provider organisation providing healthcare to the recipient is not able to determine that the information or record exists solely by viewing the recipient’s My Health Record unless:

 (a) both:

 (i) the organisation is on the access list for the recipient’s My Health Record; and

 (ii) the recipient has specified that the organisation may access the information or record; or

 (b) the recipient lifts the restriction on a particular occasion for the organisation; or

 (c) the organisation uploaded the information or record to the My Health Record system.

 (6) If the recipient has restricted access to information or a record, the access control mechanisms must ensure that the healthcare provider organisation that uploaded the information or record to the My Health Record system will still be able to access the information or record without the need for the recipient to lift the restriction.

Electronic notification of accessing or viewing of information

 (7) The access control mechanisms must permit a registered healthcare recipient to be notified by means of an electronic communication when:

 (a) a healthcare provider organisation does any of the following:

 (i) if the organisation is not on the access list for the recipient’s My Health Record—first accesses the recipient’s My Health Record;

 (ii) accesses the recipient’s My Health Record for the purposes of section 64 of the Act; or

 (b) a nominated representative of the recipient views health information included in the recipient’s My Health Record.

9 Default access controls

Purpose

 (1) For the purposes of paragraph 15(b) of the Act, this section specifies requirements to which access control mechanisms referred to in subparagraph 15(b)(ii) of the Act are subject.

Default access controls for access by healthcare provider organisations, authorised representatives and nominated representatives

 (2) The access control mechanisms must specify default access controls that:

 (a) permit a healthcare provider organisation providing healthcare to a registered healthcare recipient to access the recipient’s My Health Record; and

 (b) include a list (an access list) of the healthcare provider organisations that are permitted to access the recipient’s My Health Record because the organisations are providing healthcare to the recipient; and

 (c) permit the recipient to view the access list for the recipient’s My Health Record; and

 (d) remove a healthcare provider organisation from the access list for the recipient’s My Health Record if the organisation has not accessed the recipient’s My Health Record for a period of 3 years; and

 (e) permit a healthcare provider organisation that is no longer on the access list for the healthcare recipient’s My Health Record to access records in the recipient’s My Health Record on request made to the System Operator if the organisation uploaded the records to the recipient’s My Health Record.

Default access controls permitting healthcare recipients to delete health information

 (3) The access control mechanisms must specify default access controls that permit a registered healthcare recipient to delete health information or a record included in the recipient’s My Health Record.

10 Circumstances for automatic suspension of access to a healthcare recipient’s My Health Record

Purpose

 (1) For the purposes of paragraph 15(b) of the Act, this section specifies requirements to which access control mechanisms referred to in subparagraph 15(b)(iii) of the Act are subject.

Circumstances

 (2) The access control mechanisms must specify the circumstances mentioned in column 1 of an item of the following table as circumstances in which access to a healthcare recipient’s My Health Record is to be automatically suspended for an entity mentioned in column 2 of the item.

Circumstances for automatic suspension of access for specified entities

Item 1
Column 1 (Circumstances): The System Operator is notified by the service operator that the status of the healthcare identifier for an authorised representative of the recipient has been changed to deceased
Column 2 (Entities): The following:
(a) the authorised representative;
(b) if the authorised representative was not a professional representative of the recipient—each nominated representative of the recipient nominated by the authorised representative;
(c) if the authorised representative was a professional representative of the recipient—each nominated representative of the recipient nominated by the authorised representative, unless there is another professional representative of the recipient who is employed by the same employer as the authorised representative

Item 2
Column 1 (Circumstances): The System Operator is notified by the service operator that the status of the healthcare identifier for a nominated representative of the recipient has been changed to deceased
Column 2 (Entities): The nominated representative

Item 3
Column 1 (Circumstances): The System Operator is investigating whether a person remains a nominated representative of the recipient
Column 2 (Entities): The person

Item 4
Column 1 (Circumstances): The System Operator is investigating whether to cancel access to the recipient’s My Health Record by an authorised representative of the recipient
Column 2 (Entities): The authorised representative and each nominated representative of the recipient nominated by the authorised representative

Item 5
Column 1 (Circumstances): The System Operator is investigating whether to cancel access to the recipient’s My Health Record by a nominated representative of the recipient
Column 2 (Entities): The nominated representative

Item 6
Column 1 (Circumstances): The System Operator receives information that questions the basis on which the System Operator was satisfied of a matter under section 6 of the Act relating to whether a person is an authorised representative of the recipient
Column 2 (Entities): The person and each nominated representative of the recipient nominated by the person

Item 7
Column 1 (Circumstances): The System Operator is notified by an entity that continuing access to the recipient’s My Health Record by an authorised representative poses, or is likely to pose, a serious risk to an individual’s life, health or safety
Column 2 (Entities): The authorised representative and each nominated representative of the recipient nominated by the authorised representative

Item 8
Column 1 (Circumstances): The System Operator is notified by an entity that continuing access to the recipient’s My Health Record by a nominated representative poses, or is likely to pose, a serious risk to an individual’s life, health or safety
Column 2 (Entities): The nominated representative

11 Circumstances for automatic cancellation of access to a healthcare recipient’s My Health Record

Purpose

 (1) For the purposes of paragraph 15(b) of the Act, this section specifies requirements to which access control mechanisms referred to in subparagraph 15(b)(iii) of the Act are subject.

Circumstances

 (2) The access control mechanisms must specify the circumstances mentioned in column 1 of an item of the following table as circumstances in which access to a healthcare recipient’s My Health Record is to be automatically cancelled for an entity mentioned in column 2 of the item.

Circumstances for automatic cancellation of access for specified entities

Item 1
Column 1 (Circumstances): The System Operator is notified by the service operator that the status of the healthcare identifier for an authorised representative of the recipient has been changed to retired
Column 2 (Entities): The following:
(a) the authorised representative;
(b) if the authorised representative was not a professional representative of the recipient—each nominated representative of the recipient nominated by the authorised representative;
(c) if the authorised representative was a professional representative of the recipient—each nominated representative of the recipient nominated by the authorised representative, unless there is another professional representative of the recipient who is employed by the same employer as the authorised representative

Item 2
Column 1 (Circumstances): The System Operator is notified by the service operator that the status of the healthcare identifier for a nominated representative of the recipient has been changed to retired
Column 2 (Entities): The nominated representative

Item 3
Column 1 (Circumstances): The System Operator is notified that a nominated representative of the recipient has died
Column 2 (Entities): The nominated representative

Item 4
Column 1 (Circumstances): Both:
(a) a person ceases to be an authorised representative of the recipient under subsection 6(1) or (2) of the Act (which relate to healthcare recipients aged under 14); and
(b) the System Operator is not satisfied that the person will be an authorised representative of the recipient under subsection 6(4) of the Act (which relates to healthcare recipients not capable of making decisions for themselves) when the healthcare recipient turns 18
Column 2 (Entities): The following:
(a) the person;
(b) each nominated representative of the recipient nominated by the person

Item 5
Column 1 (Circumstances): The recipient turns 18 and the System Operator is not satisfied under subsection 6(4) of the Act (which relates to healthcare recipients not capable of making decisions for themselves) in relation to the recipient
Column 2 (Entities): Each person (if any) who was an authorised representative of the recipient and each nominated representative of the recipient nominated by the person

Item 6
Column 1 (Circumstances): A person ceases to be an authorised representative of the recipient under subsection 6(3) of the Act (which relates to healthcare recipients aged between 14 and 17 years) because:
(a) the recipient turns 18; or
(b) the recipient, by written notice given to the System Operator, withdraws the nomination of the person given under that subsection
Column 2 (Entities): The following:
(a) the person;
(b) each nominated representative of the recipient nominated by the person

Item 7
Column 1 (Circumstances): A person is no longer an authorised representative of the recipient because the System Operator is no longer satisfied of a matter under section 6 of the Act relating to whether the person is an authorised representative of the recipient
Column 2 (Entities): The following:
(a) the person;
(b) if the person was not a professional representative of the recipient—each nominated representative of the recipient nominated by the person;
(c) if the person was a professional representative of the recipient—each nominated representative of the recipient nominated by the person, unless there is another professional representative of the recipient who is employed by the same employer as the person

Item 8
Column 1 (Circumstances): The System Operator is notified by an authorised representative of the recipient that the authorised representative no longer wishes to act as an authorised representative of the recipient
Column 2 (Entities): The following:
(a) the authorised representative;
(b) if the authorised representative was not a professional representative of the recipient—each nominated representative of the recipient nominated by the authorised representative;
(c) if the authorised representative was a professional representative of the recipient—each nominated representative of the recipient nominated by the authorised representative, unless there is another professional representative of the recipient who is employed by the same employer as the authorised representative

Item 9
Column 1 (Circumstances): The System Operator is notified by a nominated representative of the recipient that the nominated representative no longer wishes to act as the nominated representative of the recipient
Column 2 (Entities): The nominated representative

Item 10
Column 1 (Circumstances): A person is no longer an authorised representative of the recipient for a reason not mentioned in another item of this table
Column 2 (Entities): The following:
(a) the person;
(b) if the person was not a professional representative of the recipient—each nominated representative of the recipient nominated by the person;
(c) if the person was a professional representative of the recipient—each nominated representative of the recipient nominated by the person, unless there is another professional representative of the recipient who is employed by the same employer as the person

Item 11
Column 1 (Circumstances): A person is no longer a nominated representative of the recipient for a reason not mentioned in another item of this table
Column 2 (Entities): The person

12 Purpose of this Division

  For the purposes of paragraph 15(n) of the Act, this Division confers other functions on the System Operator.

13 Deleting information or a record in the My Health Record system in certain circumstances

  The System Operator may delete, or may direct another participant in the My Health Record system to delete, information or a record in the My Health Record system if the System Operator reasonably believes that:

 (a) the information or record contains a defamatory statement; or

 (b) the information or record affects, or is likely to affect, the security or integrity of the My Health Record system; or

 (c) both the following are satisfied:

 (i) the information or record was uploaded in contravention of paragraph 45(ba) of the Act;

 (ii) the information or record should be deleted to reduce the clinical risk that is, or may be, faced by a healthcare recipient if the information or record is not deleted.

Example: The System Operator may decide to delete information or a record under paragraph (c) if the authoring individual healthcare provider’s registration with the national registration authority (within the meaning of the Healthcare Identifiers Act 2010) has been suspended for professional negligence, and the System Operator considers that deleting the record would reduce the clinical risk faced by the healthcare recipient to whom the record relates.

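14 Suspending access to the My Health Record system if security, integrity or operations are or may be compromised

Suspension for certain entities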

 (1) If the System Operator considers that the security, integrity or operations of the My Health Record system have been, or may be, compromised, the System Operator may suspend access to the My Health Record system for any of the following entities, or for a class or classes of any of the following entities:

 (a) a healthcare recipient;

 (b) an authorised representative of a healthcare recipient;

 (c) a nominated representative of a healthcare recipient;

 (d) a participant in the My Health Record system.

 (2) Without limiting subsection (1), the security, integrity or operations of the My Health Record system may be compromised if:

 (a) there is a security problem with the information technology systems of a participant in the My Health Record system, or with the credentials that enable the participant’s identity to be authenticated in electronic communications; or

 (b) there is an issue with verification of the identity of a healthcare recipient or an authorised representative or a nominated representative of the recipient; or

 (c) a participant has failed to comply with the interoperability requirements for the My Health Record system.

 (3) If a participant has failed to comply with the interoperability requirements for the My Health Record system, the System Operator may suspend the access to the My Health Record system by the participant in full or in part.

Example: Under subsection 14(3), the System Operator may decide to suspend all access by a participant. Alternatively, the System Operator may decide to partially suspend access to the My Health Record system by preventing the participant uploading a class of documents (such as shared health summaries) until the participant complies with the interoperability requirements for the My Health Record system.

Notice requirements

 (4) Unless subsection (6) or (7) applies, the System Operator must notify an entity whose access to the My Health Record system has been suspended under subsection (1) in accordance with subsection (5).

 (5) The notice must:

 (a) be in writing; and

 (b) be given as soon as practicable after the suspension occurs; and

 (c) specify:

 (i) the reasons for the suspension; and

 (ii) the steps, if any, that the System Operator requires the entity to take before the entity’s access to the My Health Record system is restored.

 (6) This subsection applies if the System Operator reasonably believes that the suspension of access relates to minor operational matters and is unlikely to last for more than 24 hours.

 (7) This subsection applies if:

 (a) the System Operator reasonably believes that the suspension of access affects a significant number of healthcare recipients; and

 (b) the System Operator notifies the general public.

Restoring access following suspension

 (8) The System Operator must restore access to the My Health Record system for the entity as soon as practicable after the System Operator is satisfied that the security, integrity or operations (as applicable) of the My Health Record system are no longer compromised or are no longer at risk of compromise.

15 Providing a mechanism to access My Health Record system

  The System Operator may provide a mechanism that permits registered healthcare provider organisations to access the My Health Record system.

16 Matters System Operator to have regard to

  For the purposes of paragraph 41(1)(c) of the Act, and paragraphs 3(1)(b) and 6(3)(c) of Schedule 1 to the Act, the matters are the following:

 (a) if the healthcare recipient is a child—whether:

 (i) the birth mother of the recipient has a healthcare identifier; and

 (ii) the service operator has evidence confirming the identity of the birth mother;

 (b) otherwise—whether:

 (i) the healthcare recipient has a healthcare identifier; and

 (ii) the service operator has evidence confirming the identity of the recipient.

17 Purpose of this Subdivision

  For the purposes of paragraphs 43(b) and 109(3)(a) of the Act, this Subdivision specifies requirements that a healthcare provider organisation must comply with to be eligible for registration.

18 Organisation officers must have authority to act on behalf of organisation

Organisations that are seed organisations for a network or are not part of a network

 (1) Subsection (2) applies to a healthcare provider organisation that is a seed organisation for a network, or is not part of a network.

 (2) The following persons must be authorised to act on behalf of the organisation in the organisation’s dealings with the System Operator:

 (a) the responsible officer for the organisation;

 (b) the organisation maintenance officer for the organisation.

Organisations that are network organisations within a network

 (3) Subsection (4) applies to a healthcare provider organisation that is a network organisation within a network.

 (4) The following persons must be authorised to act on behalf of the organisation in the organisation’s dealings with the System Operator:

 (a) the responsible officer for the organisation;

 (b) the organisation maintenance officer for the organisation;

 (c) the organisation maintenance officer for the seed organisation for the network.

19 Organisation must give System Operator and service operator certain information

 (1) A healthcare provider organisation must:

 (a) give the System Operator a list of all identified healthcare providers (within the meaning of the Healthcare Identifiers Act 2010) that are individual healthcare providers and will be authorised to access the My Health Record system via or on behalf of the organisation using a mechanism provided by the System Operator under section 15 of this instrument; and

 (b) if the organisation is a seed organisation for a network—give the service operator a record of the linkages between healthcare provider organisations within the network.

 (2) The list mentioned in paragraph (1)(a) and the record mentioned in paragraph (1)(b) must be in the approved form.

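20 Organisations that are network organisations—seed organisation for network must be a registered healthcare provider organisation

 (1) This section applies to a healthcare provider organisation that is a network organisation within a network.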

 (2) The seed organisation for the network must be a registered healthcare provider organisation.

21 Organisation must have security and access policy

 (1) A healthcare provider organisation must have a written security and access policy that:

 (a) addresses the matters mentioned in subsection (2); and

 (b) is drafted in such a manner that the organisation’s performance can be audited against the policy to determine if the organisation has complied with the policy.

 (2) For the purposes of paragraph (1)(a), the matters are the following:

 (a) the procedures the organisation will use to authorise a person (a user) to access the My Health Record system, or use health information included in a healthcare recipient’s My Health Record, via or on behalf of the organisation, including procedures for creating and modifying user accounts, and how a user’s account will be suspended or deactivated if:

 (i) the user leaves the organisation; or

 (ii) the user’s security is compromised; or

 (iii) the user’s duties no longer require the user to access the My Health Record system; or

 (iv) the user is an individual healthcare provider that ceases to be linked to the organisation;

 (b) the training, that must include the training referred to in subsection (3), that will be provided to a user:

 (i) before the user is authorised to access the My Health Record system; and

 (ii) annually; and

 (iii) following any significant changes to the Act, regulations made under the Act, this instrument or the My Health Record system;

 (c) the processes that the organisation will use to ensure that the organisation does not contravene section 74 or 75 of the Act;

 (d) the physical security, information security, cybersecurity and technical and organisational measures that the organisation will implement, including the following:

 (i) user account management practices for information technology systems that are used by users to access the My Health Record system via or on behalf of the organisation, that must include the practices referred to in subsection (4);

 (ii) regular system maintenance;

 (iii) data protection, including data encryption and regular backup;

 (iv) monitoring and reviewing the measures;

 (e) the strategies that the organisation will use to ensure that security risks in relation to the My Health Record system will be promptly identified, acted upon and reported to the organisation’s management.

Training to be provided to users

 (3) For the purposes of paragraph (2)(b), the training is training in relation to the following:

 (a) how to use the My Health Record system accurately and responsibly;

 (b) the legal obligations of healthcare provider organisations and users using the My Health Record system;

 (c) the consequences of breaching those legal obligations.

User account management practices to be implemented

 (4) For the purposes of subparagraph (2)(d)(i), the user account management practices for information technology systems that are used by users to access the My Health Record system via or on behalf of the organisation are the following:

 (a) restricting access to only users who require access as part of their duties;

 (b) uniquely identifying users using the organisation’s information technology systems and protecting the identity of users with a password or equivalent protection mechanism;

 (c) having password or other equivalent protection mechanisms that are sufficiently secure and robust given the security and privacy risks associated with unauthorised access to the My Health Record system;

 (d) deactivating the account of a user who is no longer authorised by the organisation to access the My Health Record system via or on behalf of the organisation;

 (e) suspending the access of a user as soon as practicable after becoming aware that the account or the password or other equivalent protection mechanism has been compromised;

 (f) reviewing the practices at least annually;

 (g) ensuring that users are aware of, and trained in, the practices.

  A healthcare provider organisation must, on request by the System Operator, give the System Operator a copy of the organisation’s security and access policy.

  For the purposes of subparagraph 45(b)(ii) of the Act, the kind of record specified is records other than the following:

 (a) a record mentioned in subparagraph 45(b)(i) of the Act;

 (b) advance care planning information.

 (1) For the purposes of subparagraph 45(ba)(i) of the Act, the circumstances are that, at the time the record is prepared, fees to maintain the individual’s registration are not more than 6 months overdue.

 (2) For the purposes of subparagraph 45(ba)(ii) of the Act, the circumstances are that, at the time the record is prepared, fees to maintain the individual’s credentials are not more than 6 months overdue.

  For the purposes of paragraphs 48(a) and 109(3)(b) of the Act, this Division specifies requirements that a person must comply with to be eligible for registration as a repository operator or a portal operator.

 (1) The person must have at least one, but no more than three, operator officers.

 (2) An individual is the operator officer for a person if:

 (a) the individual is an employee of the person; and

 (b) the individual’s duties include the following:

 (i) receiving communications from the System Operator about the operation of the My Health Record system;

 (ii) acting as a liaison between the System Operator and the person;

 (iii) maintaining the System Operator’s records of the professional and business details of the person and the individual.

 (1) A person must have a written security and access policy that:

 (a) addresses the matters mentioned in subsection (2); and

 (b) is drafted in such a manner that the person’s performance can be audited against the policy to determine if the person has complied with the policy.

 (2) For the purposes of paragraph (1)(a), the matters are the following:

 (a) the procedures the person will use to authorise a person (a user) to access the My Health Record system, or use health information included in a healthcare recipient’s My Health Record, via or on behalf of the person, including procedures for creating and modifying user accounts, and how a user’s account will be suspended or deactivated if:

 (i) the user leaves the person; or

 (ii) the user’s security is compromised; or

 (iii) the user’s duties no longer require the user to access the My Health Record system;

 (b) the training, that must include the training referred to in subsection (3), that will be provided to a user:

 (i) before the user is authorised to access the My Health Record system; and

 (ii) annually; and

 (iii) following any significant changes to the Act, regulations made under the Act, this instrument or the My Health Record system;

 (c) the processes that the person will use to ensure that the person does not contravene section 75 of the Act;

 (d) the physical security, information security, cybersecurity and technical and organisational measures that the person will implement, including the following:

 (i) user account management practices for information technology systems that are used by users to access the My Health Record system via or on behalf of the person, that must include the practices referred to in subsection (4);

 (ii) regular system maintenance;

 (iii) data protection, including data encryption and regular backup;

 (iv) monitoring and reviewing the measures;

 (e) the strategies that the person will use to ensure that security risks in relation to the My Health Record system will be promptly identified, acted upon and reported to the person’s management.

Training to be provided to users

 (3) For the purposes of paragraph (2)(b), the training is training in relation to the following:

 (a) how to use the My Health Record system accurately and responsibly;

 (b) the legal obligations of repository operators or portal operators (as applicable) and users using the My Health Record system;

 (c) the consequences of breaching those legal obligations.

User account management practices to be implemented

 (4) For the purposes of subparagraph (2)(d)(i), the user account management practices for information technology systems that are used by users to access the My Health Record system via or on behalf of the person are the following:

 (a) restricting access to only users who require access as part of their duties;

 (b) uniquely identifying users using the person’s information technology systems and protecting the identity of users with a password or equivalent protection mechanism;

 (c) having password or other equivalent protection mechanisms that are sufficiently secure and robust given the security and privacy risks associated with unauthorised access to the My Health Record system;

 (d) deactivating the account of a user who is no longer authorised by the person to access the My Health Record system via or on behalf of the person;

 (e) suspending the access of a user as soon as practicable after becoming aware that the account or the password or other equivalent protection mechanism has been compromised;

 (f) reviewing the practices at least annually;

 (g) ensuring users are aware of, and trained in, the practices.

  The person must give the System Operator a copy of the person’s security and access policy with the person’s application for registration as a repository operator or a portal operator.

  The person must have:

 (a) a point of contact and technical support for the person during ordinary business hours Monday to Friday, other than public holidays; and

 (b) at least 2 points of contact who have the authority, and are able, to resolve, or coordinate the resolution of, any technical, security or operational issues affecting the person outside ordinary business hours and on public holidays.

  For the purposes of paragraphs 48(a) and 109(3)(b) of the Act, this Division specifies requirements that a person must comply with to be eligible for registration as a contracted service provider.

 (1) The person must have at least one, but no more than three, contracted service provider officers.

 (2) An individual is the contracted service provider officer for a person if:

 (a) the individual is an employee of the person; and

 (b) the individual’s duties include the following:

 (i) receiving communications from the System Operator about the operation of the My Health Record system;

 (ii) acting as a liaison between the System Operator and the person;

 (iii) maintaining the System Operator’s records of the professional and business details of the person and the individual.

 (1) A person must have a written security and access policy that:

 (a) addresses the matters mentioned in subsection (2); and

 (b) is drafted in such a manner that the person’s performance can be audited against the policy to determine if the person has complied with the policy.

 (2) For the purposes of paragraph (1)(a), the matters are the following:

 (a) the procedures the person will use to authorise a person (a user) to access the My Health Record system, or use health information included in a healthcare recipient’s My Health Record, via or on behalf of the person, including procedures for creating and modifying user accounts, and how a user’s account will be suspended or deactivated if:

 (i) the user leaves the person; or

 (ii) the user’s security is compromised; or

 (iii) the user’s duties no longer require the user to access the My Health Record system;

 (b) the training, that must include the training referred to in subsection (3), that will be provided to a user:

 (i) before the user is authorised to access the My Health Record system; and

 (ii) annually; and

 (iii) following any significant changes to the Act, regulations made under the Act, this instrument or the My Health Record system;

 (c) the processes that the person will use to ensure that the person does not contravene section 75 of the Act;

 (d) the physical security, information security, cybersecurity and technical and organisational measures that the person will implement, including the following:

 (i) user account management practices for information technology systems that are used by users to access the My Health Record system via or on behalf of the person, that must include the practices referred to in subsection (4);

 (ii) regular system maintenance;

 (iii) data protection, including data encryption and regular backup;

 (iv) monitoring and reviewing the measures;

 (e) the strategies that the person will use to ensure that security risks in relation to the My Health Record system will be promptly identified, acted upon and reported to the person’s management.

Training to be provided to users

 (3) For the purposes of paragraph (2)(b), the training is training in relation to the following:

 (a) how to use the My Health Record system accurately and responsibly;

 (b) the legal obligations of contracted service providers and users using the My Health Record system;

 (c) the consequences of breaching those legal obligations.

User account management practices to be implemented

 (4) For the purposes of subparagraph (2)(d)(i), the user account management practices for information technology systems that are used by users to access the My Health Record system via or on behalf of the person are the following:

 (a) restricting access to only users who require access as part of their duties;

 (b) uniquely identifying users using the person’s information technology systems and protecting the identity of users with a password or equivalent protection mechanism;

 (c) having password or other equivalent protection mechanisms that are sufficiently secure and robust given the security and privacy risks associated with unauthorised access to the My Health Record system;

 (d) deactivating the account of a user who is no longer authorised by the person to access the My Health Record system via or on behalf of the person;

 (e) suspending the access of a user as soon as practicable after becoming aware that the account or the password or other equivalent protection mechanism has been compromised;

 (f) reviewing the practices at least annually;

 (g) ensuring users are aware of, and trained in, the practices.

  The person must give the System Operator a copy of the person’s security and access policy with the person’s application for registration as a contracted service provider.

 (1) For the purposes of subsection 55(1) of the Act, this section applies to an entity that was a registered portal operator or a registered repository operator if the registration of the entity was cancelled under Division 4 of Part 3 of the Act.

 (2) The requirements to which an entity that was a registered portal operator is subject are that the entity must not retain access to a record held by the entity in relation to a healthcare recipient’s My Health Record without the prior written approval of the System Operator.

 (3) The requirements to which an entity that was a registered repository operator is subject are that the entity must not transfer or dispose of information held by the entity in relation to a healthcare recipient’s My Health Record without the prior written approval of the System Operator.

  For the purposes of paragraph 109(3)(c) of the Act, this Part specifies conditions on the registration of participants in the My Health Record system.

  A registered healthcare provider organisation must comply with a direction given to the organisation by the System Operator under section 13.

 (1) A registered healthcare provider organisation must take reasonable steps to ensure that a record is not uploaded to the My Health Record system by the following entities if the record is inaccurate, incorrect, misleading, defamatory or out of date:

 (a) the organisation;

 (b) an employee of the organisation;

 (c) an individual healthcare provider linked to the organisation.

 (2) Subsection (1) does not apply in relation to a record if:

 (a) the record was created by a person who was not, at the time the record was created, an employee of the organisation; and

 (b) there is nothing in the record that would indicate to a reasonable person in the circumstances that the record was not accurate, correct or up-to-date, or was misleading or defamatory.

 (3) This section does not affect any other obligation of an entity referred to in subsection (1) to:

 (a) keep clinical records about a healthcare recipient; or

 (b) communicate health information to a healthcare recipient.

 (1) If circumstances mentioned in column 1 of an item of the following table apply in relation to a registered healthcare provider organisation, the organisation must notify the System Operator of the matter mentioned in column 2 of the item.

 

Circumstances and matters

| Item | Column 1: Circumstances | Column 2: Matter |
|---|---|---|
| 1 | the organisation becomes aware or suspects that there is a non-clinical error relating to information or a record that has been accessed via, or downloaded from, the My Health Record system by the organisation or an employee of the organisation | details of the error |
| 2 | the organisation undergoes a material change | details of the change |
| 3 | there is a change in a responsible officer for the organisation or an organisation maintenance officer for the organisation | details of the change |
| 4 | there is a change in the contact details for a responsible officer for the organisation or an organisation maintenance officer for the organisation | details of the change |
| 5 | an entity becomes a contracted service provider of the organisation | the entity’s name, ABN (if known) and ACN (if known), and the date the entity became a contracted service provider of the organisation |
| 6 | an entity ceases to be a contracted service provider of the organisation | the entity’s name, ABN (if known) and ACN (if known), and the date the entity ceased to be a contracted service provider of the organisation |

Example: A registered healthcare provider organisation must notify the System Operator under item 1 if the organisation or an employee of the organisation becomes aware of an uploaded record that appears to have been corrupted during upload.

 (2) The notification referred to in subsection (1) must be given to the System Operator:

 (a) in writing; and

 (b) within 2 business days of the circumstance occurring.

  A registered healthcare provider organisation must comply with the interoperability requirements for the My Health Record system.

 (1) A registered healthcare provider organisation must, on request by the System Operator, promptly provide all necessary assistance in relation to any inquiry, audit, review, assessment, investigation or complaint in connection with the My Health Record system conducted, handled, requested or facilitated by the System Operator.

 (2) Subsection (1) does not apply unless the System Operator gives the organisation reasonable notice of the assistance required.

 (1) A registered healthcare provider organisation may upload to a repository advance care planning information for a healthcare recipient only if the recipient instructs the organisation to upload the information.

 (2) If the organisation uploads advance care planning information in accordance with subsection (1), the organisation must keep a record of:

 (a) the recipient’s instructions; and

 (b) how the recipient’s instructions were provided.

 (1) This section applies to a healthcare provider organisation that is a network organisation within a network.

 (2) The seed organisation for the network must be a registered healthcare provider organisation.

Communicating and making policy accessible

 (1) A registered healthcare provider organisation must communicate the organisation’s security and access policy, and ensure that the policy remains readily accessible, to the following entities:

 (a) an employee of the organisation;

 (b) a healthcare provider to whom the organisation supplies services under contract;

 (c) an individual healthcare provider linked to the healthcare provider organisation.

Complying with policy

 (2) The organisation must:

 (a) comply with the policy; and

 (b) take all reasonable steps to ensure that the entities mentioned in subsection (1) comply with the policy.

Keeping policy up-to-date

 (3) The organisation must ensure the following:

 (a) the policy is kept up-to-date;

 (b) each iteration of the policy contains a unique version number and the date the iteration comes into effect;

 (c) without limiting paragraph (a), the policy is reviewed:

 (i) at least annually; and

 (ii) when any material new or changed risks are identified; and

 (iii) on request by the System Operator;

 (d) a review mentioned in paragraph (c) must include consideration of:

 (i) factors that might result in:

 (A) unauthorised access to the My Health Record system using the organisation’s information systems; or

 (B) the misuse or unauthorised disclosure of information from a healthcare recipient’s My Health Record by persons authorised to access the My Health Record system via or on behalf of the organisation; or

 (C) the accidental disclosure of information contained in a healthcare recipient’s My Health Record; and

 (ii) any changes to the My Health Record system that may affect the organisation; and

 (iii) any relevant legal or regulatory changes that have occurred since the last review.

Recordkeeping

 (4) The organisation must keep a record of each iteration of the policy for 5 years starting on the day the iteration comes into effect.

 (1) A registered healthcare provider organisation must comply with a request from the System Operator under this section within 7 days of the organisation receiving the request.

 (2) The System Operator may request in writing that a registered healthcare provider organisation give it a copy of the organisation’s security and access policy. The request may be for the organisation’s current policy or an iteration of the policy that was in effect on a specified date.

 (1) A registered healthcare provider organisation must keep a record of the following:

 (a) the organisation’s application of the procedures mentioned in paragraph 21(2)(a);

 (b) the organisation’s provision of the training mentioned in paragraph 21(2)(b);

 (c) the organisation’s application of the processes mentioned in paragraph 21(2)(c);

 (d) the organisation’s application of the measures mentioned in paragraph 21(2)(d).

Example: The kinds of records the organisation must keep under this section include:

(a) records of the creation, modification, suspension and deactivation of user accounts; and

(b) logs of individuals’ access to the My Health Record system.

 (2) The organisation must retain a record mentioned in paragraph (1)(a) or (b) for 5 years starting on the day the record was created.

 (3) The organisation must retain a record mentioned in paragraph (1)(c) or (d) for 2 years starting on the day the record was created.

 (1) A registered healthcare provider organisation must comply with a request from the System Operator under this section within 7 days of the organisation receiving the request.

 (2) The System Operator may request in writing that a registered healthcare provider organisation give it a copy of a record mentioned in section 45.

  This Division applies to a person who is a registered repository operator or portal operator.

  The person must comply with a direction given to the person by the System Operator under section 13.

  The person must ensure that its operator officers carry out the duties referred to in paragraph 26(2)(b).

 (1) If circumstances mentioned in column 1 of an item of the following table apply in relation to a person, the person must notify the System Operator of the matter mentioned in column 2 of the item.

 

Circumstances and matters

| Item | Column 1: Circumstances | Column 2: Matter |
|---|---|---|
| 1 | the person becomes aware or suspects that there is a non-clinical error relating to information or a record that has been accessed via, or downloaded from, the My Health Record system by the person or an employee of the person | details of the error |
| 2 | the person undergoes a material change | details of the change |
| 3 | there is a change in an operator officer for the person | details of the change |
| 4 | there is a change in the contact details for an operator officer for the person | details of the change |

Example: A person must notify the System Operator if the person or an employee of the person becomes aware of an uploaded record that appears to have been corrupted during upload.

 (2) The notification referred to in subsection (1) must be given to the System Operator:

 (a) in writing; and

 (b) within 2 business days of the circumstance occurring.

  The person must comply with the interoperability requirements for the My Health Record system.

 (1) The person must, on request by the System Operator, promptly provide all necessary assistance in relation to any inquiry, audit, review, assessment, investigation or complaint in connection with the My Health Record system conducted, handled, requested or facilitated by the System Operator.

 (2) Subsection (1) does not apply unless the System Operator gives the person reasonable notice of the assistance required.

Communicating and making policy accessible

 (1) The person must communicate the person’s security and access policy, and ensure that the policy remains readily accessible, to the following entities:

 (a) each employee of the person;

 (b) each user (within the meaning of paragraph 27(2)(a)).

Complying with policy

 (2) The person must:

 (a) comply with the policy; and

 (b) take all reasonable steps to ensure that the entities mentioned in subsection (1) comply with the policy.

Keeping policy up-to-date

 (3) The person must ensure the following:

 (a) the policy is kept up-to-date;

 (b) each iteration of the policy contains a unique version number and the date the iteration comes into effect;

 (c) without limiting paragraph (a), the policy is reviewed:

 (i) at least annually; and

 (ii) when any material new or changed risks are identified; and

 (iii) on request by the System Operator;

 (d) a review mentioned in paragraph (c) must include consideration of:

 (i) factors that might result in:

 (A) unauthorised access to the My Health Record system using the person’s information systems; or

 (B) the misuse or unauthorised disclosure of information from a healthcare recipient’s My Health Record by persons authorised to access the My Health Record system via or on behalf of the person; or

 (C) the accidental disclosure of information contained in a healthcare recipient’s My Health Record; and

 (ii) any changes to the My Health Record system that may affect the person; and

 (iii) any relevant legal or regulatory changes that have occurred since the last review.

Recordkeeping

 (4) The person must keep a record of each iteration of the policy for 5 years starting on the day the iteration comes into effect.

 (1) The person must comply with a request from the System Operator under this section within 7 days of the person receiving the request.

 (2) The System Operator may request in writing that a person give it a copy of the person’s security and access policy. The request may be for the person’s current policy or an iteration of the policy that was in effect on a specified date.

 (1) The person must keep a record of the following:

 (a) the person’s application of the procedures mentioned in paragraph 27(2)(a);

 (b) the person’s provision of the training mentioned in paragraph 27(2)(b);

 (c) the person’s application of the processes mentioned in paragraph 27(2)(c);

 (d) the person’s application of the measures mentioned in paragraph 27(2)(d).

Example: The kinds of records the person must keep under this section include:

(a) records of the creation, modification, suspension and deactivation of user accounts; and

(b) logs of individuals’ access to the My Health Record system.

 (2) The person must retain a record mentioned in paragraph (1)(a) or (b) for 5 years starting on the day the record was created.

 (3) The person must retain a record mentioned in paragraph (1)(c) or (d) for 2 years starting on the day the record was created.

 (1) The person must comply with a request from the System Operator under this section within 7 days of the person receiving the request.

 (2) The System Operator may request in writing that a person give it a copy of a record mentioned in section 55.

  This Division applies to a person who is a registered contracted service provider.

  The person must comply with a direction given to the person by the System Operator under section 13.

  The person must ensure that its contracted service provider officers carry out the duties referred to in paragraph 31(2)(b).

 (1) If circumstances mentioned in column 1 of an item of the following table apply in relation to a person, the person must notify the System Operator of the matters mentioned in column 2 of the item.

 

Circumstances and matters

| Item | Column 1: Circumstances | Column 2: Matters |
|---|---|---|
| 1 | the person becomes aware or suspects that there is a non-clinical error relating to information or a record that has been accessed via, or downloaded from, the My Health Record system by the person or an employee of the person | details of the error |
| 2 | the person undergoes a material change | details of the change |
| 3 | there is a change in a contracted service provider officer for the person | details of the change |
| 4 | there is a change in the contact details for a contracted service provider officer for the person | details of the change |
| 5 | the person becomes the contracted service provider of a registered healthcare provider organisation | the following: (a) the name of the provider; (b) the organisation’s business name on the register established under section 22 of the Business Names Registration Act 2011 (if applicable); (c) the healthcare identifier assigned to the organisation under paragraph 9(1)(a) of the Healthcare Identifiers Act 2010 |
| 6 | the person ceases to be the contracted service provider of a registered healthcare provider organisation | the following: (a) the name of the provider; (b) the organisation’s business name on the register established under section 22 of the Business Names Registration Act 2011 (if applicable); (c) the healthcare identifier assigned to the organisation under paragraph 9(1)(a) of the Healthcare Identifiers Act 2010 |

Example: A person must notify the System Operator if the person or an employee of the person becomes aware of an uploaded record that appears to have been corrupted during upload.

 (2) The notification referred to in subsection (1) must be given to the System Operator:

 (a) in writing; and

 (b) within 2 business days of the circumstance occurring.

  The person must comply with the interoperability requirements for the My Health Record system.

 (1) The person must, on request by the System Operator, promptly provide all necessary assistance in relation to any inquiry, audit, review, assessment, investigation or complaint in connection with the My Health Record system conducted, handled, requested or facilitated by the System Operator.

 (2) Subsection (1) does not apply unless the System Operator gives the person reasonable notice of the assistance required.

Communicating and making policy accessible

 (1) The person must communicate the person’s security and access policy, and ensure that the policy remains readily accessible, to the following entities:

 (a) each employee of the person;

 (b) each user (within the meaning of paragraph 32(2)(a)).

Complying with policy

 (2) The person must:

 (a) comply with the policy; and

 (b) take all reasonable steps to ensure that the entities mentioned in subsection (1) comply with the policy.

Keeping policy up-to-date

 (3) The person must ensure the following:

 (a) the policy is kept up-to-date;

 (b) each iteration of the policy contains a unique version number and the date the iteration comes into effect;

 (c) without limiting paragraph (a), the policy is reviewed:

 (i) at least annually; and

 (ii) when any material new or changed risks are identified; and

 (iii) on request by the System Operator;

 (d) a review mentioned in paragraph (c) must include consideration of:

 (i) factors that might result in:

 (A) unauthorised access to the My Health Record system using the person’s information systems; or

 (B) the misuse or unauthorised disclosure of information from a healthcare recipient’s My Health Record by persons authorised to access the My Health Record system via or on behalf of the person; or

 (C) the accidental disclosure of information contained in a healthcare recipient’s My Health Record; and

 (ii) any changes to the My Health Record system that may affect the person; and

 (iii) any relevant legal or regulatory changes that have occurred since the last review.

Recordkeeping

 (4) The person must keep a record of each iteration of the policy for 5 years starting on the day the iteration comes into effect.

 (1) The person must comply with a request from the System Operator under this section within 7 days of the person receiving the request.

 (2) The System Operator may request in writing that a person give it a copy of the person’s security and access policy. The request may be for the person’s current policy or an iteration of the policy that was in effect on a specified date.

 (1) The person must keep a record of the following:

 (a) the person’s application of the procedures mentioned in paragraph 32(2)(a);

 (b) the person’s provision of the training mentioned in paragraph 32(2)(b);

 (c) the person’s application of the processes mentioned in paragraph 32(2)(c);

 (d) the person’s application of the measures mentioned in paragraph 32(2)(d).

Example: The kinds of records the person must keep under this section include:

(a) records of the creation, modification, suspension and deactivation of user accounts; and

(b) logs of individuals’ access to the My Health Record system.

 (2) The person must retain a record mentioned in paragraph (1)(a) or (b) for 5 years starting on the day the record was created.

 (3) The person must retain a record mentioned in paragraph (1)(c) or (d) for 2 years starting on the day the record was created.

 (1) The person must comply with a request from the System Operator under this section within 7 days of the person receiving the request.

 (2) The System Operator may request in writing that a person give it a copy of a record mentioned in section 65.

 (1) This section applies if the person is a contracted service provider of a healthcare provider organisation.

 (2) The person must access the My Health Record system, or use health information included in a healthcare recipient’s My Health Record, only to the extent the person has been instructed to do so by the organisation.

 (3) If the person accesses the My Health Record system, or uses health information included in a healthcare recipient’s My Health Record, the person must give the System Operator the healthcare identifier of the healthcare provider organisation that instructed the person to access the system or to use the health information.

 

  For the purposes of paragraph 109(3)(d) of the Act, this Part specifies requirements relating to the My Health Record system that apply to healthcare recipients or participants in the My Health Record system.

  The System Operator must, on request by another participant in the My Health Record system, provide the participant with details of when the My Health Record system was unavailable.

 

 (1) This section is made for the purposes of paragraph 109(7)(b) of the Act.

 (2) This section applies if:

 (a) a healthcare recipient ceases to have any authorised representatives; and

 (b) the recipient has not previously verified the recipient’s identity with the System Operator.

 (3) The System Operator must require the recipient to verify the recipient’s identity before the recipient is able to access their My Health Record.

 

  For the purposes of clause 2 of Schedule 1 to the Act, Part 2 of that Schedule (the opt-out model) applies to all healthcare recipients in Australia.

 (1) This section applies to an entity if, immediately before 1 April 2026, the entity was any of the following:

 (a) a registered healthcare provider organisation;

 (b) a registered repository operator;

 (c) a registered portal operator;

 (d) a registered contracted service provider.

 (2) The following sections of the My Health Records Rule 2016 (as applicable), as in force immediately before 1 April 2026, continue to apply to the entity on and after 1 April 2026 until immediately before 1 October 2026:

 (a) for a registered healthcare provider organisation—sections 42 and 44;

 (b) for a registered repository operator or a registered portal operator—sections 59 and 61;

 (c) for a registered contracted service provider—sections 47 and 49.

 (3) Section 21, 27 or 32 of this instrument (as applicable) applies to the entity on and after 1 October 2026.

 

1  Repeals of instruments

Repeal the following instruments: