Penalties in place for accessing health information without permission from My Health Record?
Dear Department of Health,
Please advise of legislated penalties for anyone accessing a My Health Record without the permission of the recipient of care.
Yours faithfully,
Sue Q
Attention: Sue Q
I refer to your email of 27 June 2018 to the Department of Health (Department) regarding the unauthorised access to My Health Record information.
The My Health Records Act 2012 specifies penalties that apply to the unauthorised collection, use or disclosure of health information in a My Health Record.
Sections 59 and 60 of the Act prohibit the collection, use or disclosure of such information unless it is authorised by Division 2 of Part 4 of the Act. Contravention of these prohibitions is subject to serious penalties – the civil penalty is up to $126,000 for an individual ($630,000 for bodies corporate), and the criminal penalty is up to two years’ imprisonment and/or up to $25,200 for individuals ($126,000 for bodies corporate).
While a consumer may give consent to the collection, use or disclosure of their health information for any purpose (section 66 of the Act refers), this is only one circumstance in which an entity may be authorised. There are other circumstances set out in Division 2 of Part 4 of the Act in which a particular entity is authorised to collect, use or disclose this information for particular purposes, including for the purposes of providing healthcare to the consumer, responding to a direction by a court or coroner, and law enforcement.
The default access controls on a My Health Record allow any healthcare provider organisation to access that My Health Record if they are providing care to the consumer. A consumer can set these access controls to restrict access by healthcare provider organisations. If a consumer has restricted access (such as through the use of a Record Access Code), access to that My Health Record for health purposes must be in accordance with those access controls – that is, the organisation needs the code in order to access the record – except in an emergency. Emergency access, as with any type of access to a consumer’s My Health Record, is monitored by the My Health Record System Operator to check for suspicious activity, and the consumer can check their access log at any time and be automatically notified of activity.
I hope this information is helpful. If you have any further questions about the legislative framework for the My Health Record system, you can write to [email address]. Questions about the My Health Record system more generally can be directed to the Australian Digital Health Agency’s My Health Record hotline on 1800 723 471.
Regards
FOI Officer
Legal Advice & Legislation Branch
Legal & Assurance Division
Australian Government Department of Health
T: (02) 6289 1666 | E: [Health request email]
PO Box 9848, Canberra ACT 2601, Australia
The Department of Health acknowledges the traditional owners of country throughout Australia, and their continuing connection to land, sea and community. We pay our respects to them and their cultures, and to elders both past and present.
-----Original Message-----
From: Sue Q [mailto:[FOI #4669 email]]
Sent: Wednesday, 27 June 2018 10:00 PM
To: FOI
Subject: Freedom of Information request - Penalties in place for accessing health information without permission from My Health Record? [SEC=No Protective Marking]
Dear Department of Health,
Please advise of legislated penalties for anyone accessing a My Health Record without the permission of the recipient of care.
Yours faithfully,
Sue Q