Skip to main content

My Health Record and your patients – Understanding consent, privacy and security

To align with Privacy Awareness Week we have prepared some information about consent, patient privacy and your role in keeping patient health information secure when using the My Health Record system. You can make sure your patient’s allergy information is secure and available wherever it is needed by uploading it to their My Health Record.

My Health Record, consent, privacy and security at a glance 

  • My Health Record is a safe and secure system that stores health information.
  • You don’t need a patient’s consent each time you access their My Health Record. Be aware that adolescents gain control of My Health Record from their parent/s or guardian/s at age 14.
  • A patient cannot edit any document that has been uploaded by their healthcare providers to their My Health Record.
  • Patients can take further steps to control privacy by limiting who has access to their record. 
  • There are two ways patients can control access to specific health documents in My Health Record:
    1. Restricting a document to prevent healthcare providers and nominated representatives viewing certain information.
    2. Removing a document so that only the patient and the person who added it to My Health Record can see it.
  • Information that a patient has restricted will be available to healthcare providers during an emergency. This enables doctors and emergency staff to access vital health information, such as medications, so they can provide the best treatment.
  • Healthcare providers won't be able to view personal health notes or documents that have been removed from a patient’s record.
  • All access to a patient’s My Health Record during an emergency is recorded in their access history which they can view at any time. The patient can also choose to get an SMS or email if their record is accessed in an emergency. 

My Health Record consent, privacy and security responsibilities for private practice

Any registered healthcare provider can view a patient’s My Health Record for the purpose of providing healthcare services. In addition to clinicians, a healthcare organisation may authorise other staff to access the My Health Record system as part of their role in healthcare delivery.

Healthcare provider organisations can view information in a patient’s My Health Record without the patient being present, provided that access is for the purpose of providing healthcare. For example, a specialist may choose to review clinical documents in a patient’s My Health Record prior to a telehealth consultation.

A patient’s My Health Record provides the activity history related to their record, called the access history. The access history displays the name of the healthcare organisation that accessed the individual’s My Health Record, when it accessed the record and the nature of that access.

It is the responsibility of your healthcare organisation to understand how to prevent a document from being uploaded and how to remove a document that has uploaded. Your organisation is responsible for ensuring that the systems you use to access the My Health Record system are secure.  

To assist you, the Australian Digital Health Agency and Stay Smart Online have developed the Information Security Guide for small healthcare businesses (downloadable booklet). This offers five simple steps to protect health, personal and financial information when using computers and other internet connected devices.

For more information see:

My Health Record System Security

Security Practices and Policies Checklist

Kind regards,

Dr William Smith and Ms Karen Wong
Project Co-leads, National Allergy Strategy MHR Project

The National Allergy Strategy is a collaboration between the Australasian Society of Clinical Immunology and Allergy (ASCIA) and Allergy & Anaphylaxis Australia (A&AA).

The National Allergy Strategy is working with the Australian Digital Health Agency to improve the quality of patient allergy information in My Health Record. More information is available at