In Short
- The My Health Records Act 2012 (Cth) forbids the storage, processing, or handling of health information from the national digital health record system outside Australia.
- Breaching these provisions can lead to civil penalties, including fines up to $630,000 for individuals and $3.15 million for bodies corporate.
- Healthcare providers should review their data management practices to ensure all health information remains within Australia and consider seeking legal advice to navigate these obligations effectively.
Tips for Businesses
Ensure your data storage and processing systems are fully compliant with the My Health Records Act by keeping all health information within Australian borders. Regularly audit your data management practices and consult legal professionals to avoid substantial penalties for non-compliance.
The My Health Records Act 2012 (Cth) (the Act) specifies which entities can collect, use and disclose information in the My Health Record system. It also sets out the penalties for improper information handling. The Act generally applies to health information included in or obtained through the My Health Record system.
Navigating the intersection of the Act and the Privacy Act 1988 is essential for healthcare providers in the digital health landscape. The My Health Record system is primarily governed by federal laws. State and territory health privacy laws also play a crucial role in regulating health information management. These include the:
- Health Records and Information Privacy Act 2002 (NSW); and
- Health Records Act 2001 (Vic).
These laws work together to protect patient privacy while enabling the benefits of a national digital health record system. The Act builds upon the Privacy Act’s broad principles, introducing specific, often more stringent rules for handling health information within the national system.
For healthcare providers, this means adhering to general privacy standards and the tailored requirements of the Act when handling national digital health records. Understanding the interplay between these laws is crucial, as compliance with one act does not guarantee adherence to the other. One critical difference between these legislative instruments is their approach to overseas disclosure.
Overseas Disclosure
The Act takes a stringent approach to handling health information outside Australia, with significant implications for healthcare providers. It prohibits the holding, taking, processing or handling of information from the national digital health record system outside Australian borders. This restriction applies not only to the organisation managing the system but also to registered healthcare providers, to organisations that store or provide access to health records, and to their contracted service providers.
The legislation therefore creates a clear mandate for healthcare providers: all national digital health record system data must remain on Australian soil.
These provisions have significant implications for IT infrastructure and data management. Healthcare providers must ensure that all systems storing or processing data from the national digital health record system are in Australia. This includes backup and disaster recovery solutions. Cloud-based services and software-as-a-service (SaaS) solutions, which often leverage global infrastructure, must be carefully vetted to ensure compliance.
The Act also affects how healthcare providers access and use the national digital health record system. Providers travelling internationally, or offering telehealth services from overseas, are prohibited from accessing the system while outside Australia.
These restrictions can be particularly challenging for healthcare providers who belong to multinational organisations or participate in international research collaborations. Such organisations may need to implement separate systems and processes for handling data from the national digital health record system, distinct from their global operations. International research projects involving Australian health data may need to be restructured to ensure all data remains within the country.
Exceptions
The organisation managing the system can handle certain non-personal information overseas for operational purposes, but this exception does not extend to healthcare providers. The Act does not explicitly address de-identified or aggregate data sharing overseas, which may be permissible if it complies with other legal requirements.
Importantly, consent is notably absent as a factor that can override the strict prohibitions. The Act’s approach to overseas disclosure is uncompromising, regardless of patient preferences or permissions. Healthcare providers cannot send or access patients’ health information overseas, even if the patient explicitly consents. This contrasts with other areas of the Act where patient consent plays a significant role in controlling access to and use of their health information.
Penalties for Non-Compliance
The Act takes a firm stance on overseas disclosure of health information. Breaching the overseas handling provisions can attract civil penalties of up to $630,000 for individuals and $3.15 million for bodies corporate.
Recommendations
These restrictions reflect Australia’s commitment to maintaining control over sensitive health information and protecting it from potential overseas threats. For healthcare providers, understanding and adhering to these regulations is crucial for legal compliance and maintaining patient trust in the national digital health record system.
Compliance with these regulations requires robust governance and oversight. Healthcare providers must implement strict policies and procedures to prevent any inadvertent overseas disclosure of information from the national digital health record system. This includes:
- comprehensive staff training;
- regular audits of data handling practices; and
- careful vetting of all software and services used in connection with the system.
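The residency requirements above (primary storage, backups and disaster recovery, cloud and SaaS vendors) and the recommendation to audit data handling practices both come down to one question: where can this data physically end up? The following is an added example, not code from the original article or from LegalVision, of a data-residency audit over a constructed system inventory. The `SystemRecord` format, the `on-prem-au` label and the sample systems are hypothetical; the cloud region identifiers are the providers' public names (for example `ap-southeast-2` is AWS Sydney) but the allowlist is illustrative and must be maintained by your own organisation. Undocumented locations are reported as findings, because you cannot show that data stayed in Australia if you do not know where it is.

```python
"""Data-residency audit over a system inventory.

Added example, not code from the original article or from LegalVision.
Assumes a hypothetical inventory format (SystemRecord) and an illustrative
allowlist of Australian region identifiers.
"""
from dataclasses import dataclass, field
from typing import Iterator, List, Optional, Tuple

# Illustrative allowlist of locations treated as "in Australia" (assumption:
# extend with the provider regions your organisation actually uses).
AU_REGIONS = frozenset({
    "ap-southeast-2", "ap-southeast-4",             # AWS Sydney, Melbourne
    "australiaeast", "australiasoutheast",          # Azure
    "australiacentral", "australiacentral2",        # Azure
    "australia-southeast1", "australia-southeast2", # Google Cloud
    "on-prem-au",                                   # hypothetical label for AU on-premises hosting
})


@dataclass
class SystemRecord:
    """One system, with every place its data can end up (hypothetical schema)."""
    name: str
    handles_mhr_data: bool                       # touches My Health Record data?
    primary_region: Optional[str]                # None = location not documented
    backup_regions: List[str] = field(default_factory=list)
    replication_targets: List[str] = field(default_factory=list)
    vendor_processing_regions: List[str] = field(default_factory=list)  # SaaS / vendor support access


def _locations(system: SystemRecord) -> Iterator[Tuple[str, Optional[str]]]:
    """Yield (role, region) for primary storage, backups, replicas and vendor processing."""
    yield ("primary", system.primary_region)
    for r in system.backup_regions:
        yield ("backup", r)
    for r in system.replication_targets:
        yield ("replication", r)
    for r in system.vendor_processing_regions:
        yield ("vendor-processing", r)


def audit_residency(inventory: List[SystemRecord]) -> List[str]:
    """Return one finding per non-Australian or undocumented location on an in-scope system.

    Systems that do not handle MHR data are out of scope. An empty or missing
    location is a finding (fail closed), not a pass.
    """
    findings: List[str] = []
    for system in inventory:
        if not system.handles_mhr_data:
            continue
        for role, region in _locations(system):
            if not region or not region.strip():
                findings.append(f"{system.name}: {role} location undocumented")
            elif region.strip().lower() not in AU_REGIONS:
                findings.append(f"{system.name}: {role} in {region} is outside Australia")
    return findings


def is_compliant(inventory: List[SystemRecord]) -> bool:
    """True only when the audit produces no findings."""
    return not audit_residency(inventory)


# Constructed sample inventory (not real systems).
SAMPLE_INVENTORY = [
    SystemRecord("clinical-ehr", True, "on-prem-au", backup_regions=["ap-southeast-2"]),
    SystemRecord("dr-site", True, "ap-southeast-4", replication_targets=["ap-southeast-1"]),  # Singapore replica
    SystemRecord("dictation-saas", True, "australiaeast", vendor_processing_regions=["us-east-1"]),
    SystemRecord("archive", True, "ap-southeast-2", backup_regions=[""]),  # backup location never recorded
    SystemRecord("payroll", False, "us-west-2"),  # out of scope: holds no MHR data
]

if __name__ == "__main__":
    for finding in audit_residency(SAMPLE_INVENTORY):
        print(finding)
```

Run against the sample inventory, the audit reports three findings: the DR site's cross-region replica in Singapore, the dictation vendor's processing in the United States, and the archive whose backup location was never recorded. The payroll system in `us-west-2` is not reported because it holds no My Health Record data. In practice the inventory would be generated from your cloud provider's APIs and vendor questionnaires rather than typed by hand, but the rule stays the same: every location of in-scope data must be known and must be in Australia.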
Providers should be prepared to explain to patients that, while they have significant control over their health information in many respects, no one can waive the prohibition on overseas disclosure. The prohibition is absolute, even with explicit patient consent.

Key Takeaways
The My Health Records Act 2012 (Cth) prohibits healthcare providers from handling data from the national digital health record system outside Australia, requiring them to keep all IT and operations domestic. Providers cannot rely on patient consent to bypass this rule and face civil penalties of up to $630,000 for individuals and $3.15 million for bodies corporate for non-compliance. To comply, providers must:
- enforce strict governance;
- audit data handling practices;
- train staff;
- vet systems and services; and
- clearly explain these requirements to patients.
If you need help navigating overseas disclosure for healthcare providers, our experienced healthcare lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 1300 544 755 or visit our membership page.
Frequently Asked Questions
Can healthcare providers handle My Health Record system data outside Australia?
No, healthcare providers cannot handle My Health Record system data outside Australia. The Act strictly requires all data, including storage, processing and access, to remain within Australian borders.
Can a patient consent to their My Health Record information being sent overseas?
No, patient consent cannot override the prohibition on overseas disclosure. The Act does not permit sending or accessing health information abroad, even with explicit patient consent.