Download the Annual report
OAIC_Digital-Health-Report-2022-23 (PDF, 7698 KB)Last updated: 20 October 2023
Executive summary
This annual report sets out the Australian Information Commissioner’s digital health compliance and regulatory activity during 2022–23, in accordance with section 106 of the My Health Records Act 2012 (My Health Records Act) and section 30 of the Healthcare Identifiers Act 2010 (HI Act).
Digital health is an increasingly significant part of the healthcare system, and while the use of digital health information continues to grow, it is it is critical that privacy measures are upheld.
The Australian Government has established two key services to underpin digital health in Australia: the Healthcare Identifiers Service (HI Service), and the My Health Record system. Both involve the management of personal information – and for the purposes of this report, we refer to them collectively as ‘digital health’.
Healthcare identifiers are assigned to individuals, healthcare providers, and healthcare provider organisations. They help healthcare providers communicate accurately with each other and identify and access patient records in the My Health Record system.
The My Health Record system is an online summary of an individual’s health information, including their medicines, immunisations, allergies and medical history. Registered healthcare providers, including doctors, nurses and allied health professionals involved in their care can view and add information to it, subject to legislative obligations and any individual access controls.
Following the earlier establishment of the HI Service, the My Health Record system commenced in 2012 as an opt-in system: people needed to register in order to establish and share their record. In 2017, the Australian Government announced the creation of a My Health Record for every Australian. Following an opt-out period that ended on 31 January 2019, a My Health Record was created for everyone who had not opted out of the system.
Privacy is critical to ensuring trust in digital health, and the legislation establishing the My Health Record system and HI Service include important privacy provisions which are regulated by the Office of the Australian Information Commissioner (OAIC). These provisions recognise the special sensitivity of health information, and protect and restrict its collection, use and disclosure. We work to ensure that healthcare providers understand and comply with their privacy obligations.
This report provides information about digital health activities undertaken by the OAIC, including our assessment program, handling of My Health Record data breach notifications, development of guidance material, provision of advice and liaison with key stakeholders.
In 2022–23, the OAIC received 10 privacy complaints relating to the My Health Record system with 11 complaints ongoing at the end of the reporting period, including 6 complaints received in previous reporting periods. We finalised 8 My Health Record system complaints, including 3 complaints from previous reporting periods.
We received 5 new privacy complaints relating to the HI Service in 2022–23, of which we finalised 1, as well as another 7 complaints from the previous year.
Over the reporting period, the OAIC has continued its focus on regulatory policy work in relation to the HI Service and continued to handle complaints and enquiries about healthcare identifiers. These complaints and enquiries primarily concerned the inclusion of Individual Healthcare Identifiers (IHIs) on COVID-19 digital vaccination certificates (vaccination certificates). On 3 December 2022, IHIs were removed from vaccination certificates and we updated our published privacy guidance to assist entities and individuals who had collected vaccination certificates containing an IHI.
We received 10 data breach notifications during the reporting period in relation to the My Health Record system and closed 10 notifications.
We also carried out other digital health-related work including:
- commencing one assessment regarding the My Health Record system and finalising 2 further assessments as part of the My Health Record access security policy assessment program
- providing advice to stakeholders, including the Australian Digital Health Agency (ADHA), Services Australia and the Department of Health and Aged Care about privacy-related matters relevant to the My Health Record system and HI Service
- developing and promoting guidance materials, including publishing a template for healthcare providers to help them comply with security and access policy requirements under the My Health Records Rule 2016 and updating our My Health Record emergency access function guidance
- engaging with the Department of Health and Aged Care regarding the proposed amendments to the Healthcare Identifiers Regulations 2020 and the HI Act , and
- monitoring developments in the My Health Record system and the HI Service.