Download the 2023–24 annual digital health report

Digital Health report 2024 (PDF, 1518 KB)
Last updated: 28 October 2024
This annual report sets out the Australian Information Commissioner’s digital health compliance and regulatory activity during 2023–24, in accordance with section 106 of the My Health Records Act 2012 (My Health Records Act) and section 30 of the Healthcare Identifiers Act 2010 (HI Act).

The 2023-24 year has highlighted the potential of digital health to improve both patient outcomes and the healthcare system. New technologies, and increasing demand for interoperability and access to data, all require strong consideration of how privacy can be supported and strengthened to realise health benefits while protecting Australians’ most sensitive information.

The Australian Government has established two key services to underpin digital health in Australia: the Healthcare Identifiers Service (HI Service), and the My Health Record system. Both involve the management of personal information – and for the purposes of this report, we refer to them collectively as ‘digital health’.

Privacy is critical to ensuring trust in digital health. The Office of the Australian Information Commissioner (OAIC) is the independent privacy regulator for the My Health Record system and the HI Service. The legislation establishing the My Health Record system and HI Service include important privacy provisions, which recognise the special sensitivity of health information, and protect and restrict its collection, use and disclosure.

This report provides information about digital health activities undertaken by the OAIC, including our assessment program, handling of My Health Record data breach notifications, development of guidance material, provision of advice, and liaison with key stakeholders.

In 2023–24, the OAIC received 13 privacy complaints relating to the My Health Record system with 16 complaints ongoing at the end of the reporting period, including 7 complaints received in previous reporting periods. We finalised 8 My Health Record system complaints, including 4 complaints from previous reporting periods.

We received one new privacy complaint relating to the HI Service in 2023–24, which has been finalised, along with another 6 complaints from the previous year.

Over the reporting period, the OAIC has continued its focus on regulatory policy work in relation to the My Health Record system. As the My Health Record system is updated to assist in creating a connected and digitally-enabled healthcare system, our focus is to ensure that these new systems are built with privacy by design. We engaged with the implementation of the National Digital Health Strategy set out by the Australian Digital Health Agency to keep privacy at the forefront of planned national health system reforms.

We received 39 data breach notifications during the reporting period in relation to the My Health Record system and closed 38 notifications.

We also carried out other digital health-related work including:

  • commencing and finalising one assessment regarding the My Health Record system. There remains one ongoing My Health Record assessment from the 2022-23 financial year
  • providing advice to stakeholders, including the Australian Digital Health Agency, Services Australia and the Department of Health and Aged Care about privacy-related matters relevant to the My Health Record system and HI Service
  • developing and promoting guidance materials, including publishing an updated template for healthcare providers to help them comply with security and access policy requirements under the My Health Records Rule 2016, and participating in an Australian Digital Health Agency podcast
  • engaging with the Department of Health and Aged Care regarding the proposed My Health Record Share by Default project
  • monitoring developments in the My Health Record system and the HI Service.

Part 1: Introduction

Many Australians view their health information as being particularly sensitive. This sensitivity has been recognised in the My Health Records Act and HI Act, which regulate the collection, use and disclosure of information, and give the Information Commissioner a range of enforcement powers. This sensitivity is also recognised in the Privacy Act 1988 (Privacy Act) which treats health information as ‘sensitive information’.

Regulatory work of the OAIC

The Australian Information Commissioner (Information Commissioner) is the independent regulator of the privacy provisions relevant to the My Health Record system and HI Service. In addition to this compliance and enforcement role, the OAIC performs proactive education and guidance functions. In 2023–24, the OAIC’s regulatory work included:

  • regulatory oversight of the My Health Record system, including responding to enquiries and complaints, handling data breach notifications, providing privacy advice and conducting privacy assessments and investigations
  • publishing an updated template for healthcare providers to help them comply with security and access policy requirements under the My Health Records Rule 2016
  • collaborating with the Australian Digital Health Agency to release a podcast to support users of the OAIC’s security and access policy template
  • publishing a new My Health Records data breach notification page, Report a My Health Record Data breach, along with updates to the Guidelines for reporting a data breach under the My Health Records Act
  • providing feedback on revised versions of the My Health Record Guidelines for Residential Aged Care published by the Aged Care Industry Information Technology Council
  • engaging with the Department of Health and Aged Care on proposed amendments to the HI Act and modernising My Health Record through improved sharing of pathology and diagnostic imaging information, as well as proposals for using My Health Record data for research and public health purposes
  • making a submission to the COVID-19 Response Inquiry highlighting our role and making recommendations for future pandemic responses.

Year in review summary

The table below summarises the digital health activities (relating to the My Health Record system and the HI Service) undertaken by the OAIC during the 2023–24 financial year.

Table 1: OAIC My Health Record and HI Service activities 2023–24

| Activity | My Health Record | HI Service |
|---|---|---|
| Telephone enquiries | 21 | 2 |
| Written enquiries | 3 | 0 |
| Complaints[1] received | 13 | 1 |
| Complaints finalised | 8 | 7 |
| Commissioner-initiated investigations finalised | 0 | 0 |
| Regulatory policy advices | 34 | 2 |
| Assessments completed or in progress | 2 | 0 |
| Data breach notifications received | 39 | N/A[2] |
| Data breach notifications finalised | 38 | N/A[3] |
| Media enquiries | 0 | 0 |

Part 2: The OAIC and the My Health Record system

The OAIC performs a range of functions in relation to the My Health Record system. These functions include legislative compliance and regulatory and other activities, such as providing privacy-related advice and developing guidance materials for internal and external stakeholders.

The Information Commissioner has the following roles and responsibilities under the My Health Records Act and the Privacy Act:

  • respond to complaints received relating to the privacy aspects of the My Health Record system, including through preliminary inquiries, conciliation, investigation or deciding not to investigate a complaint
  • investigate, on the Commissioner’s own initiative, acts and practices that may be a contravention of the My Health Records Act in connection with health information contained in a healthcare recipient’s My Health Record or a provision of Part 4 or 5 of the My Health Records Act
  • receive data breach notifications and assist affected entities to deal with data breaches in accordance with the My Health Record legislative requirements
  • investigate failures to notify data breaches
  • exercise, as the Commissioner considers appropriate, a range of enforcement powers available in relation to contraventions of the My Health Records Act or contraventions of the Privacy Act relating to the My Health Record system, including making determinations, accepting enforceable undertakings, seeking injunctions and seeking civil penalties
  • conduct assessments of participants in the system to ensure they are complying with their privacy obligations
  • produce statutory and regulatory guidance for consumers and other participants such as healthcare providers, registered repository operators and the Australian Digital Health Agency
  • maintain guidance for exercising the powers available to the Commissioner in relation to the My Health Record system.

We also respond to enquiries and requests for regulatory policy advice from a broad range of stakeholders about the privacy framework for the My Health Record system and the appropriate handling of My Health Record information. These activities are an important component of the OAIC’s regulatory role under the My Health Record system.

The OAIC liaises with external stakeholders, including professional industry bodies in the health sector, in the course of handling enquiries and providing regulatory policy advice.

Information about the OAIC’s compliance and regulatory activities, as well as our advice, development of guidance materials and liaison with key stakeholders, is provided below.

OAIC compliance and regulatory activities

Complaints and investigations relating to the My Health Record system

The OAIC received 13 complaints about the My Health Record system during 2023-24, which is an increase of 18% on the previous year.[4] We finalised 4 of those 13 complaints, in addition to 3 complaints from 2022-23 and one complaint from 2021-22.

As of 30 June 2024, the OAIC has opened investigations into 2 complaints received from individuals about the My Health Record system, out of the 16 complaints on hand.

During the reporting period, the Australian Information Commissioner (Commissioner) or her delegate made 4 determinations under the Privacy Act following Commissioner-initiated investigations into healthcare provider organisations’ compliance with the My Health Records Act.[5]

Each of those investigations, which were commenced in the previous reporting period, resulted in findings that the relevant healthcare provider organisation contravened Part 5 of the My Health Records Act by failing to have a written policy which met the requirements of Rule 42 of the My Health Records Rule 2016. In 3 of those matters, the Commissioner or her delegate made declarations requiring that the organisation address the deficiencies in its written policy and provide an updated copy to the OAIC. Declarations to that effect were not required in the fourth matter because the organisation had already implemented a written policy which met the requirements of Rule 42.

Assessments relating to the My Health Record system

In 2023-24, the OAIC commenced and completed one assessment of the use of the My Health Record emergency access function by GP clinics and pharmacies. The OAIC also continued one assessment of the Australian Digital Health Agency’s my health mobile health application.

We followed up 20 entities from a 2020-21 My Health Record assessment, finalising 14 of these follow‑ups. The OAIC takes a risk-based approach to following up entities that we have previously assessed, to confirm that they have implemented our recommendations.

Assessment snapshots

My Health Records Emergency Access

In 2023-24, the OAIC commenced and finalised an assessment of the use of the My Health Record emergency access function, which allows health care providers to override access controls to view the My Health Record. We assessed 150 GP clinics and 150 retail pharmacies, examining their governance, use (and potential misuse) of the emergency access function in the My Health Record. The assessment considered the privacy risks related to Australian Privacy Principles (APPs) 1.2 and 11.1.

We conducted the assessment through a survey of the 300 clinics and pharmacies. Upon completion of the survey, assessment respondents received general guidance about their My Health Record emergency access obligations, feedback on potential risks identified in their responses, and guidance for addressing these risks.

Overall, the assessment found that there was a lack of oversight, governance and awareness of the emergency access function in healthcare provider organisations. Areas for improvement include:

  • Identifying misuse – stronger proactive measures are required to identify and address inappropriate access and breaches of the My Health Record system.
  • Training – less than half of the survey respondents train staff about My Health Record emergency access.
  • Intended usage – only a minority of survey respondents indicated that they use the emergency access function for its intended purpose under section 64 of the My Health Records Act.

The assessment identified good privacy practices in that most respondents had at least two measures in place to prevent, identify and address misuse; were aware they were required to report misuse to the OAIC and the Australian Digital Health Agency; and were able to provide authorised reasons for using the function.

You can read the full report on our website.

Assessment of a mobile health application

In 2023-24, the OAIC continued an assessment we commenced in 2022-23 of a mobile application that can be used to access the My Health Record system. This assessment examined how the mobile application handles personal information under APPs 1.2, 1.3, 1.4 and 5. It will be finalised in early 2024–25 and an assessment report will be published on the OAIC website.

Table 2: Assessments relating to the My Health Record system conducted in 2023-24

| Assessment subject | Number of entities assessed | Year opened | Status |
|---|---|---|---|
| Assessment of a mobile health application – APPs 1.2-1.4 and 5 | 1 | 2022-23 | Ongoing |
| My Health Records – Emergency Access function: Assessment of general practice clinics and pharmacies – APPs 1.2 and 11.1 | 300 | 2023–24 | Complete |
| Follow-up of 2020-21 assessment: 20 general practice clinics | 20 | 2023-24 | 14 complete, 6 ongoing |

Data breach notifications

In 2023–24, the OAIC received 39 data breach notifications in relation to the My Health Record system and closed 38 notifications. The increased number of healthcare recipients impacted in this reporting period is attributed to one incident reported.

Table 3: Data breach notifications 2023-2024

| Notifying party | Notified in the period: no. of data breach notifications | Notified in the period: no. of healthcare recipients affected | Notified in the period: no. of affected recipients holding a My Health Record | Closed in the period: no. of data breach notifications | Closed in the period: no. of healthcare recipients affected | Closed in the period: no. of affected recipients holding a My Health Record |
|---|---|---|---|---|---|---|
| Australian Digital Health Agency | 0 | 0 | 0 | 0 | 0 | 0 |
| Services Australia | 1 | 80 | 80 | 1 | 80 | 80 |
| Healthcare provider organisations | 38 | 4192 | 4192 | 37 | 4005 | 4005 |
| Total | 39 | 4272 | 4272 | 38 | 4085 | 4085 |

My Health Record system advice, guidance, liaison and other activities

Advice

My Health Record system enquiries

The OAIC’s enquiries team received 21 telephone enquiries and 3 written enquiries about the My Health Record system during the reporting period.

Regulatory policy advice to stakeholders

During the reporting period, the OAIC provided 34 pieces of regulatory policy advice to various stakeholders related to the My Health Record system. These included:

  • engagement with the Department of Health and Aged Care on the design of the My Health Record Research and Public Health scheme as part of the proof of concept and roadmap
  • providing feedback on revised versions of the My Health Record Guidelines for Residential Aged Care for the Aged Care Industry Information Technology Council
  • engagement with the Department of Health and Aged Care in relation to the My Health Record Share by Default project.

Regulatory policy advice to the Australian Digital Health Agency

The OAIC liaised and coordinated with the Australian Digital Health Agency on privacy-related matters relating to the My Health Record system. During the reporting period, this included:

  • reviewing and providing feedback on guidance to assist sole traders in developing a security and access policy
  • reviewing and providing feedback on the MHR notifiable data breach form
  • meeting to discuss the National Digital Health Strategy and roadmap.

Guidance

For health service providers

The OAIC’s guidance focus in 2023-24 was publishing a new My Health Records data breach notification page, Report a My Health Record Data breach, along with minor updates to the Guidelines for reporting a data breach under the My Health Records Act.

When a reporting entity, such as a healthcare provider, becomes aware that a My Health Record data breach has (or may have) occurred, they must notify the System Operator (the Australian Digital Health Agency) and the OAIC, unless they are a state or territory body. State or territory bodies must report a My Health Record data breach to their state/territory System Operator.

A reporting entity must make a My Health Record data breach notification if it becomes aware that:

  • a person has, or may have, contravened the My Health Records Act in a manner involving an unauthorised collection, use or disclosure of health information included in a healthcare recipient’s My Health Record; or
  • an event has, or may have, occurred (whether or not involving a contravention of the My Health Records Act) that compromises, may compromise, has compromised or may have compromised, the security or integrity of the My Health Record system; or
  • circumstances have, or may have, arisen (whether or not involving a contravention of the My Health Records Act) that compromise, may compromise, have compromised or may have compromised, the security or integrity of the My Health Record system.

The contravention, event or circumstances must either have directly involved, may have involved or may involve the entity reporting the My Health Record data breach.

After monitoring the use of the security and access policy template, the OAIC published an updated version in July 2023 that improves its design and usability.

To further raise awareness of the role of security and access policies and provide practical guidance on how healthcare provider organisations should develop their policies, the OAIC took part in an Australian Digital Health Agency podcast alongside health professionals with experience in connecting the MHR system.

For consumers

The OAIC website features a dedicated health information privacy section for individuals, including privacy advice for the My Health Record system. My Health Record privacy advice is also highlighted through a dedicated section of our website which features FAQs, a video and information on how to make a complaint.

Liaison

Liaison with the Australian Digital Health Agency

The OAIC liaised regularly with the Australian Digital Health Agency to discuss privacy matters relating to the My Health Record system and guidance projects.

Other activities

Monitoring developments in digital health and the My Health Record system

The OAIC actively monitors developments in digital health to inform its regulatory role. During the reporting period, staff:

  • attended the AI+ Care Conference in November 2023. The conference was organised by the Australasian Institute of Digital Health and focused on delivering health care digitally in the age of artificial intelligence
  • reviewed the Productivity Commission’s research paper on leveraging digital technology in healthcare released in May 2024
  • attended a privacy impact assessment consultation session in November 2023 led by the Australian Bureau of Statistics (ABS) on the expanded health data linkage to the Person-Level Integrated Data Asset (PLIDA) – formerly known as the Multi-Agency Data Integration Project (MADIP)
  • met with stakeholders to discuss development of AI tools for use in the healthcare industry, including potential compatibility with the My Health Record system in April 2024
  • attended the second Asia Pacific Privacy Enhancing Technologies (PETs) community call in July 2023 to monitor potential applications of PETs for digital health.

Presentations

  • The OAIC was on the panel for a webinar hosted by MIGA focused on privacy law in healthcare on 13 March 2024, covering key concepts in health privacy law, and intersection with the My Health Record system.
  • The OAIC was on the panel for an Australian Digital Health Agency podcast alongside health professionals on the topic of My Health Record security and access policies, and why healthcare provider organisations are required to have one to connect to My Health Record, published on 4 April 2024.

Submissions

  • The OAIC provided a submission to the Commonwealth Government COVID-19 Response Inquiry on 8 January 2024. The submission highlighted our role during the pandemic and made recommendations for future pandemic responses. In relation to digital health, we worked collaboratively with the Australian Government to establish appropriate privacy safeguards and oversight for the COVIDSafe app, assess and mitigate privacy risks during the rollout of the COVID-19 vaccination program and digital vaccination certificates, and published clear guidance on the importance of secure handling of vaccination information.

Part 3: OAIC and the Healthcare Identifiers Service

The OAIC performs a range of functions in relation to the HI Service. This includes handling complaints and enquiries and monitoring developments to support informed guidance and advice about privacy aspects of the HI Service in the broader digital health context.

The OAIC is the independent regulator of the privacy aspects of the Healthcare Identifiers Act 2010 (HI Act) and the Healthcare Identifiers Regulations 2020.

The HI Act implements a national system for assigning unique identifiers to individuals, healthcare providers, and healthcare provider organisations. The identifiers are assigned and administered through the HI Service, currently operated by the Chief Executive of Medicare.

The HI Service is a foundation service for a range of digital health initiatives in Australia, particularly the My Health Record system. Under the My Health Record system, healthcare identifiers:

  • are used to identify healthcare recipients who register for a My Health Record
  • enable the Australian Digital Health Agency to authenticate the identity of all individuals who access a My Health Record and record activity through the audit trail
  • help ensure the correct health information is associated with the correct healthcare recipient’s My Health Record.

There are three types of healthcare identifiers issued by the HI Service, namely:

  • Individual Healthcare Identifiers (IHI) — for individuals receiving healthcare in Australia
  • Healthcare Provider Identifier – Individual (HPI-I) — for individual healthcare providers, such as GPs, allied health professionals, nurses, dentists and pharmacists
  • Healthcare Provider Identifier – Organisation (HPI-O) — for organisations delivering healthcare, such as hospitals and general practices.

The HI Act imposes a high standard of privacy on healthcare identifiers, and they may only be accessed, used and disclosed for limited purposes.

Registration with the HI Service is a prerequisite for a healthcare provider organisation to be registered for the My Health Record system.

The Information Commissioner has the following roles and responsibilities under HI Act and the Privacy Act:

  • respond to complaints received relating to the privacy aspects of the HI Service, including through preliminary inquiries, conciliation, investigation or deciding not to investigate a complaint
  • investigate, on the Commissioner’s own initiative, acts and practices that may be a misuse of healthcare identifiers
  • receive data breach notifications and respond as appropriate
  • conduct assessments
  • provide a range of regulatory policy advice and guidance material.

OAIC compliance and regulatory activities

Complaints and investigations relating to the Healthcare Identifiers Service

The OAIC received one complaint about healthcare identifiers in 2023-24, which is down 75% on the previous year.[6] We finalised the complaint, as well as another 6 complaints from the previous year.

All of the complaints were finalised without requiring a formal investigation.

The OAIC did not commence or finalise any investigations about the Healthcare Identifiers Service during the reporting period. As of 30 June 2024, there were no open investigations.

HI Service advice, guidance, liaison and other activities

Advice

HI Service enquiries

The OAIC’s enquiries team received 2 phone enquiries and no written enquiries about the handling of healthcare identifiers during the reporting period.

Regulatory policy advice to stakeholders

In relation to the HI Service, the OAIC provided 2 pieces of regulatory policy advice during the reporting period:

  • providing advice to the Department of Health and Aged Care about the potential privacy risks of the HI Framework Project
  • meeting with the Australian Medical Association regarding the HI Framework Project.

Other activities

Monitoring developments in digital health and the Healthcare Identifiers Service

The OAIC monitors developments in digital health to ensure the OAIC is positioned to offer informed advice about privacy aspects of the HI Service in the broader digital health context. During the reporting period the OAIC:

  • monitored developments relating to digital health and the HI Service through news and digital health websites
  • as outlined above, in relation to the My Health Record system, attended various forums and conferences related to digital health which considered the HI Service in the broader digital health context.

Elizabeth Tydd
Information Commissioner
23 September 2024

Carly Kind
Privacy Commissioner
24 September 2024


[1] A complaint may cover more than one issue.

[2] [3] N/A is listed for data breach notifications for the HI Service because there are no mandatory data breach reporting requirements under the Healthcare Identifiers Act.

[4] This percentage is based on there being 11 My Health Record complaints in 2022-23. Ten were listed in last year’s report. The difference is due to reclassification.

[5] Section 73 of the My Health Records Act provides that an act or practice which contravenes a provision of Part 4 or 5 of the My Health Records Act is taken to be an interference with the privacy of a healthcare recipient for the purposes of the Privacy Act. The Commissioner is empowered, under s 73(3)(a) of the My Health Records Act, to investigate such an act or practice. Section 40(2) of the Privacy Act empowers the Commissioner to commence an investigation on her own initiative.

[6] This percentage is based on there being 4 HI Service complaints in 2022-23. Five were listed in last year’s report. The difference is due to reclassification.