Healthcare providers can obtain emergency access to a patient’s My Health Record in certain circumstances. The Office of the Australian information Commissioner (OAIC) has recently published Guidelines and Flowcharts to assist healthcare providers to understand when they can use the emergency access function.

The emergency access function enables healthcare providers to override a patient’s access controls and view key health information when they reasonably believe access is necessary:

1. to ‘lessen or prevent a serious threat to an individual’s life, health or safety’ and it is ‘unreasonable or impracticable to obtain the patient’s consent. A ‘serious threat’ is one that poses a ‘significant danger’ to an individual’s physical or mental health and safety or the safety of another person; or
2. to ‘lessen or prevent a serious threat to public health or safety’.¹ This includes the potential spread of a communicable disease, including COVID-19.

The emergency access function enables healthcare providers to view a patient’s My Health Record, including any restricted information or documents (except for deleted information, hidden documents and personal health notes). It is worth noting that many patients do not have access controls in place.

The Australian Digital Health Agency (ADHA) is automatically notified each time the emergency access function is used.² It is vital healthcare providers maintain accurate records outlining the circumstances that prompted their use of the emergency access function. The ADHA may request this information at any time.

Unauthorised use of the emergency access function, including by mistake, may amount to a Notifiable Data Breach. Penalties may apply.³ In the case of unauthorised access, the accessing party will need to immediately contain the breach, evaluate any risks associated with the breach, notify the ADHA and the OAIC and take steps to prevent and mitigate any further breaches. If you suspect a Notifiable Data Breach has occurred at your place of practice, whether to do with the use of the My Health Record or otherwise, we recommend you seek legal advice immediately.

If you would like more information about your privacy obligations or the My Health Record system, please contact Karen Keogh or Chelsea Gordon.

This article was written by Karen Keogh, Partner and Chelsea Gordon, Associate.

¹See sections 64(1) and 64(2) of the My Health Records Act 2012
²See section 74 of the My Health Records Act 2012
³See section 75 of the My Health Records Act 2012