Commonwealth: My Health Records Act 2012 (Cth)

My Health Records Act 2012 No. 63, 2012 Compilation No. 15 Compilation date: 15 February 2025 Includes amendments: Act No. 8, 2025 About this compilation This compilation This is a compilation of the My Health Records Act 2012 that shows the text of the law as amended and in force on 15 February 2025 (the compilation date). The notes at the end of this compilation (the endnotes) include information about amending laws and the amendment history of provisions of the compiled law. Uncommenced amendments The effect of uncommenced amendments is not shown in the text of the compiled law. Any uncommenced amendments affecting the law are accessible on the Register (www.legislation.gov.au). The details of amendments made up to, but not commenced at, the compilation date are underlined in the endnotes. For more information on any uncommenced amendments, see the Register for the compiled law. Application, saving and transitional provisions for provisions and amendments If the operation of a provision or amendment of the compiled law is affected by an application, saving or transitional provision that is not included in this compilation, details are included in the endnotes. Editorial changes For more information about any editorial changes made in this compilation, see the endnotes. Modifications If the compiled law is modified by another law, the compiled law operates as modified but the modification does not amend the text of the law. Accordingly, this compilation does not show the text of the compiled law as modified. For more information on any modifications, see the Register for the compiled law. Self‑repealing provisions If a provision of the compiled law has been repealed in accordance with a provision of the law, details are included in the endnotes. Contents Part 1—Preliminary 1 Short title 2 Commencement 3 Object of Act 4 Simplified outline of this Act 4A Schedule 1 5 Definitions 6 Definition of authorised representative of a healthcare recipient 7 Definition of nominated representative of a healthcare recipient 7A Duties of authorised representative or nominated representative 8 Things done etc. under provisions of other Acts 9 Definition of identifying information 10 Definition of shared health summary 10A Sharing information with the My Health Record system 10B When an upload exception applies 10C When an application is finally determined 11 Act to bind the Crown 12 Concurrent operation of State laws 13 External Territories 13A System Operator may arrange for use of computer programs to make decisions 13B System Operator may use electronic communications Part 2—The System Operator and the functions of the Chief Executive Medicare Division 1—System Operator 14 Identity of the System Operator 15 Functions of the System Operator 16 Research or public health purposes 17 Retention and destruction of records uploaded to National Repositories Service Division 4—Functions of Chief Executive Medicare 38 Registered repository operator Part 3—Registration Division 1—Registering healthcare recipients 39 Healthcare recipients may apply for registration 40 When a healthcare recipient is eligible for registration 41 Registration of a healthcare recipient by the System Operator Division 1A—Healthcare provider organisations that are required to be registered 41A Prescribed healthcare provider organisations must be registered 41B System Operator may approve a period during which registration is not required Division 2—Registering healthcare provider organisations 42 Healthcare provider organisation may apply for registration 43 When a healthcare provider organisation is eligible for registration 44 Registration of a healthcare provider organisation 45 Condition of registration—uploading of records, etc. 45A Condition of registration—handling old records that are works subject to copyright 45B Condition of registration—handling old sound recordings and cinematograph films that are subject to copyright 45C Liability where work uploaded in breach of section 45A or 45B 46 Condition of registration—non‑discrimination in providing healthcare to a healthcare recipient who does not have a My Health Record etc. Division 3—Registering repository operators, portal operators and contracted service providers 47 Persons may apply for registration as a repository operator, a portal operator or a contracted service provider 48 When a person is eligible for registration as a repository operator, a portal operator or a contracted service provider 49 Registration of a repository operator, a portal operator or a contracted service provider 50 Condition about provision of information to System Operator 50A Condition of registration—handling old records that are works subject to copyright 50B Condition of registration—handling old sound recordings and cinematograph films that are subject to copyright 50C Liability where work uploaded in breach of section 50A or 50B 50D Authorisation to make health information available to the System Operator Division 4—Cancellation, suspension and variation of registration 51 Cancellation or suspension of registration 52 Variation of registration 53 Notice of cancellation, suspension or variation of registration etc. 54 Effect of suspension 55 My Health Records Rules may specify requirements after registration is cancelled or suspended Division 5—The Register 56 The Register 57 Entries to be made in Register Division 6—Collection, use and disclosure of information for the purposes of the My Health Record System 58 Collection, use and disclosure of health information by the System Operator 58A Collection, use and disclosure of healthcare identifiers, identifying information and information identifying authorised representatives and nominated representatives Part 4—Collection, use and disclosure of health information included in a healthcare recipient's My Health Record Division 1—Unauthorised collection, use and disclosure of health information included in a healthcare recipient's My Health Record 59 Unauthorised collection, use and disclosure of health information included in a healthcare recipient's My Health Record 59A Unauthorised use of information included in a healthcare recipient's My Health Record for prohibited purpose 60 Secondary disclosure Division 2—Authorised collection, use and disclosure Subdivision A—Collection, use and disclosure in accordance with access controls 61 Collection, use and disclosure for providing healthcare 62 Collection, use and disclosure to nominated representative Subdivision B—Collection, use and disclosure other than in accordance with access controls 63 Collection, use and disclosure for management of My Health Record system 64 Collection, use and disclosure in the case of a serious threat 65 Collection, use and disclosure authorised by law 66 Collection, use and disclosure with healthcare recipient's consent 67 Collection, use and disclosure by a healthcare recipient 68 Collection, use and disclosure for indemnity cover 69 Disclosure to courts and tribunals 69A Disclosure to designated entity under order by judicial officer 69B Judicial officers for orders under section 69A 70 Disclosure in relation to unlawful activity 70AA Collection, use and disclosure in relation to compliance with share by default provisions Subdivision C—Unauthorised use of information included in a healthcare recipient's My Health Record for prohibited purpose 70A Definition of prohibited purpose 70B Use for prohibited purpose is unauthorised Division 3—Prohibitions and authorisations limited to My Health Record system 71 Prohibitions and authorisations limited to health information collected by using the My Health Record system Division 3A—Offences and penalties in relation to use of My Health Record‑derived information for prohibited purpose 71AA Definitions 71A Offence for use of My Health Record‑derived information for prohibited purpose 71B Civil penalty for use of My Health Record‑derived information for prohibited purpose Division 4—Interaction with the Privacy Act 1988 72 Interaction with the Privacy Act 1988 73 Contravention of this Act is an interference with privacy 73A Information Commissioner may disclose details of investigations to System Operator 73B Obligations of System Operator in relation to correction, etc. Division 5—Authorised collection, use and disclosure for compliance purposes 73C Collection, use and disclosure of health information in relation to compliance with share by default provisions 73D Collection, use and disclosure of healthcare identifiers and identifying information in relation to compliance with share by default provisions Part 5—Other offences and civil penalty provisions 74 Registered healthcare provider organisations must ensure certain information is given to System Operator 75 Data breaches 76 Requirement to notify if cease to be eligible to be registered 76A Requirement to notify if healthcare provider organisation ceases to be able to meet conditions on registration 77 Requirement not to hold or take records outside Australia 77A Enforceable requirements in My Health Records Rules must not be contravened: offence 78 My Health Records Rules must not be contravened: civil penalty 78A Some information must be shared with the My Health Record system unless exception applies 78B System Operator may approve a period during which sharing with the My Health Record system is not required 78C Record keeping requirements in relation to sharing information with the My Health Record system 78D Prescribed healthcare provider organisations must display notice when not sharing information with the My Health Record system Part 6—Enforcement Division 1—Civil penalties 79 Civil penalty provisions Division 1A—Infringement notices 79A Infringement notices Division 2—Enforceable undertakings 80 Enforceable undertakings Division 3—Injunctions 81 Injunctions Part 7—Data Governance Board Division 1—Establishment and functions 82 Data Governance Board 83 Functions of the Board Division 2—Membership 84 Membership 85 Appointment of members 86 Qualifications and experience 87 Acting appointments 88 Term of appointment and other terms and conditions 89 Remuneration 90 Resignation 91 Termination of appointment 92 Leave of absence 93 Other paid work Division 3—Meetings of the Data Governance Board 94 Convening meetings 95 Presiding at meetings 96 Quorum 96A Voting at meetings 96B Conduct of meetings 96C Minutes 96D Decisions without meetings Division 4—Other matters relating to the Data Governance Board 96E Relationship between System Operator and Data Governance Board in relation to data for research or public health purposes 96F Board committees 96G Delegation of functions 96H Annual report 96J Board is part of the Department Part 8—Other matters Division 1—Review of decisions 97 Review of decisions Division 2—Delegations 98 Delegations by the System Operator Division 3—Authorisations of entities also cover employees 99 Authorisations extend to employees etc. Division 4—Treatment of certain entities 100 Treatment of partnerships 101 Treatment of unincorporated associations 102 Treatment of trusts with multiple trustees 104 Division does not apply to Division 3 of Part 3 Division 5—Alternative constitutional bases 105 Alternative constitutional bases Division 6—Annual reports and review of Act 106 Annual reports by Information Commissioner 107 Annual reports by the System Operator 108 Review of the operation of the Act Division 7—My Health Records Rules, regulations and other instruments 109 Minister may make My Health Records Rules 109A My Health Records Rules relating to data for research or public health purposes 110 Minister may determine a law of a State or Territory to be a designated privacy law 111 Guidelines relating to the Information Commissioner's enforcement powers etc. 112 Regulations Schedule 1—My Health Records for all healthcare recipients Part 1—Opt‑out model for the participation of healthcare recipients in the My Health Record system 1 Trial of opt‑out model 2 Minister may apply the opt‑out model to all healthcare recipients after trial Part 2—Registering all healthcare recipients Division 1—Registering healthcare recipients 3 Registration of a healthcare recipient by the System Operator 4 When a healthcare recipient is eligible for registration 5 Healthcare recipient elects not to be registered 6 Healthcare recipients may apply for registration Division 2—Information sharing for the purposes of the opt‑out system 7 Collection, use and disclosure of health information by the System Operator 8 Collection, use and disclosure of healthcare identifiers, identifying information and information identifying authorised representatives and nominated representatives Division 3—Handling health information for the purposes of a healthcare recipient's My Health Record Subdivision A—Healthcare provider to upload health information 9 Authorisation for healthcare provider to upload health information Subdivision B—Functions of the Chief Executive Medicare 10 Registered repository operator 11 Uploading health information to the repository 12 Making health information available to the System Operator 13 Healthcare recipient may elect not to have health information disclosed to the System Operator 14 Health information uploaded or made available may include details of healthcare providers 15 Way in which repository operated not limited by this Division Subdivision C—Other registered repository operators 16 Making health information available to the System Operator Part 3—Other consequences of applying the opt‑out rules 17 References to other provisions of this Act Endnotes Endnote 1—About the endnotes Endnote 2—Abbreviation key Endnote 3—Legislation history Endnote 4—Amendment history An Act to provide for a system of access to electronic health records, and for related purposes Part 1—Preliminary 1 Short title This Act may be cited as the My Health Records Act 2012. 2 Commencement (1) Each provision of this Act specified in column 1 of the table commences, or is taken to have commenced, in accordance with column 2 of the table. Any other statement in column 2 has effect according to its terms. Commencement information Column 1 Column 2 Column 3 Provision(s) Commencement Date/Details 1. Sections 1 and 2 and anything in this Act not elsewhere covered by this table The day this Act receives the Royal Assent. 26 June 2012 2. Sections 3 to 112 A day or days to be fixed by Proclamation. 29 June 2012 However, if any of the provision(s) do not commence by the later of: (see F2012L01395) (a) 1 July 2012; and (b) the day this Act receives the Royal Assent; they commence on the day after the later of those days. Note: This table relates only to the provisions of this Act as originally enacted. It will not be amended to deal with any later amendments of this Act. (2) Any information in column 3 of the table is not part of this Act. Information may be inserted in this column, or information in it may be edited, in any published version of this Act. 3 Object of Act The object of this Act is to enable the establishment and operation of a national public system for the provision of access to health information relating to recipients of healthcare that is voluntary for those recipients, to: (a) help overcome the fragmentation of health information; and (b) improve the availability and quality of health information; and (c) reduce the occurrence of adverse medical events and the duplication of treatment; and (d) improve the coordination and quality of healthcare provided to healthcare recipients by different healthcare providers. 4 Simplified outline of this Act The My Health Record system is a national public system for making health information about a healthcare recipient available for the purposes of providing healthcare to the recipient. A healthcare recipient will have a My Health Record if the recipient registers in the My Health Record system. The Minister may, however, provide that the opt‑out model is to apply under My Health Records Rules made under Schedule 1. A healthcare recipient covered by those Rules will be registered in the My Health Record system, and have a My Health Record, unless the recipient elects to opt‑out of the system. The My Health Record system is operated by the System Operator. The System Operator operates the National Repositories Service, that stores key records that form part of a healthcare recipient's My Health Record. Other records are stored by registered repository operators. Together these records make up a healthcare recipient's My Health Record. If a healthcare recipient is registered in the My Health Record system, a healthcare provider may (or, in some circumstances, must) upload health information about the recipient to the My Health Record system, unless the record is one which the healthcare recipient has advised the healthcare provider not to upload or the record is not to be uploaded under prescribed laws of a State or Territory. Health information may be collected, used and disclosed from a healthcare recipient's My Health Record for the purpose of providing healthcare to the recipient, subject to any access controls set by the recipient (or if none are set, default access controls). There are other limited circumstances in which health information may be collected, used or disclosed from a My Health Record. Criminal and civil penalties apply if a person collects, uses or discloses information from a My Health Record without authorisation. Enforceable undertakings and injunctions are also available to enforce the provisions of this Act. An authorisation to collect, use or disclose information under this Act is also an authorisation to do so for the purposes of the Privacy Act 1988. A contravention of this Act is also an interference with privacy for the purposes of the Privacy Act 1988, and so can be investigated under that Act. 4A Schedule 1 Schedule 1 has effect. Note: Schedule 1 deals with the opt‑out model for registering healthcare recipients in the My Health Record system. 5 Definitions In this Act: approved form means a form approved by the System Operator, in writing, for the purposes of the provision in which the expression occurs. approved registered repository operator means a healthcare provider organisation that: (a) is a registered repository operator; and (b) satisfies the requirements (if any) specified in the My Health Records Rules. Australia, when used in a geographical sense, includes the external Territories. authorised representative of a healthcare recipient has the meaning given by section 6. Chief Executive Medicare has the same meaning as in the Human Services (Medicare) Act 1973. cinematograph film has the same meaning as in the Copyright Act 1968. civil penalty provision has the same meaning as in the Regulatory Powers Act. contracted service provider of a healthcare provider organisation means an entity that provides: (a) information technology services relating to the My Health Record system; or (b) health information management services relating to the My Health Record system; to the healthcare provider organisation under a contract with the healthcare provider organisation. data custodian means the Australian Institute of Health and Welfare. date of birth accuracy indicator means a data element that is used to indicate how accurate a recorded date of birth is. date of death accuracy indicator means a data element that is used to indicate how accurate a recorded date of death is. Defence Department means the Department that: (a) deals with matters arising under section 1 of the Defence Act 1903; and (b) is administered by the Minister who administers that section. designated privacy law means a law determined under section 110 to be a designated privacy law. employee of an entity includes the following: (a) an individual who provides services for the entity under a contract for services; (b) an individual whose services are made available to the entity (including services made available free of charge). entity means: (a) a person; or (b) a partnership; or (c) any other unincorporated association or body; or (d) a trust; or (e) a part of an entity (under a previous application of this definition). finally determined: see section 10C. genetic relative of an individual (the first individual) means another individual who is related to the first individual by blood, including a sibling, a parent or a descendant of the first individual. healthcare means health service within the meaning of subsection 6(1) of the Privacy Act 1988. healthcare provider means: (a) an individual healthcare provider; or (b) a healthcare provider organisation. healthcare provider organisation means an entity that has conducted, conducts, or will conduct, an enterprise that provides healthcare (including healthcare provided free of charge). Note: Because of paragraph (e) of the definition of entity, a healthcare provider organisation could be a part of an entity. healthcare recipient means an individual who has received, receives, or may receive, healthcare. healthcare recipient‑only notes, in relation to a healthcare recipient, means health information included by the healthcare recipient in his or her My Health Record and described in the My Health Record system as healthcare recipient‑only notes (whether using that expression or an equivalent expression). Health Chief Executives Forum means a body (however described) that consists of: (a) the Secretary of the Department; and (b) each head (however described) of the Health Department of a State or Territory. Health Department of a State or Territory means a Department of state that: (a) deals with matters relating to health; and (b) is administered by the State/Territory Health Minister of the State or Territory. health information has the meaning given by subsection 6(1) of the Privacy Act 1988. identifying information has the meaning given by section 9. index service means the index service maintained by the System Operator for the purposes of the My Health Record system, as mentioned in paragraph 15(a). individual healthcare provider means an individual who: (a) has provided, provides, or is to provide, healthcare; or (b) is registered by a registration authority as a member of a particular health profession. Ministerial Council means a body (however described) that consists of the Minister of the Commonwealth, and the Minister of each State and Territory, who is responsible, or principally responsible, for matters relating to health. My Health Record of a healthcare recipient means the record of information that is created and maintained by the System Operator in relation to the healthcare recipient, and information that can be obtained by means of that record, including the following: (a) information included in the entry in the Register that relates to the healthcare recipient; (b) health information connected in the My Health Record system to the healthcare recipient (including information included in a record accessible through the index service); (c) other information connected in the My Health Record system to the healthcare recipient, such as information relating to auditing access to the record; (d) back‑up records of such information. My Health Records Rules has the meaning given by section 109. My Health Record system means a system: (a) that is for: (i) the collection, use and disclosure of information from many sources using telecommunications services and by other means, and the holding of that information, in accordance with the healthcare recipient's wishes or in circumstances specified in this Act; and (ii) the assembly of that information using telecommunications services and by other means so far is it is relevant to a particular healthcare recipient, so that it can be made available, in accordance with the healthcare recipient's wishes or in circumstances specified in this Act, to facilitate the provision of healthcare to the healthcare recipient or for purposes specified in this Act; and (b) that involves the performance of functions under this Act by the System Operator. National Law means: (a) for a State or Territory other than Western Australia—the Health Practitioner Regulation National Law set out in the Schedule to the Health Practitioner Regulation National Law Act 2009 of Queensland, as it applies (with or without modification) as a law of the State or Territory; or (b) for Western Australia—the Health Practitioner Regulation National Law (WA) Act 2010 of Western Australia, so far as that Act corresponds to the Health Practitioner Regulation National Law set out in the Schedule to the Health Practitioner Regulation National Law Act 2009 of Queensland. National Repositories Service means the service referred to in paragraph 15(i). nominated healthcare provider: a healthcare provider is the nominated healthcare provider of a healthcare recipient if: (a) an agreement is in force between the healthcare provider and the healthcare recipient that the healthcare provider is the healthcare recipient's nominated healthcare provider for the purposes of this Act; and (b) a healthcare identifier has been assigned to the healthcare provider under paragraph 9(1)(a) of the Healthcare Identifiers Act 2010; and (c) the healthcare provider is an individual registered by a registration authority as one of the following: (i) a medical practitioner within the meaning of the National Law; (ii) a registered nurse within the meaning of the National Law; (iii) an Aboriginal health practitioner, a Torres Strait Islander health practitioner or an Aboriginal and Torres Strait Islander health practitioner within the meaning of the National Law who is included in a class prescribed by the regulations for the purposes of this subparagraph; (iv) an individual, or an individual included in a class, prescribed by the regulations for the purposes of this subparagraph. nominated representative of a healthcare recipient has the meaning given by section 7. parental responsibility: a person has parental responsibility for a healthcare recipient (the child) if, and only if: (a) the person: (i) is the child's parent (including a person who is presumed to be the child's parent because of a presumption (other than in section 69Q) in Subdivision D of Division 12 of Part VII of the Family Law Act 1975); and (ii) has not ceased to have parental responsibility for the child because of an order made under the Family Law Act 1975 or a law of a State or Territory; or (b) under a parenting order (within the meaning of the Family Law Act 1975): (i) the child is to live with the person; or (ii) the child is to spend time with the person; or (iii) the person is responsible for the child's long‑term or day‑to‑day care, welfare and development; or (c) the person is entitled to guardianship or custody of, or access to, the child under a law of the Commonwealth, a State or a Territory. Note: The presumptions in the Family Law Act 1975 include a presumption arising from a court finding that a person is the child's parent, and a presumption arising from a man executing an instrument under law acknowledging that he is the father of the child. participant in the My Health Record system means any of the following: (a) the System Operator; (b) a registered healthcare provider organisation; (c) the operator of the National Repositories Service; (d) a registered repository operator; (e) a registered portal operator; (f) a registered contracted service provider, so far as the contracted service provider provides services to a registered healthcare provider. personal information has the same meaning as in the Privacy Act 1988. prescribed healthcare provider organisation means a healthcare provider organisation that is: (a) a corporation to which paragraph 51(xx) of the Constitution applies; and (b) of a kind specified in the My Health Records Rules. prohibited purpose has the meaning given by section 70A. record includes a database, register, file or document that contains information in any form (including in electronic form). Register has the meaning given by section 56. registered contracted service provider means a contracted service provider that is registered under section 49. registered healthcare provider organisation means a healthcare provider organisation that is registered under section 44. registered healthcare recipient means a healthcare recipient who is registered under section 41. registered portal operator means a person that: (a) is the operator of an electronic interface that facilitates access to the My Health Record system; and (b) is registered as a portal operator under section 49. registered repository operator means a person that: (a) holds, or can hold, records of information included in My Health Records for the purposes of the My Health Record system; and (b) is registered as a repository operator under section 49. registration authority means an entity that is responsible under a law for registering members of a particular health profession. Regulatory Powers Act means the Regulatory Powers (Standard Provisions) Act 2014. share by default provision: each of the following is a share by default provision: (a) section 41A (prescribed healthcare provider organisations must be registered); (b) section 78A (some information must be shared with the My Health Record system unless exception applies); (c) section 78C (record keeping requirements in relation to sharing information with the My Health Record system); (d) section 78D (prescribed healthcare provider organisations must display notice when not sharing information with the My Health Record system); (e) section 19AD (medicare benefits not payable in respect of certain professional services) of the Health Insurance Act 1973; (f) section 19AF (record keeping requirement) of the Health Insurance Act 1973; (g) section 19AG (advance payment before information is shared with the My Health Record system) of the Health Insurance Act 1973; (h) section 19AH (recovery of payments) of the Health Insurance Act 1973. shared health summary has the meaning given by section 10. shares with the My Health Record system: see section 10A. sound recording has the same meaning as in the Copyright Act 1968. State or Territory authority has the same meaning as in the Privacy Act 1988. State/Territory Health Minister means: (a) the Minister of a State; or (b) the Minister of the Australian Capital Territory; or (c) the Minister of the Northern Territory; who is responsible, or principally responsible, for the administration of matters relating to health in the State or Territory, as the case may be. System Operator has the meaning given by section 14. this Act includes: (a) regulations made under this Act; and (b) the My Health Records Rules. upload exception applies: see section 10B. use health information included in a healthcare recipient's My Health Record includes the following: (a) access the information; (b) view the information; (c) modify the information; (d) delete the information. Veterans' Affairs Department means the Department that: (a) deals with matters arising under section 1 of the Veterans' Entitlements Act 1986; and (b) is administered by the Minister who administers that section. Veterans' Affairs Department file number means a number allocated to a healthcare recipient by the Veterans' Affairs Department. work has the same meaning as in the Copyright Act 1968. 6 Definition of authorised representative of a healthcare recipient Healthcare recipients aged under 14 (1) For the purposes of this Act, each person who the System Operator is satisfied has parental responsibility for a healthcare recipient aged under 14 is the authorised representative of the healthcare recipient. (1A) Despite subsection (1), a person who has parental responsibility for a healthcare recipient aged under 18 is not the authorised representative of the healthcare recipient if the System Operator is satisfied that: (a) under a court order or a law of the Commonwealth or a State or Territory, the person must be supervised while spending time with the healthcare recipient; or (b) the life, health or safety of the healthcare recipient or another person would be put at risk if the person were the authorised representative of the healthcare recipient. (2) If there is no person who the System Operator is satisfied has parental responsibility for a healthcare recipient aged under 14, or the only such persons are covered by subsection (1A), the authorised representative of the healthcare recipient is: (a) a person who the System Operator is satisfied is authorised to act on behalf of the healthcare recipient for the purposes of this Act under the law of the Commonwealth or a State or Territory, or a decision of an Australian court or tribunal; or (b) if there is no such person—a person: (i) who the System Operator is satisfied is otherwise an appropriate person to be the authorised representative of the healthcare recipient; or (ii) who is prescribed by the regulations for the purposes of this paragraph. Healthcare recipients aged between 14 and 17 (3) For the purposes of this Act, a person is the authorised representative of a healthcare recipient aged between 14 and 17 years if the healthcare recipient, by written notice given to the System Operator in the approved form, nominates the person to be his or her authorised representative. Healthcare recipients aged at least 18 (4) For the purposes of this Act, if the System Operator is satisfied that a healthcare recipient aged at least 18 is not capable of making decisions for himself or herself, the authorised representative of the healthcare recipient is: (a) a person who the System Operator is satisfied is authorised to act on behalf of the healthcare recipient under the law of the Commonwealth or a State or Territory or a decision of an Australian court or tribunal; or (b) if there is no such person—a person: (i) who the System Operator is satisfied is otherwise an appropriate person to be the authorised representative of the healthcare recipient; or (ii) who is prescribed by the regulations for the purposes of this paragraph. (5) An authorisation referred to in paragraph (2)(a) or (4)(a) may be conferred by specific reference to the purposes of this Act, or conferred by words of general authorisation that are broad enough to cover that purpose. (6) A person cannot be the authorised representative of a healthcare recipient unless: (a) a healthcare identifier has been assigned to the person under paragraph 9(1)(b) of the Healthcare Identifiers Act 2010; or (b) the My Health Records Rules provide that a healthcare identifier is not required to have been so assigned. Effect of being an authorised representative (7) At a time when a healthcare recipient has an authorised representative: (a) the authorised representative is entitled to do any thing that this Act authorises or requires the healthcare recipient to do; and (b) the healthcare recipient is not entitled to do any thing that this Act would, apart from this subsection, authorise or require the healthcare recipient to do; and (c) this Act has effect for all purposes, in relation to a thing done by an authorised representative, as if the healthcare recipient had done the thing. (8) At a time when a healthcare recipient has one or more authorised representatives, any thing that this Act authorises or requires to be done in relation to the healthcare recipient is to be done in relation to at least one of the healthcare recipient's authorised representatives. This Act has effect for all purposes as if the thing had been done in relation to the healthcare recipient. 7 Definition of nominated representative of a healthcare recipient (1) For the purposes of this Act, an individual is the nominated representative of a healthcare recipient if: (a) an agreement is in force between the individual and the healthcare recipient that the individual is the healthcare recipient's nominated representative for the purposes of this Act; and (b) the healthcare recipient has notified the System Operator that the individual is his or her nominated representative. Effect of being a nominated representative (2) At a time when a healthcare recipient has a nominated representative: (a) the nominated representative is entitled to do any thing that this Act authorises or requires the healthcare recipient to do, subject to any limitations: (i) to which the healthcare recipient's agreement is subject; and (ii) that have been notified to the System Operator by the healthcare recipient; and (b) this Act has effect for all purposes, in relation to a thing done by a nominated representative, as if the healthcare recipient had done the thing, subject to any modifications prescribed by the regulations. Note: Despite this subsection, a nominated representative must not use information for a prohibited purpose within the meaning of section 70A (even though a healthcare recipient may do so): see subsections 59A(2), 70B(2), 71A(4) and 71B(3). (3) Despite subsection (2), the System Operator must not permit a nominated representative of a healthcare recipient to set access controls in relation to the healthcare recipient's My Health Record unless: (a) a healthcare identifier has been assigned to the nominated representative under paragraph 9(1)(b) of the Healthcare Identifiers Act 2010; or (b) the My Health Records Rules provide that a healthcare identifier is not required to have been so assigned. (4) The fact that a healthcare recipient has a nominated representative does not prevent the healthcare recipient doing any thing that this Act authorises or requires the healthcare recipient to do. (5) At a time when a healthcare recipient has one or more nominated representatives, any thing that this Act authorises or requires to be done in relation to the healthcare recipient may be done in relation to one of the healthcare recipient's nominated representatives and not in relation to the healthcare recipient to the extent: (a) agreed between the healthcare recipient and the nominated representative; and (b) notified to the System Operator by the healthcare recipient. This Act has effect for all purposes as if the thing had been done in relation to the healthcare recipient. 7A Duties of authorised representative or nominated representative Duty to ascertain will and preferences (1) An authorised representative or a nominated representative (a representative) of a healthcare recipient must make reasonable efforts to ascertain the recipient's will and preferences in relation to the recipient's My Health Record. (2) If it is not possible to ascertain the healthcare recipient's will and preferences, the representative must make reasonable efforts to ascertain the recipient's likely will and preferences in relation to the recipient's My Health Record. (3) The healthcare recipient's likely will and preferences may be ascertained from sources including the following: (a) if the representative is a nominated representative—the agreement appointing the representative; (b) to the extent legally possible, from consultation with people who may be expected to be aware of the recipient's will and preferences. Duty to give effect to will and preferences (4) The representative must give effect to the healthcare recipient's will and preferences, or likely will and preferences, ascertained in accordance with subsection (1) or (2). (5) However, if to do so would pose a serious risk to the healthcare recipient's personal and social wellbeing, the representative must instead act in a manner that promotes the personal and social wellbeing of the healthcare recipient. Duty if will and preferences cannot be ascertained (6) If the healthcare recipient's will and preferences, or likely will and preferences, cannot be ascertained, the representative must act in a manner that promotes the personal and social wellbeing of the healthcare recipient. 8 Things done etc. under provisions of other Acts (1) A reference in section 6 or 7 to any thing that this Act authorises or requires a healthcare recipient to do is taken to include a reference to any thing that a prescribed provision of another Act authorises or requires a healthcare recipient to do. (2) A reference in section 6 or 7 to any thing that this Act authorises or requires to be done in relation to a healthcare recipient is taken to include a reference to any thing that a prescribed provision of another Act authorises or requires to be done in relation to a healthcare recipient. 9 Definition of identifying information (1) Each of the following is identifying information of a healthcare provider who is an individual: (a) the name of the healthcare provider; (b) the address of the healthcare provider; (c) the email address, telephone number and fax number of the healthcare provider; (d) the date of birth, and the date of birth accuracy indicator, of the healthcare provider; (e) the sex of the healthcare provider; (f) the type of healthcare provider that the individual is; (g) if the healthcare provider is registered by a registration authority—the registration authority's identifier for the healthcare provider and the status of the registration (such as conditional, suspended or cancelled); (h) other information that is prescribed by the regulations for the purpose of this paragraph. (2) Each of the following is identifying information of a healthcare provider that is not an individual: (a) the name of the healthcare provider; (b) the address of the healthcare provider; (c) the email address, telephone number and fax number of the healthcare provider; (d) if applicable, the ABN (within the meaning of the A New Tax System (Australian Business Number) Act 1999) of the healthcare provider; (e) if applicable, the ACN (within the meaning of the Corporations Act 2001) of the healthcare provider; (f) other information that is prescribed by the regulations for the purpose of this paragraph. (3) Each of the following is identifying information of an individual, other than an individual in the capacity of a healthcare provider: (a) if applicable, the Medicare number of the individual; (b) if applicable, the Veterans' Affairs Department file number of the individual; (c) the name of the individual; (d) the address of the individual; (e) the date of birth, and the date of birth accuracy indicator, of the individual; (f) the sex of the individual; (g) if the individual was part of a multiple birth—the order in which the individual was born; Example: The second of twins. (h) if applicable, the date of death, and the date of death accuracy indicator, of the individual; (i) other information that is prescribed by the regulations for the purpose of this paragraph. 10 Definition of shared health summary The shared health summary of a registered healthcare recipient, at a particular time, is a record that: (a) was prepared by the healthcare recipient's nominated healthcare provider and described by him or her as the healthcare recipient's shared health summary; and (b) has been uploaded to the National Repositories Service; and (c) at that time, is the most recent such record to have been uploaded to the National Repositories Service. Note: This means that there is only one shared health summary for a healthcare recipient at a particular time. 10A Sharing information with the My Health Record system (1) An entity other than an approved registered repository operator shares with the My Health Record system information if the entity uploads, for the purposes of the My Health Record system, the information to: (a) a repository that forms part of the National Repositories Service; or (b) a repository to which a registered repository operator's registration relates. (2) An approved registered repository operator shares with the My Health Record system information if the registered repository operator: (a) uploads, for the purposes of the My Health Record system, the information to a repository that forms part of the National Repositories Service; or (b) takes, in relation to the information, the action specified in the My Health Records Rules. 10B When an upload exception applies An upload exception applies in relation to an entity sharing with the My Health Record system information about healthcare provided to an individual if: (a) the individual is not a registered healthcare recipient; or (b) either: (i) the individual, or an authorised representative or nominated representative of the individual, has advised the entity; or (ii) the entity has otherwise been informed that the individual, or an authorised representative or nominated representative of the individual, has advised; that the information must not be uploaded to the My Health Record system; or (c) an individual healthcare provider reasonably believes that the information should not be shared with the My Health Record system because of a serious concern for the health, safety or wellbeing of the individual; or (d) the information cannot be shared with the My Health Record system due to circumstances beyond the reasonable control of the entity. 10C When an application is finally determined (1) An application under section 41B, 42 or 78B is finally determined when the System Operator has made a decision (the original decision) on the application and: (a) the original decision is to approve the application; or (b) no notice of the original decision is given because subsection 97(2A) applies; or (c) no notice asking the System Operator to reconsider the original decision is given within the period mentioned in subsection 97(4); or (d) all of the following apply: (i) a notice asking the System Operator to reconsider the original decision is given within the period mentioned in subsection 97(4); (ii) the System Operator reconsiders the original decision; (iii) no application is made to the Administrative Review Tribunal within the period mentioned in section 18 of the Administrative Review Tribunal Act 2024 for review of the System Operator's reconsideration decision; or (e) an application is made to the Administrative Review Tribunal within the period mentioned in section 18 of the Administrative Review Tribunal Act 2024 for review of the System Operator's reconsideration of the original decision, the Administrative Review Tribunal decides the application and one of the following applies: (i) subsection 123(1) of that Act does not apply in relation to the Administrative Review Tribunal's decision; (ii) no application is made under section 123 of that Act within the period mentioned in section 125 of that Act to refer the Administrative Review Tribunal's decision to the guidance and appeals panel; (iii) any application that is made under section 123 of that Act within the period mentioned in section 125 of that Act to refer the Administrative Review Tribunal's decision to the guidance and appeals panel is refused; or (f) both of the following apply: (i) the President of the Administrative Review Tribunal refers the Administrative Review Tribunal's decision on the application for review of the System Operator's reconsideration of the original decision to the guidance and appeals panel under section 123 of the Administrative Review Tribunal Act 2024; (ii) the Administrative Review Tribunal makes a decision on the guidance and appeals panel application (within the meaning of the Administrative Review Tribunal Act 2024) taken to be made because of the referral. (2) An application under section 41B or 78B is finally determined when the System Operator ceases to consider the application under subsection 41B(4) or 78B(4). 11 Act to bind the Crown (1) This Act binds the Crown in each of its capacities. (2) This Act does not make the Crown liable to be prosecuted for an offence. Note: Subsection (2) does not limit other rights and remedies. 12 Concurrent operation of State laws It is the intention of the Parliament that this Act is not to apply to the exclusion of a law of a State or Territory to the extent that that law is capable of operating concurrently with this Act. 13 External Territories This Act extends to every external Territory. 13A System Operator may arrange for use of computer programs to make decisions (1) The System Operator may arrange for the use, under the System Operator's control, of computer programs for any purposes for which the System Operator may make decisions under this Act. (2) A decision made by the operation of a computer program under an arrangement made under subsection (1) is taken to be a decision made by the System Operator. 13B System Operator may use electronic communications (1) If under this Act the System Operator is required to give information in writing, that requirement is taken to have been met if the System Operator gives the information by means of an electronic communication, as defined in the Electronic Transactions Act 1999. (2) If under this Act the System Operator is permitted to give information in writing, the System Operator is permitted to give the information by means of an electronic communication, as defined in the Electronic Transactions Act 1999. Part 2—The System Operator and the functions of the Chief Executive Medicare Division 1—System Operator 14 Identity of the System Operator (1) The System Operator is: (a) the Secretary of the Department; or (b) if a body established by a law of the Commonwealth is prescribed by the regulations to be the System Operator—that body. (2) Before regulations are made for the purposes of paragraph (1)(b), the Minister must be satisfied that the Ministerial Council has been consulted in relation to the proposed regulations. 15 Functions of the System Operator The System Operator has the following functions: (a) to establish and maintain an index service, for the purposes of the My Health Record system, that: (i) allows information in different repositories to be connected to registered healthcare recipients; and (ii) facilitates the retrieval of such information when required, and ensures that registered healthcare recipients, and participants in the My Health Record system who are authorised to collect, use and disclose information, are able to do so readily; (b) to establish and maintain mechanisms (access control mechanisms) that, subject to any requirements specified in the My Health Records Rules: (i) enable each registered healthcare recipient to set controls on the healthcare provider organisations and nominated representatives who may obtain access to the healthcare recipient's My Health Record; and (ii) specify default access controls that apply if a registered healthcare recipient has not set such controls; and (iii) specify circumstances in which access to a healthcare recipient's My Health Record is to be automatically suspended or cancelled; (c) without limiting paragraph (b), to ensure that the access control mechanisms enable each registered healthcare recipient to specify that access to a healthcare recipient's My Health Record is only to be: (i) by healthcare provider organisations and nominated representatives specified by the healthcare recipient; and (ii) in accordance with any limitations specified by the healthcare recipient, including limitations on the kind of health information to be collected, used or disclosed by such healthcare provider organisations and nominated representatives; (d) to establish and maintain a reporting service that allows assessment of the performance of the system against performance indicators; (e) to establish and maintain the Register (see section 56); (f) to register healthcare recipients and participants in the My Health Record system (see Part 3) and to manage and monitor, on an ongoing basis, the system of registration; (g) to establish and maintain an audit service that records activity in respect of information in relation to the My Health Record system; (h) without limiting paragraph (g)—to establish and maintain mechanisms: (i) that enable each registered healthcare recipient to obtain electronic access to a summary of the flows of information in relation to his or her My Health Record; and (ii) that enable each registered healthcare recipient to obtain a complete record of the flows of information in relation to his or her My Health Record, on application to the System Operator; (i) to operate a National Repositories Service that stores key records that form part of a registered healthcare recipient's My Health Record (including the healthcare recipient's shared health summary); (ia) to establish and operate a test environment for the My Health Record system, and other electronic systems that interact directly with the My Health Record system, in accordance with the requirements (if any) in the My Health Records Rules; (j) to establish a mechanism for handling complaints about the operation of the My Health Record system; (k) to ensure that the My Health Record system is administered so that problems relating to the administration of the system can be resolved; (l) to advise the Minister on matters relating to the My Health Record system, including in relation to the matters to be included in the My Health Records Rules (see section 109); (m) to educate healthcare recipients, participants in the My Health Record system and members of the public about the My Health Record system; (ma) in accordance with the guidance and direction of the Board established under section 82, to prepare and provide de‑identified data, and, with the consent of the healthcare recipient, health information, for research or public health purposes; (n) such other functions as are conferred on the System Operator by this Act or any other Act; (o) to do anything incidental to or conducive to the performance of any of the above functions. 16 Research or public health purposes The System Operator's function under paragraph 15(ma) does not include providing de‑identified data or health information to a private health insurer (within the meaning of the Private Health Insurance Act 2007) or any other insurer. 17 Retention and destruction of records uploaded to National Repositories Service Records (1) This section applies to a record if: (a) the record is uploaded to the National Repositories Service; and (b) the record includes health information that is included in the My Health Record of a healthcare recipient. Retention of records (2) The System Operator must ensure that the record is retained for the period: (a) beginning when the record is first uploaded to the National Repositories Service; and (b) ending: (i) 30 years after the death of the healthcare recipient; or (ii) if the System Operator does not know the date of death of the healthcare recipient—130 years after the date of birth of the healthcare recipient; or (iii) if, under subsection (3), the record is required to be destroyed because of the cancellation of registration of the healthcare recipient—when the System Operator is required to destroy the record under subsection (4). Destruction of records after cancellation on request (3) If the System Operator is required to cancel the registration of the healthcare recipient under subsection 51(1) (cancellation on request), the System Operator must destroy any record that includes health information that is included in the My Health Record of the healthcare recipient, other than the following information: (a) the name and healthcare identifier of the healthcare recipient; (b) the name and healthcare identifier of the person who requested the cancellation, if different from the healthcare recipient; (c) the day the cancellation decision takes effect under subsection 51(7). (4) The System Operator must comply with subsection (3): (a) as soon as practicable after the cancellation decision takes effect under subsection 51(7); or (b) if any of the following requirements apply before the records are destroyed under paragraph (a)—as soon as practicable after the conclusion of the matter to which the requirement relates: (i) a court order requires the System Operator not to destroy records of the healthcare recipient; (ii) the System Operator is required to disclose records of the healthcare recipient under section 69 or 69A; (iii) the System Operator is required to disclose records of the healthcare recipient under a law covered by subsection 65(3). (5) To avoid doubt, if the System Operator is required under subsection (3) to destroy a record that includes health information, the System Operator must also destroy the following: (a) any copy of the record; (b) any previous version of the record; (c) any back‑up version of the record. Division 4—Functions of Chief Executive Medicare 38 Registered repository operator (1) It is a function of the Chief Executive Medicare to seek to become a registered repository operator and, if registered, to operate a repository for the purposes of the My Health Record system in accordance with subsection (2). (2) Without limiting the way in which the repository is to be operated, at any time when the Chief Executive Medicare is a registered repository operator, the Chief Executive Medicare: (a) may at his or her discretion upload health information held by the Chief Executive Medicare about a registered healthcare recipient to the repository operated by the Chief Executive Medicare; and (b) with the consent of a registered healthcare recipient—may at his or her discretion make available to the System Operator health information held by the Chief Executive Medicare about the healthcare recipient. Note: Section 58 authorises the Chief Executive Medicare to disclose identifying information to the System Operator. (3) The health information referred to in subsection (2) in relation to a healthcare recipient may include the name of one or more healthcare providers that have provided healthcare to the healthcare recipient. Part 3—Registration Division 1—Registering healthcare recipients Note: This Division does not apply to a healthcare recipient if the opt‑out model applies to the healthcare recipient because of My Health Records Rules made under Schedule 1 to this Act. 39 Healthcare recipients may apply for registration (1) A healthcare recipient may apply to the System Operator for registration of the healthcare recipient. (2) The application must: (a) be in the approved form; and (b) include, or be accompanied by, the information and documents required by the form; and (c) be lodged at a place, or by a means, specified in the form. 40 When a healthcare recipient is eligible for registration A healthcare recipient is eligible for registration if: (a) a healthcare identifier has been assigned to the healthcare recipient under paragraph 9(1)(b) of the Healthcare Identifiers Act 2010; and (b) the following information has been provided to the System Operator in relation to the healthcare recipient: (i) full name; (ii) date of birth; (iii) healthcare identifier, Medicare card number or Department of Veterans' Affairs file number; (iv) sex; (v) such other information as is prescribed by the regulations. 41 Registration of a healthcare recipient by the System Operator (1) The System Operator must decide to register a healthcare recipient if: (a) an application has been made under section 39 in relation to the healthcare recipient; and (b) the healthcare recipient is eligible for registration under section 40; and (c) the System Operator is satisfied, having regard to the matters (if any) specified in the My Health Records Rules, that the identity of the healthcare recipient has been appropriately verified. Note: The System Operator is not permitted to register a healthcare recipient in any other circumstances. (2) Despite subsection (1), the System Operator is not required to register a healthcare recipient if the System Operator is satisfied that registering the healthcare recipient may compromise the security or integrity of the My Health Record system, having regard to the matters (if any) prescribed by the My Health Records Rules. (3) The System Operator is not required to register a healthcare recipient if the healthcare recipient does not consent to a registered healthcare provider organisation uploading to the My Health Record system any record that includes health information about the healthcare recipient, subject to the following: (a) express advice given by the healthcare recipient to the registered healthcare provider organisation that a particular record, all records or a specified class of records must not be uploaded; (b) a law of a State or Territory that is prescribed by the regulations for the purposes of subsection (4). (3A) A registered healthcare provider organisation is authorised to upload to the My Health Record system a record in relation to a healthcare recipient (the patient) that includes health information about another healthcare recipient (the third party), if the health information about the third party is directly relevant to the healthcare of the patient, subject to a law of a State or Territory that is prescribed by the regulations for the purposes of subsection (4). (4) A consent referred to in subsection (3), and an authorisation given under subsection (3A), have effect despite a law of a State or Territory that requires consent to the disclosure of particular health information: (a) to be given expressly; or (b) to be given in a particular way; other than a law of a State or Territory prescribed by the regulations for the purposes of this subsection. (5) A decision under subsection (1) takes effect when it is made. Division 1A—Healthcare provider organisations that are required to be registered 41A Prescribed healthcare provider organisations must be registered (1) A prescribed healthcare provider organisation contravenes this subsection if the healthcare provider organisation is not a registered healthcare provider organisation and is not an approved registered repository operator. Civil penalty: 250 penalty units. (2) However, subsection (1) does not apply: (a) during any period starting when the healthcare provider organisation applies to the System Operator under section 41B or 42 and ending when the application is finally determined; or (b) during any period approved by the System Operator under section 41B in relation to the healthcare provider organisation. Note: A person who wishes to rely on subsection (2) in proceedings for a civil penalty order bears an evidential burden in relation to the matters in that subsection: see section 96 of the Regulatory Powers Act. 41B System Operator may approve a period during which registration is not required Application (1) A healthcare provider organisation may apply to the System Operator to approve a period during which subsection 41A(1) does not apply to the healthcare provider organisation. (2) The application must: (a) be in the approved form; and (b) include, or be accompanied by, the information and documents required by the form; and (c) be lodged at a place, or by a means, specified in the form. Further information may be required (3) If a healthcare provider organisation makes an application under subsection (1), the System Operator may, by notice in writing, require the healthcare provider organisation to give the System Operator, within the period specified in the notice, such further information in relation to the application as the System Operator requires. (4) The System Operator is not required to decide the application, and may cease considering the application, if the healthcare provider organisation does not provide the required information within the period specifie