The My Health Records Act 2012 (Cth) establishes Australia's national digital health record system and creates specific privacy and security obligations for registered healthcare providers, system operators, and individuals who access the system. Since the system moved to opt-out in 2019, over 24 million Australians have active My Health Records. Healthcare providers who are registered participants have ongoing obligations under the Act and the Australian Digital Health Agency (ADHA) security requirements — obligations that extend to the email systems used to communicate clinical information.
Who Has Obligations Under the My Health Records Act?
- Registered healthcare provider organisations (hospitals, GP practices, specialist clinics, allied health), which upload and access records.
- Healthcare provider individuals (registered practitioners who access the system through their organisation).
- System operators (the ADHA and contracted technology partners who operate the system infrastructure).
- Healthcare recipients (patients whose records are in the system), who have rights under the Act but no obligations.
- Organisations that access MHR data under ADHA authorised access categories — including research institutions with approved access.
Email and the My Health Records Act: Where They Intersect
The My Health Records Act does not directly regulate email systems. However, several provisions create indirect but significant email obligations for healthcare providers. Section 59 (Permitted secondary use) and Section 64 (Offences relating to collection, use, and disclosure) create serious criminal offences for accessing or disclosing MHR data without authorisation — penalties reach 5 years imprisonment. When clinical email contains references to, extracts from, or attachments derived from a patient's My Health Record, that email is subject to these provisions. Sending such email through an offshore provider creates multiple risks: APP 8 breach, potential MHR Act secondary use concerns, and the inability to control access by the overseas service provider.
Practical implication: An email that says "re: your patient's MHR-sourced discharge summary attached" is handling My Health Records data. Under both APP 8 and the MHR Act, this email must not be transmitted through a system where overseas entities can access it without authorisation. See /industries/healthcare for the full healthcare compliance guide.
ADHA Security Standards for Healthcare Email
The ADHA publishes security requirements for organisations participating in the My Health Record system, including the Healthcare Identifiers Service and NASH PKI infrastructure. While not all requirements are email-specific, the baseline security standards expected of registered healthcare provider organisations include: encrypted communications for all clinical data transmission; access controls ensuring only authorised practitioners can access clinical correspondence; audit logging of access to clinical data; and systems that can be audited by the ADHA in the event of a suspected security incident.
5 Practical Steps for MHR-Related Email Compliance
- Step 1: Migrate to Australian-hosted email — ensures that clinical correspondence containing MHR-sourced data is stored exclusively on Australian servers, resolving the primary APP 8 and MHR Act access risk.
- Step 2: Enable end-to-end encryption for external clinical correspondence — particularly when sending referrals, discharge summaries, or results extracts to other providers or patients.
- Step 3: Configure role-based access — restrict each clinical staff member to the clinical email folders relevant to their role. Reception staff should not have access to clinical correspondence.
- Step 4: Enable 7-year audit logging — satisfies both the MHR Act audit requirements and state health records legislation minimum retention obligations.
- Step 5: Register as a healthcare provider organisation with the ADHA — this formalises your obligations and ensures you receive security guidance and incident notification support from the ADHA.
