To increase participation by healthcare providers and patients, the health records of all Australians are being automatically uploaded onto the My Health Record database unless they opt out between 16 July and 15 October 2018. There will be ability to opt out after this date, but a My Health Record cannot be deleted, only deactivated and removed from view. Consent in an opt out model relies on apathy, rather than encouraging control by the patient. In practice, the opt out process is cumbersome to implement and, in many cases, patients do not have the capability or capacity to exercise the controls to opt out or implement access restrictions. NSWCCL recommends that, unless there are specific health reasons for not doing so, individuals opt out of the MHR.

Uploading of documents by a healthcare provider is permitted by “standing consent” until that consent is withdrawn by the patient.  It is recommended that patients exercise their right to withdraw consent and advise their doctors when certain information is not to be uploaded.  Audit measures include notification to the patient of first time use by a healthcare “organisation”. However, this and other privacy measures do not eliminate the risk of unauthorised access, unintentional breaches and unwarranted disclosure of patients’ health records, by individuals within or outside those organisations. Proper auditing needs to be specific and visible to the patient, permitting them to decide what level of notification is desired. Disclosure of records should be limited to the minimum number of persons necessary to perform a task.

The Federal “Framework to guide the secondary use of My Health Record system data” is being introduced in 2020. Patients will have to withdraw or opt out of future plans for very broad secondary use of health records, rather than being able to give explicit consent for each disclosure of medical or health data to a third party.

Read more here My Health Record Summary