Privacy

What is covered by this Privacy Statement?

This Privacy Statement explains:

• the types of personal information (including health information) that is collected by the System Operator about consumers who choose to have an eHealth record;
• if a consumer has an authorised representative (a person who the System Operator recognises as being able to act on behalf of the consumer), the types of personal information that is collected by the System Operator about the authorised representative;
• if a consumer has a nominated representative (a person who a consumer nominates to access their eHealth record), the types of personal information that is collected by the System Operator about the nominated representative;
• the source from where the System Operator will collect information, including information that is collected directly from consumers and information that is collected about the consumer from others;
• why the System Operator collects information and what the information is used for in the eHealth record system;
• how the System Operator stores the information;
• the entities which the System Operator will usually disclose information to as part of the eHealth record system; and
• how consumers can access their personal information held by the System Operator.

Who is the eHealth System Operator and how can I contact [it/them]?

The System Operator is the person with responsibility for establishing and operating the eHealth record system. This person is the Secretary of the Department of Health and Ageing. Customer service officers from the Medicare area of the Department of Human Services (DHS-Medicare) will undertake some of the eHealth record system's day-to-day tasks on behalf of the System Operator.

You can contact the System Operator by calling 1800 723 471 or visiting your local Service Centre offering Medicare services. For details of your nearest Service Centre, visit http://humanservices.findnearest.com.au.

What information is collected by the System Operator directly from consumers?

The kinds of information collected by the System Operator directly from consumers or from authorised representatives about consumers may include:

• details that allow the System Operator to identify and contact the consumer such as the consumer's name, address, telephone contact numbers, gender, date of birth, and either Medicare card number, Department of Veterans’ Affairs (DVA) file number or the consumer’s individual healthcare identifier (IHI);
• certified copies of acceptable identity documentation submitted to verify the consumer's identity in the registration process where a consumer applies for registration in writing;
• details about current medications, allergies and adverse reactions the consumer has which the consumer or his/her authorised representative has decided to upload to and publish in the eHealth record (known as the Personal Entered Health Summary);
• details about a consumer's health which are entered by a consumer or his/her authorised representative into a confidential health diary facility offered as part of the eHealth system (known as Personal Entered Notes);
• information entered by the consumer about the person who holds the consumer's Advance Care Directive;
• information about the choices a consumer has made about their access controls including the names of nominated representatives who the consumer will allow to access the eHealth record and other access controls;
• information about a consumer's access to his/her eHealth record for inclusion in the audit log;
• if a consumer contacts the System Operator to ask a question or report an issue, relevant information to address that matter;
• contact details provided by the consumer where the consumer elects to receive notifications regarding certain activities in the consumer’s eHealth record;

Information about the consumer's relatives or other third parties where the consumer or his/her authorised representative has included that information in the eHealth record, including in a Personal Entered Health Summary, the Personal Entered Notes, emergency contact details, or the information about the person who holds the consumer's Advance Care Directive;

• information about an adult consumer’s capacity, in the event that a person makes an application for registration for an eHealth record on behalf of that adult consumer on the basis that the person is the consumer's authorised representative.

What information is collected if I access an eHealth record online?

If you access an eHealth record online, the System Operator will collect Clickstream data. This is information that is collected automatically and is logged due to the nature of communications protocols exercised by browsers, for example, Internet Explorer or Safari. Cookies can also be used to collect information from you. Session cookies and persistent cookies types may be used. 

What information is collected about consumers by the System Operator from healthcare provider organisations?

The System Operator may collect health information about registered consumers from healthcare provider organisations (organisations that provide healthcare such as hospitals, clinics and pharmacies) that have registered to participate in the eHealth record system, including:

• allergies and adverse reactions;
• medicines;
• medical history; 
• immunisations;
• conditions diagnosed;
• information about treatments provided;
• hospital discharge information;
• referrals;
• prescribing and dispensing information;
• pathology results; and
• information provided by a specialist.

Consumers can advise their healthcare providers not to upload particular documents to the eHealth record system. A consumer who wishes to withdraw consent for the record of a prescription being dispensed should advise the pharmacy each time that a repeat of the prescription is dispensed.

In some cases the System Operator may collect information about the consumer's relatives or other third parties where a healthcare provider has included that information in a healthcare record uploaded to the eHealth record system. 

What information is collected about consumers by the System Operator from DHS-Medicare in its role as a registered repository?

A consumer can decide to have the System Operator collect DHS-Medicare records from the DHS-Medicare registered repository for inclusion in his/her eHealth record, including:

• details of all claims a consumer or his/her doctor make for Medicare benefits in the future whenever the consumer receives a healthcare service which is covered under the Medicare Benefits Schedule (MBS) (includes claims that are processed by the Department of Human Services (DHS) on behalf of DVA, in accordance with eligibility entitlements provided by DVA);
• details of claims a consumer or his/her doctor made for Medicare benefits in the past, if those records are available;
• details of all claims made for pharmaceutical benefits in the future whenever the consumer receives medication that is covered under the Pharmaceutical Benefits Scheme (PBS) (includes Department of Veterans’ Affairs claims under the Repatriation Pharmaceutical Benefits Scheme (RPBS) that are processed by DHS);
• details of claims made under the PBS by the consumer in the past, if those records are available;
• Organ and/or tissue donation decisions, which are sourced from the Australian Organ Donor Register (AODR);
• Immunisations administered to the consumer up until the age of 7 years, which are sourced from the Australian Childhood Immunisation Register (ACIR).

If a consumer (or their authorised representative(s)) consents to include DHS-Medicare records but later withdraws consent for transfer of information from DHS-Medicare to the System Operator, the Chief Executive Medicare will not notify the System Operator about any new records and the System Operator will not be able to access any new records. However, MBS and PBS records transferred to the System Operator before the time the consumer withdraws consent will remain visible on the consumer's eHealth record and will remain accessible through the eHealth record system, unless the consumer (or their authorised representative(s)) "effectively removes" the MBS and PBS record from the eHealth record.

Important: It is important for consumers to be aware that some health information that DHS-Medicare holds about the consumer (eg MBS data and PBS data) may include information about the types of healthcare services that the consumer has received and the types of medications that they have been prescribed, and that these services and medications may indicate diagnosed conditions or illnesses.

What information is collected about consumers by the System Operator from other repository operators?

A repository operator holds records in storage for the eHealth record system, then makes them available when they are requested through the System Operator. Repository operators must register to participate in the eHealth record system. As described above, DHS-Medicare will operate one of the repositories of information in the eHealth record system. 

Other private and public entities which hold healthcare information (for example, diagnostic imaging providers or public hospitals) may also apply to the System Operator to be repository operators in the eHealth record system.

The System Operator will collect details of the documents held in registered repositories for consumers who are registered in the eHealth record system and display an index of the available information in the consumer's eHealth record. If, for example, a healthcare provider wishes to access a document held in a registered repository for the purposes of providing healthcare to the consumer, the System Operator will call for the document from the registered repository and make it available to the healthcare provider. 

What other information is collected about consumers by the System Operator from DHS-Medicare?

The System Operator collects demographic information (which may include the consumer's name, address, age and gender) about consumers from DHS-Medicare and the Healthcare Identifiers service during the registration process for the purposes of verifying the identity of consumers and their authorised representatives. Updates to consumers’ demographic and contact information will be collected over time, so that the System Operator's records remain current.

Why does the System Operator collect information about consumers and what is the information used for?

The System Operator collects information about consumers for a number of reasons, including to:

• register consumers in the eHealth record system;
• verify the identity of consumers in the registration process and when consumers access the eHealth record system after registration;
• link the correct consumer to the correct healthcare information stored by the System Operator and in registered repositories;
• facilitate the retrieval of consumers’ healthcare information when required;
• enable consumers to set access controls;
• to notify a consumer of certain activities on their eHealth record, if the consumer has elected to receive notifications;
• establish and maintain an audit service that records activity in the eHealth record system;
• operate the National Repositories Service to store key records that form part of the eHealth record;
• administer, maintain and monitor the eHealth record system including monitoring the security, integrity and efficiency of the system; and
• otherwise perform its functions and responsibilities as authorised by law.

What are the main consequences for consumers if they do not consent to the System Operator collecting some of their information?

Registering for an eHealth record is voluntary. Whether a consumer chooses to register for an eHealth record has no effect on his/her entitlement to medical treatment or Medicare benefits.

Outside the eHealth system, if a consumer withholds information from, or gives inaccurate information to, a healthcare provider who is treating the consumer, this may affect the quality of decisions made about the consumer's care. The same situation applies under the eHealth record system. Limiting access to an eHealth record or telling a healthcare provider not to upload a record to an eHealth record means a healthcare provider will need to rely on other ways to obtain that information, such as asking the consumer questions or consulting other clinical records.

What information is disclosed by the System Operator, who is the information disclosed to and why?

The System Operator will disclose information about consumers to:

• the consumer or the consumer's authorised representative;
• the consumer's nominated representative in accordance with the consumer's access controls;
• registered healthcare provider organisations involved in the consumer's health care in accordance with the consumer's access controls or in cases of medical emergency;
• DHS and DVA, in order to verify the accuracy of information consumers have supplied with their registration application including information necessary to verify the consumer's identity and the consumer's consent to include DHS-Medicare information in the eHealth record;
• registered contracted service providers (private sector firms contracted by healthcare provider organisations to assist them with computer and IT-related services) if the healthcare provider organisation is authorised by the consumer to access information in the consumer's eHealth record and the healthcare provider organisation has authorised the contracted service provide to connect to the eHealth record system on its behalf;
• a registered portal operator if a consumer, consumer's authorised representative, consumer's nominated representative or healthcare provider accesses the eHealth record through a registered portal;
• registered repository operators for the purpose of storing, indexing and calling for records about consumers which form part of the eHealth record;
• a healthcare provider organisation, contracted service provider, portal operator or repository operator if the System Operator needs to do so in order to investigate or resolve a technical, security or privacy matter that has arisen in the eHealth record system.

If a healthcare organisation and its local clinical information systems are compatible with the eHealth record system, the local clinical information system will automatically check for and notify the healthcare provider whether an eHealth record exists. A consumer can prevent a healthcare provider’s clinical information systems from automatically checking and displaying whether the consumer has an eHealth record by turning ‘off’ this option. This function does not prevent healthcare professionals from searching for the consumer’s eHealth record in the eHealth record system.

There are limited other circumstances in which a consumer's information may be collected, used and disclosed under the Personally Controlled Electronic Health Records Act 2012 or as authorised by or under law. These circumstances include the provision of indemnity cover for healthcare providers, disclosure to courts and tribunals, for the purposes of coroner's investigations, and for law enforcement purposes.

The System Operator uses private sector firms to assist it in delivering the eHealth record system. Those firms will collect, use and disclose, and in some cases store, consumer information as part of this work. These firms are bound by strict obligations to treat consumers’ information with the same level of respect, privacy and security that they are entitled to from the System Operator.

If a consumer or authorised representative contacts the System Operator to ask a question or report an issue, the System Operator may need to disclose personal information about the consumer and/or the authorised representative to the Australian Information Commissioner or equivalent body in a State or Territory or to a healthcare provider organisation to which the question or issue relates.

The System Operator will not disclose details about a consumer's health which are entered by a consumer or his/her authorised representative into a confidential health diary facility offered as part of the eHealth system (known as Personal Entered Notes) to a consumer’s healthcare providers.

What information is used or disclosed by the Chief Executive Medicare to assist in the eHealth record system?

The Chief Executive Medicare is involved in the eHealth record system as the Healthcare Identifier service operator under the Healthcare Identifiers Act 2010, the holder of Medicare and PBS records and as a repository operator.

In its roles as the Healthcare Identifier service operator and the holder of Medicare and PBS records, the Chief Executive Medicare may disclose information to the System Operator about consumers to assist the System Operator to make decisions about registering consumers and determining whether certain persons are authorised to act on behalf of consumers (authorised representatives). For example, when a consumer applies for an eHealth record online, over the phone or in person, consent will be sought for the Chief Executive Medicare or other employees of the Department of Human Services to use Medicare and PBS records to ask the consumer or his/her authorised representative a series of questions to verify the consumer's and the authorised representative's identity.

If the person asserts that they are the authorised representative for the consumer because he/she is the consumer's parent, the Chief Executive Medicare or other employees of the Department of Human Services will seek consent to check the Medicare records to see whether that person is on the same Medicare card grouping as the consumer. Medicare groupings can be used as evidence of a person being an authorised representative of a child.

Will information in eHealth records be taken or held outside Australia?

A registered repository operator, a registered portal operator or a registered contracted service provider that holds or has access to eHealth records must not hold or take the records outside Australia or process or handle the information relating to the records outside Australia. 

The System Operator is only authorised to hold, take, process or handle records outside Australia for the purposes of the operation or administration of the eHealth record system and only where the records do not contain any personal or identifying information of participants in the eHealth record system.

How does the System Operator store eHealth records?

An eHealth record is not a single record stored in a single repository. An eHealth record is made up of a collection of health documents stored in a network of connected registered repositories.

The System Operator itself stores information including:

• personal information about consumers who have registered for an eHealth record;
• an index of available records for each consumer stored in registered repositories which can be accessed via a consumer's eHealth record;
• the consumer's Shared Health Summary and information uploaded by a consumer in the Personal Entered Health Summary and PersonalEntered Notes in the National Repositories Service (a repository operated by the System Operator);
• DHS-Medicare records in accordance with the consumer's consent for upload of this information.

Information in the National Repositories Service will be retained until at least 30 years after the date of a consumer's death, or if the System Operator does not know this date, 130 years after the information was uploaded.

How will eHealth records be kept safe and secure?

The protection and security of consumers’ personal information is something the System Operator takes seriously. The System Operator is committed to keeping secure the personal information that is provided to the eHealth record system. The System Operator will take reasonable precautions to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure.

The System Operator has a range of practices and policies in place to provide a robust security environment. The ongoing adequacy of these measures will be regularly reviewed by the System Operator.

The security measures of the eHealth record system include, but are not limited to:

• a multi-layered ICT system of firewalls, gateways and portals to ensure only authorised users can access the eHealth record system;
• personal information transmitted or stored by or on behalf of the System Operator will be encrypted to government standards published in the Australian Government Information Security Manual;
• developing education and awareness programs to highlight the need for consumers to protect themselves against security threats and other hoaxes or scamming activities;
• not registering a consumer if the System Operator is satisfied the consumer may compromise the security or integrity of the eHealth record system, having regard to the matters prescribed by the PCEHR Rules;
• monitoring of access to eHealth records in order to detect suspicious or inappropriate behaviour;
• maintaining an audit log of access to eHealth records which consumers can access;
• requiring the System Operator, registered repository operators and registered portal operators to report a data breach to the Australian Information Commissioner (and/or in some cases, the System Operator who in turn must report the breach to the Australian Information Commissioner), as soon as practicable after becoming aware of the breach, event or circumstances;
• requiring the System Operator, registered repository operators and registered portal operators to contain the data breach as soon as practicable after becoming aware of the breach, event or circumstances;
• requiring the System Operator to notify all affected consumers (or the general public if a significant number of consumers are affected) if a data breach occurs;
• rigorous security testing, to be conducted both prior to and after commencement of the eHealth record system;
• imposing requirements for participants to comply with specific business rules and other relevant legislation which support security in the eHealth record system;
• educating employees of DHS and other delegates of the System Operator as to their obligations when handling personal information; and
• requiring employees of DHS and other delegates of the System Operator to individually authenticate themselves when accessing the eHealth record system.

In addition to the security controls set out above, the System Operator will comply with the Security and Access Framework for the eHealth record system. Compliance with the Security and Access Framework increases confidence that confidentiality, integrity and availability of information within an eHealth record system are not compromised. The Security and Access Framework was developed with regard to the Australian Government's Protective Security Policy Framework, the National Identity Security Strategy developed by the Commonwealth Attorney-General and the National E-Authentication Framework.

The System Operator has established a framework where consumers, authorised representatives, nominated representatives and registered healthcare providers are appropriately identified and authenticated each time they wish to access the individual eHealth records that they are entitled to access.

Healthcare providers will also need to undergo a registration process. Once registered they will also need to go through an authentication process each time they want to access the eHealth record system. This authentication process will include the use of Public Key Infrastructure (PKI) technologies. 

Consumers are encouraged to take appropriate and adequate precautions to ensure that whatever is accessed from an eHealth record is free of viruses or other contamination that may interfere with or damage a consumer's eHealth record. Consumers should keep their login and password for the eHealth record system secret and secure. For more information on how to take steps to protect the security of an eHealth record online see www.ehealth.gov.au.

Can consumers access personal information held by the System Operator?

Yes. Consumers can access their personal information held by the System Operator by logging into their eHealth record online or contacting the System Operator.

If a consumer requires assistance in accessing this information or would like further information, they can contact the System Operator by calling 1800 723 471 or visiting their local Medicare office. For details of the nearest Medicare office, see http://humanservices.findnearest.com.au.

Will consumers be able to see who else has accessed a consumer's eHealth record?

Yes. Consumers can access the audit log for their eHealth record online or by contacting the System Operator. The audit log will include details including whether a healthcare provider, nominated representative, authorised representative or the consumer accessed the eHealth record and when they accessed it.

If consumers require assistance in accessing this information or would like further information, they can contact the System Operator by calling 1800 723 471 or visiting their local Medicare office. For details of the nearest Medicare office, see http://humanservices.findnearest.com.au.

How can consumers request correction or updating of information in their Health record?

If consumers believe that their eHealth record (or if they are an authorised representative, the consumer's eHealth record that they are authorised to access) contains incorrect healthcare information, they should request the relevant healthcare provider to correct it.
If a healthcare provider refuses to correct the information, a consumer (or authorised representative) may complain to the Office of the Australian Information Commissioner.

The System Operator also has powers to request a healthcare provider to correct personal information contained in an eHealth record and to load the corrected record to the eHealth record system. 

Consumers can obtain further information on how to correct or update personal information by contacting the System Operator by calling 1800 723 471 or visiting their local Department of Human Services service centre offering Medicare services. For details of the nearest service centre, see http://humanservices.findnearest.com.au.

Can consumers restrict access to their eHealth record or documents contained in their eHealth record?

The eHealth record system allows consumers to limit access to their whole eHealth record, limit access to documents within the eHealth record (except for the Shared Health Summary, Consumer Entered Health Summary or Advance Care Directive information) or "effectively remove" documents that have been uploaded to the eHealth record system.

For more information on how to manage access controls, consumers should access the 'Help' section of their eHealth record or see www.ehealth.gov.au.

Consumers should be aware that in emergencies, where it is unreasonable or impractical to obtain their consent, information in their eHealth record may be made available to healthcare providers and that access controls may be overridden on a temporary basis, for the purpose of delivering healthcare.

Is information ever temporarily collected that will not be added to a consumer’s eHealth record?

There may be times where information relating to a prescription medication(s) that a consumer does not want to be included in their eHealth record is collected and temporarily stored in a repository so it can be distinguished from the information that the consumer does consent to being uploaded to their eHealth record . This only relates to instances where a healthcare provider generates a prescription for multiple medicines to be dispensed together.

It is possible in such an instance that a consumer may wish for information relating to only some of the medications prescribed to be uploaded to their eHealth record, while information relating to other medications on the same script is to be excluded.

In these circumstances, because all the medications are on the same prescription and sent through electronically together, a data processing device called an adaptor may collect some consumer health information not destined for the eHealth record system, in order to extract the information that is to be uploaded.

Any non-eHealth record information collected in this way is kept secure and destroyed as soon as practicable.

If a consumer nominates another person to have access to the consumer's eHealth record (known as a nominated representative), what information will that nominated representative be able to access?

Consumers can choose to allow certain persons to access their eHealth record (known as nominated representatives). Nominated representatives are able to access information in the consumer's eHealth record subject to a consumer’s access settings. For more information on how to appoint a nominated representative, consumers should access the 'Help' section of their eHealth record or see www.ehealth.gov.au.

I have been asked to assist another person with their eHealth record. What information will be collected about me if I agree to be a nominated representative? 

If a consumer nominates you as a nominated representative they are required to assign you a preferred name to identify you when you access their eHealth record. While this name could be any word (e.g. "mum"), it is possible that a consumer will use your real name or include other personal information about you in the name field. The System Operator will only collect personal information about nominated representatives when that information is entered into the eHealth record by a consumer or his/her authorised representative.

I am a parent, guardian or other type of authorised representative for a consumer. What information will be collected about me for the purposes of the consumer's eHealth record?

In order for the System Operator to determine whether a person is able to act on behalf of a consumer as their authorised representative, the System Operator collects:

• details that allow the System Operator to identify and contact the authorised representative such as the person's name, address, telephone contact numbers, gender, date of birth, and either Medicare card number, DVA file number or the person's IHI;
• certified copies of acceptable identity documentation submitted to verify identity of an authorised representative if that person applies to register a consumer in writing;
• documentation to verify that the person is the authorised representative of the consumer, such as a power of attorney, court order, or a statutory declaration about the person's relationship with the consumer;
• information from the documentation establishing the authorised representative's authority, including type of authority (from a pre-defined list), issuing authority, start date of authority, end date of authority (if specified) and review date of authority (if specified).

The System Operator may also collect information from DHS-Medicare to assist the System Operator to make decisions about registering consumers and determining whether certain persons are authorised to act on behalf of consumers (authorised representatives). For example, when an authorised representative applies for an eHealth record for a consumer online, over the phone or in person, consent will be sought for the Chief Executive Medicare or other employees of the Department of Human Services to use Medicare and PBS records to ask the authorised representative a series of questions to verify the consumer's and the authorised representative's identity. 

In some cases personal information may be collected from authorised representatives by the System Operator if the authorised representative contacts the System Operator to ask a question or report an issue.

Can healthcare providers access eHealth records in an emergency?

If a healthcare provider reasonably believes that access to health information in a consumer's eHealth record is necessary to lessen or prevent a serious threat to an individual's life, health or safety (and the consumer’s consent cannot be obtained) or to public health or public safety, the healthcare provider can access the consumer's eHealth record for a limited period of time. 

In emergencies, healthcare providers may override the access controls set by a consumer and access all information in the consumer's eHealth record to deliver emergency health care. After a period of five days from the time of last emergency access to the eHealth record, the consumer's access controls will be restored for that healthcare provider. Use of the emergency access function by a healthcare provider will be logged in the consumer’s Audit Log and the consumer will be notified if they requested to receive this type of notification.

Will eHealth records be used for research or other public health purposes?

The System Operator is authorised to prepare and provide de-identified data (ie data that has had information that would reasonably identify the consumer removed) for research and other public health purposes. The PCEHR Rules will ensure that appropriate protections are put in place around the preparation and disclosure of de-identified data.

What can I do if I think someone has breached my privacy?

If you think someone has breached your privacy please contact the System Operator by calling 1800 723 471 or visiting your local Service Centre offering Medicare services. For details of your nearest Service Centre, visit http://humanservices.findnearest.com.au.

Following the receipt of your complaint, the System Operator may refer your complaint to the Office of the Australian Information Commissioner or a privacy regulator in a State or Territory.

What are the penalties for collecting, using or disclosing information in an eHealth record when it is not authorised?

It is an offence under the Personally Controlled Electronic Health Records Act 2012 for a person to collect health information from a consumer's eHealth record, or use or disclose that information, if the collection, use or disclosure is not authorised by the legislation and the person knows that the collection is not authorised or is reckless as to whether the collection is authorised or not. 

The penalty under the legislation for unauthorised collection, use and disclosure is currently up to $20,400 for an individual or up to $102,000 for a body corporate. . 

What happens if there is a data breach involving my eHealth record? Will I be notified by the System Operator?

The System Operator is required to notify the Australian Information Commissioner as soon as practicable after becoming aware of a data breach relating to the eHealth record system, if the System Operator is directly involved or may be involved in the breach. The System Operator is also required to notify all affected consumers of a data breach involving the System Operator, a registered repository operator or a registered portal operator.

The Personally Controlled Electronic Health Records Act 2012 compels registered repository operators, registered portal operators and the System Operator to report data breaches. Depending on the circumstances, operators may have to report a data breach to the System Operator, the Information Commissioner or both. If a registered repository operator or registered portal operator fails to notify the relevant body of a data breach, they may be subject to a civil penalty.

What happens to an eHealth record if a consumer’s registration is cancelled?

When a consumer’s registration in the eHealth record system is cancelled, their eHealth record is deactivated by the System Operator.

Upon an eHealth record being deactivated:

• all documents in the eHealth record will be kept in the eHealth record system;
• the eHealth record will not be able to be accessed in an emergency situation;
• a consumer will only be able to access their eHealth record by making a request to the System Operator;
• healthcare providers will only be able to access the consumer’s eHealth record where authorised by law;
• healthcare providers will not be able to upload records to the eHealth record;
• the eHealth record may still be accessed by the System Operator for the purposes of maintenance, audit and other purposes authorised by law.

The key records that form part of a deactivated eHealth record, including any shared health summary, will be stored in the National Repositories Service for a period of 30 years after the consumer’s death, and if a date of death is unknown, for a period of 130 years after the record was uploaded. All other records in an eHealth record will be retained for a minimum of 15 years by the System Operator using a registered repository operator.

Please note that a healthcare organisation that authored a clinical document which was uploaded to a consumer’s eHealth record will have a copy of this clinical document saved in their clinical information system regardless of whether the consumer’s eHealth record has been cancelled.

Please note that health information uploaded to a consumer’s eHealth record will still be accessible to healthcare providers and other organisations after cancellation where registered repository operators continue to provide healthcare providers (and other registered organisations used by healthcare providers) with access to health information which was previously downloaded by them from a person’s eHealth record with that person’s consent.

If an application is made to reapply for registration, the reactivated eHealth record may include information (including health information) which was included in the eHealth record immediately prior to it being deactivated.
Please note that if an eHealth record has been cancelled due to the death of a consumer, it is not able to be reactivated.

Application of States and Territory privacy laws

Where a healthcare provider downloads health information from a consumer’s eHealth record into the healthcare provider organisation’s clinical information system, the local State or Territory privacy law will apply to that downloaded information.