Implementation of the My Health Record System

In 2019 the Auditor-General, Grant Hehir, commissioned a team of auditors to undertake an independent performance audit of the Australian Digital Health Agency (ADHA) and the Department of Health. The report developed from the audit is titled Implementation of the My Health Record System, and can be found here.

04 Dec 2019

Reason for the Audit

The My Health Record system collates electronic summaries of individuals’ health information.  This information can be accessed by different healthcare professionals involved in a person’s care (as well as by the individual themselves).  

The system is intended to generate personal benefits for individuals and economic benefits for the health system.  However, achieving the intended benefits requires increasing access to information, while managing the inherent privacy and cyber security risks of making that information more readily available. 

During the audit no individual My Health Records were examined.


Audit Methodology

The audit team:

•     Examined ADHA and Department of Health information;

•     Reviewed the Senate Inquiries' final reports and individual submissions;

•     Interviewed ADHA and Department of Health staff; and

•     Interviewed Services Australia, Digital Transformation Agency, and Office of the Australian Information Commissioner staff.


Audit Findings

  • Implementation of the My Health Record system was largely effective.
  • Implementation planning for and delivery of My Health Record under the opt-out model was effective in promoting achievement of its purposes.
  • Implementation planning and execution were appropriate and were supported by appropriate governance arrangements.
  • Communication activities were appropriate to inform healthcare recipients and providers.
  • Risk management for the My Health Record expansion program was partially appropriate.
  • Risks relating to privacy and the IT system core infrastructure were largely well managed, informed by several privacy risk assessments and the implementation of key cyber-security controls.


Audit Recommendations

Recommendation 1

ADHA conduct an end-to-end privacy risk assessment of the operation of the My Health Record system under the opt-out model, including shared risks and mitigation controls, and incorporate the results of this assessment into the risk management framework for the My Health Record system.


Recommendation 2

ADHA, with the Department of Health and in consultation with the Information Commissioner, review the adequacy of its approach and procedures for monitoring use of the emergency access function and notifying the Information Commissioner of potential and actual contraventions.


Recommendation 3

ADHA develop an assurance framework for third party software connecting to the My Health Record system — including clinical software and mobile applications — in accordance with the Information Security Manual.


Recommendation 4

ADHA develop, implement and regularly report on a strategy to monitor compliance with mandatory legislated security requirements by registered healthcare provider organisations and contracted service providers.


Recommendation 5

ADHA develop and implement a program evaluation plan for My Health Record, including forward timeframes and sequencing of measurement and evaluation activities across the coming years, and report on the outcomes of benefits evaluation.