What providers need to know about the new My Health Records Rules and Regulations
Recent updates to the My Health Records Rules 2026 and My Health records Regulations 2026:[1]
- introduce expanded requirements for technical adjustments including Interoperability Requirements;
- update the list of preserved privacy protections;
- consumers can choose to be notified in relation to certain situations where their My Health Record is accessed by a healthcare provider organisation or a nominated representative;
- to specify certain categories of operational information which now must be retained for either two or five years; and
- to reflect current expectations regarding cyber security standards.
Health and aged care providers who connect with the My Health Records system should review and update their mandatory Security and Access Policy.
Under the transitional arrangements some rules immediately commence on 1 April 2026, with others coming into force on 1 October 2026.
My Health Records Security and Access Policies, and broader security practices, should be reviewed and updated at least annually and following any significant changes to the My Health Records legislation.
Health Legislation Amendment (Modernising My Health Record—Sharing by Default) Act 2025
The Health Legislation Amendment (Modernising My Health Record—Sharing by Default) Act 2025 was passed under the My Health Records Act 2012 (Cth) (as amended) and received assent on 14 February 2025.
The new legislation requires certain healthcare providers, beginning with pathology and imaging services, to upload key health information to the My Health Record system under the Health Legislation Amendment (Modernising My Health Record—Sharing by Default) Act 2025 and the My Health Record (Share by Default) Rules 2025.
Certain healthcare providers must upload key health information to My Health Record unless an exception applies. This is intended to give consumers better and faster access to test results and other important health information.
An upload exception applies, for example, where an individual or their authorised representative has advised the entity connecting to the My Health Records System that the information must not be uploaded to the My Health Record System. [2]
What providers should do now
Providers should take steps now to ensure they remain compliant with these requirements, including:
- reviewing and updating their My Health Records Security and Access Policy;
- confirming whether they are subject to the ‘share by default’ requirements;
- identifying what information must be uploaded and when;
- reviewing systems and processes to ensure information can be uploaded within requirement timeframes; and
- training staff on updated obligations and exceptions, including when information should not be uploaded.
If you would like support understanding how these changes apply to your organisation or updating your policies and processes, please contact our team.
Contacts
