Routine Rule Added Final

My Health Records Rules 2026

AU Federal Legislative Instruments (7-day), www.legislation.gov.au
Published March 31st, 2026
Detected March 31st, 2026

Summary

The Australian Department of Health, Disability and Ageing issued the My Health Records Rules 2026 (F2026L00392), establishing detailed operational requirements for the My Health Record system under the My Health Records Act 2012. The Rules cover access controls, automatic suspension and cancellation of access, definitions of authorized and nominated representatives, and functions of the System Operator and Chief Executive Medicare.

What changed

The My Health Records Rules 2026 (F2026L00392) establish comprehensive regulatory requirements for the Australian My Health Record system, authorized by the My Health Records Act 2012. The instrument contains 14 named provisions organized across two parts: Part 1 covers preliminary matters including definitions of authorized and nominated representatives of healthcare recipients, specifying persons to whom healthcare identifier requirements do not apply; Part 2 addresses System Operator functions including access control mechanisms that registered healthcare recipients can set, default access controls, and circumstances for automatic suspension or cancellation of access to a My Health Record.

Healthcare provider organisations, nominated representatives, and system administrators should review their access control procedures and record management practices to ensure compliance with these Rules, which take effect on 31 March 2026. Healthcare recipients and their authorized representatives should understand the new default access controls and automatic suspension/cancellation circumstances. The instrument supersedes prior My Health Records Rules and organisations should update their compliance documentation accordingly.

What to do next

  1. Review access control mechanisms against sections 8-11 for compliance with new requirements
  2. Update internal procedures for automatic suspension and cancellation of My Health Record access
  3. Align nominated representative definitions and processes with sections 6-7

Source document (simplified)

My Health Records Rules 2026

In force
Administered by
- Department of Health, Disability and Ageing
This item is authorised by the following title:


Table of contents
- Part 1—Preliminary
- 1 Name
- 2 Commencement
- 3 Authority
- 4 Schedules
- 5 Definitions
- 6 Definition of authorised representative of a healthcare recipient—persons to which healthcare identifier not required to have been assigned
- 7 Definition of nominated representative of a healthcare recipient—persons to which healthcare identifier not required to have been assigned
- Part 2—The System Operator and the functions of the Chief Executive Medicare
- Division 1—Functions of the System Operator—requirements for access control mechanisms
- 8 Access controls set by registered healthcare recipients for access by healthcare provider organisations and nominated representatives
- 9 Default access controls
- 10 Circumstances for automatic suspension of access to a healthcare recipient’s My Health Record
- 11 Circumstances for automatic cancellation of access to a healthcare recipient’s My Health Record
- Division 2—Functions of the System Operator—other functions conferred by this instrument
- 12 Purpose of this Division
- 13 Deleting information or a record in the My Health Record system in certain circumstances
- 14 Suspending access to the My Health Record system if security, integrity or operations are or may be compromised
- 15 Providing a mechanism to access My Health Record system
- Part 3—Registration
- Division 1—Registering healthcare recipients
- 16 Matters System Operator to have regard to
- Division 2—Registering healthcare provider organisations
- Subdivision A—When organisations are eligible for registration—requirements organisations must comply with
- 17 Purpose of this Subdivision
- 18 Organisation officers must have authority to act on behalf of organisation
- 19 Organisation must give System Operator and service operator certain information
- 20 Organisations that are network organisations—seed organisation for network must be a registered healthcare provider organisation
- 21 Organisation must have security and access policy
- 22 Organisation must give System Operator security and access policy on request
- Subdivision B—Condition of registration—uploading of records, etc
- 23 Kinds of records
- 24 Prescribed circumstances
- Division 3—Registering repository operators and portal operators
- 25 Purpose of this Division
- 26 Person must have an operator officer
- 27 Person must have security and access policy
- 28 Person must give security and access policy to System Operator with application for registration
- 29 Person must have technical and after-hours contacts
- Division 4—Registering contracted service providers
- 30 Purpose of this Division
- 31 Person must have a contracted service provider officer
- 32 Person must have security and access policy
- 33 Person must give security and access policy to System Operator with application for registration
- Division 5—Cancellation, suspension and variation of registration
- 34 Requirements after registration is cancelled or suspended—retention, transfer or disposal of records
- Part 4—Other matters—conditions on the registration of participants in the My Health Record system
- Division 1—Preliminary
- 35 Purpose of this Part
- Division 2—Registered healthcare provider organisations
- 36 Complying with directions to delete information or a record
- 37 Uploading records
- 38 Notifying System Operator of certain matters
- 39 Compliance with interoperability requirements
- 40 Providing assistance to the System Operator on request
- 41 Uploading advance care planning information
- 42 Organisations that are network organisations—seed organisation for network must be a registered healthcare provider organisation
- 43 Security and access policy—general
- 44 Security and access policy—giving to System Operator on request
- 45 Security and access policy—application record-keeping
- 46 Security and access policy—giving application records to System Operator on request
- Division 3—Registered repository operators and portal operators
- 47 Application
- 48 Complying with directions to delete information or a record
- 49 Ensuring operator officer carries out duties
- 50 Notifying System Operator of certain matters
- 51 Compliance with interoperability requirements
- 52 Providing assistance to the System Operator on request
- 53 Security and access policy—general
- 54 Security and access policy—giving to System Operator on request
- 55 Security and access policy—application record-keeping
- 56 Security and access policy—giving application records to System Operator on request
- Division 4—Registered contracted service providers
- 57 Application
- 58 Complying with directions to delete information or a record
- 59 Ensuring contracted service provider officer carries out duties
- 60 Notifying System Operator of certain matters
- 61 Compliance with interoperability requirements
- 62 Providing assistance to the System Operator on request
- 63 Security and access policy—general
- 64 Security and access policy—giving to System Operator on request
- 65 Security and access policy—application record-keeping
- 66 Security and access policy—giving application records to System Operator on request
- 67 Accessing the My Health Record system or using health information included in a healthcare recipient’s My Health Record
- Part 5—Other requirements relating to the My Health Record system
- 68 Purpose of this Part
- 69 Requirements for System Operator—system availability
- Part 6—Other matters—authorised representatives and nominated representatives
- 70 Requirement for System Operator—identity verification for healthcare recipients on ceasing to have an authorised representative
- Part 7—Opt-out model for the participation of healthcare recipients in the My Health Record system
- 71 Opt-out model applies to all healthcare recipients in Australia
- Part 8—Application, transitional and saving provisions
- Division 1—Provisions for this instrument as originally made
- 72 Security and access policy requirements for certain registered entities existing immediately before 1 April 2026
- Schedule 1—Repeals of instruments
- My Health Records (Assisted Registration) Rule 2015
- My Health Records (National Application) Rules 2017
- My Health Records (Opt-out Trials) Rule 2016
- My Health Records Rule 2016

Named provisions

- Part 1—Preliminary
- Part 2—The System Operator and the functions of the Chief Executive Medicare
- Division 1—Functions of the System Operator—requirements for access control mechanisms
- Division 2—Functions of the System Operator—other functions conferred by this instrument
- Access controls set by registered healthcare recipients
- Default access controls
- Circumstances for automatic suspension of access
- Circumstances for automatic cancellation of access
- Deleting information or a record in the My Health Record system

Classification

Agency
DoH
Published
March 31st, 2026
Instrument
Rule
Legal weight
Binding
Stage
Final
Change scope
Substantive
Document ID
F2026L00392

Who this affects

Applies to
Healthcare providers, Patients, Government agencies
Industry sector
6211 Healthcare Providers
Activity scope
Health Record Access Management, Healthcare Identifier Assignment, Nominated Representative Designation
Geographic scope
Australia AU

Taxonomy

Primary area
Healthcare
Operational domain
Compliance
Topics
Data Privacy, Public Health
