My Health Records Act
How Scrutex Supports My Health Records Act Compliance
Executive Summary
The My Health Records Act governs Australia's national digital health record system. Unauthorised access is a criminal offence with penalties including imprisonment. With the majority of Australians now having a My Health Record following the opt-out model, system security is a significant public concern. Scrutex supports healthcare providers with continuous monitoring of systems connecting to My Health Record, vendor oversight for clinical software providers, credential exposure detection, and brand protection against fake healthcare portals.
About My Health Records Act
The Act establishes the legal framework for My Health Record and imposes strict obligations on participating healthcare providers regarding the security, confidentiality, and integrity of health information. Unauthorised collection, use or disclosure of My Health Record information is both a civil penalty provision and a criminal offence, with a maximum of up to five years' imprisonment since the 2018 Strengthening Privacy amendments raised the penalty from two years. Since the opt-out period closed in early 2019, the vast majority of Australians have a My Health Record, making the security of every participant's systems a matter of significant public trust.
Geographic and Sector Applicability
The Act applies to registered healthcare provider organisations participating in My Health Record, including hospitals, GP clinics, pharmacies, pathology labs, and allied health providers. Contracted service providers that supply or host the systems providers use to connect can register under the Act and are regulated directly; other technology vendors are within scope indirectly, through the obligations of the providers they serve.
Who Should Care
Practice Manager / CIO
Responsible for the security of the practice systems that connect to My Health Record.
CISO (larger organisations)
Owns the security programme protecting health record access.
Clinical Software Vendor Relationship Manager
Must ensure vendor systems meet security requirements.
Key Risks of Non-Compliance
Criminal penalties including imprisonment for unauthorised access to health records.
Civil penalties and regulatory action by the OAIC.
Loss of My Health Record participation status.
Public trust damage in healthcare communities.
Common Compliance Gaps
Exposed Clinical System Interfaces
Clinical software portals and patient management systems are sometimes reachable from the internet, and each exposed interface is a potential path to the My Health Record data those systems can access.
Clinical Software Vendor Security
Many healthcare providers have limited visibility into the security posture of the clinical software vendors that supply the systems connecting them to My Health Record.
How Scrutex Supports My Health Records Act Compliance
Scrutex capabilities mapped to My Health Records Act requirements.
Clinical System Exposure Detection
Scrutex identifies externally exposed clinical systems, patient management portals, and network infrastructure that could provide pathways to My Health Record data.
Scrutex Capabilities
- ✓Clinical system exposure detection
- ✓Vulnerability assessment
- ✓Certificate monitoring
Requirements Addressed
- System security for My Health Record access
Credential Exposure Detection
Healthcare credentials are highly valued on dark web marketplaces. Scrutex detects leaked credentials and data exposures that could facilitate unauthorised access to My Health Record components.
Scrutex Capabilities
- ✓Healthcare credential monitoring
- ✓Dark web surveillance
- ✓Personal information exposure detection
Requirements Addressed
- Credential compromise prevention
- Unauthorised access prevention
Brand Protection
Lookalike domains and fake portals impersonating a legitimate provider can harvest the credentials that patients and staff use to reach systems holding My Health Record data. Scrutex detects these impersonation threats.
Scrutex Capabilities
- ✓Lookalike domain detection
- ✓Fake healthcare portal monitoring
- ✓Takedown facilitation
Requirements Addressed
- Patient protection
- Unauthorised access prevention
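As an added example (not Scrutex code, and not a description of how Scrutex implements the capability above), the following Python shows the core of a lookalike-domain check for a provider brand: it normalises visually confusable characters, decodes punycode (IDN) names, measures one-edit typosquats, and flags brand-plus-keyword and brand-as-subdomain patterns. The brand `northsideclinic.com.au`, the feed of observed domains, the keyword list and the short suffix list are all constructed for illustration; a production check would use the public suffix list and a fuller confusables table.

```python
"""Lookalike-domain detection for a healthcare brand (added example, constructed data)."""
import unicodedata

BRAND = "northsideclinic.com.au"  # constructed brand domain

# Subset of Unicode confusables (Cyrillic -> Latin); real code uses the full table.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0455": "s"}
# ASCII character swaps attackers use; multi-character swaps go first.
ASCII_SWAPS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("4", "a"), ("5", "s"))
# Partial list of two-part public suffixes; a real feed should use the public suffix list.
KNOWN_SUFFIXES = ("com.au", "net.au", "org.au", "gov.au", "id.au", "edu.au")
# Words that suggest a login page aimed at patients or staff.
PORTAL_KEYWORDS = ("login", "portal", "secure", "myhealth", "patient", "record", "mygov")

# Constructed feed of newly observed domains (e.g. from certificate transparency logs).
IDN_SAMPLE = "n\u043erthsideclinic.com.au".encode("idna").decode("ascii")  # Cyrillic 'o'
FEED = ["northsideclinic.com.au", "www.northsideclinic.com.au", "northsideclinic.com",
        "n0rthsideclinic.com.au", "northsidecilnic.com.au", "northsideclinic-login.com",
        "northsideclinic.patient-portal.net", "my-health-record-login.com", IDN_SAMPLE]


def decode_idn(domain):
    """Turn a punycode (xn--) name into its Unicode form; anything else passes through."""
    try:
        return domain.encode("ascii").decode("idna")
    except (UnicodeError, ValueError):
        return domain


def skeleton(label):
    """Collapse visually similar characters so 'rnyc1inic' and 'myclinic' compare equal."""
    label = unicodedata.normalize("NFKD", label.lower())
    label = "".join(CONFUSABLES.get(ch, ch) for ch in label if not unicodedata.combining(ch))
    for src, dst in ASCII_SWAPS:
        label = label.replace(src, dst)
    return label


def split_domain(domain):
    """Return (subdomain labels, registrable label, public suffix)."""
    domain = domain.lower().strip(".")
    for suffix in KNOWN_SUFFIXES:
        if domain.endswith("." + suffix):
            labels = domain[: -len(suffix) - 1].split(".")
            return labels[:-1], labels[-1], suffix
    labels = domain.split(".")
    if len(labels) < 2:
        return [], domain, ""
    return labels[:-2], labels[-2], labels[-1]


def osa_distance(a, b):
    """Optimal string alignment distance: insert/delete/substitute plus adjacent swaps."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(observed, brand):
    """List the reasons `observed` looks like an impersonation of `brand` (empty if clean)."""
    _, b_label, b_suffix = split_domain(brand)
    o_subs, o_label, o_suffix = split_domain(decode_idn(observed))
    if (o_label, o_suffix) == (b_label, b_suffix):
        return []  # the genuine registrable domain, whatever the subdomain
    b_skel, o_skel = skeleton(b_label), skeleton(o_label)
    flat = o_skel.replace("-", "")
    reasons = []
    if o_skel == b_skel:
        reasons.append("tld-swap" if o_label == b_label else "homoglyph")
    elif osa_distance(o_skel, b_skel) == 1:
        reasons.append("typosquat")
    elif b_skel in flat:
        hits = [kw for kw in PORTAL_KEYWORDS if kw in flat]
        reasons.append("brand+keyword:" + ",".join(hits) if hits else "brand-embedded")
    if b_skel in (skeleton(s) for s in o_subs):
        reasons.append("brand-as-subdomain")
    if not reasons and sum(kw in flat for kw in PORTAL_KEYWORDS) >= 2:
        reasons.append("system-keywords")  # low-confidence: generic health-portal phishing
    return reasons


def scan(feed, brand):
    """Map each suspicious domain in `feed` to its reasons; clean domains are dropped."""
    return {d: classify(d, brand) for d in feed if classify(d, brand)}


if __name__ == "__main__":
    for domain, reasons in scan(FEED, BRAND).items():
        print(f"{domain:45} {', '.join(reasons)}")
```

The skeleton comparison is applied to both the brand and the candidate, so a legitimate label containing "rn" is not misread; the cost is an occasional false positive, which is the right trade for a takedown queue that a human reviews.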
Vendor Oversight
Scrutex monitors the security posture of clinical software vendors and managed service providers supporting My Health Record connectivity.
Scrutex Capabilities
- ✓Clinical vendor security monitoring
- ✓Vendor risk scoring
Requirements Addressed
- Vendor security oversight
Compliance Reporting
Structured reports provide evidence of security measures, vulnerability management, and vendor oversight for regulatory engagement.
Scrutex Capabilities
- ✓Security documentation
- ✓Regulatory evidence
Requirements Addressed
- Security documentation and evidence
Quick-Start Compliance Checklist
Run external discovery to identify exposed clinical systems.
Activate credential monitoring for healthcare domains.
Onboard clinical software vendors into Vendor Insights.
Enable Brand Insights for healthcare brand impersonation.
Generate a security posture report for regulatory readiness.
Summary
The My Health Records Act places significant security obligations on healthcare providers participating in Australia's national health record system. With criminal penalties for unauthorised access and millions of Australians relying on the system, security is both a legal and public trust requirement. Scrutex supports healthcare providers with continuous external monitoring, vendor oversight, credential protection, brand monitoring, and compliance documentation.
Related Regulations and Standards
Privacy Act / NDB Scheme: A breach at a healthcare provider can engage both the My Health Records Act's own mandatory data breach notification requirements and the Privacy Act's NDB scheme for other health information the provider holds.
APRA CPS 234: APRA-regulated health insurers may face CPS 234 obligations alongside any My Health Records Act obligations.
Cyber Security Act 2024: Healthcare is affected by Australia's new cybersecurity legislation.
Ready to Strengthen Your Compliance Posture?
Book a personalised demonstration and receive a complimentary external exposure assessment.