(1) A person must not use health information that is or was included in a healthcare recipient's My Health Record for a prohibited purpose.
Civil penalty: 1,500 penalty units.
(2) Subsection (1) does not apply if the information was not collected from, and is not derived from a disclosure that was made by, a person who obtained the information by using or gaining access to the My Health Record system. For this purpose, it does not matter whether or not any collection or disclosure of the information was authorised under this Act or any other law.
Note: A person bears an evidential burden in relation to the matter in subsection (2): see section 96 of the Regulatory Powers (Standard Provisions) Act 2014.
(3) Subsection (1) does not apply if the person is the healthcare recipient, but does apply if the person is the nominated representative of the healthcare recipient (despite subsection 7(2)).