Healthcare provider organisations participating in My Health Record must operate in accordance with relevant legislation, including establishing and maintaining a security and access policy.
The My Health Records Rule 2016 (the 2016 Rule) has been replaced with the My Health Records Rules 2026 (the 2026 Rules), effective 1 April 2026. Under the 2026 Rules, revised security and access policy requirements are outlined in Rules 21 and 43. These Rules replace Rules 42 and 44 of the 2016 Rule. While the core requirements remain largely consistent, several key changes have been introduced. These include changes to requirements concerning user account management, training and security measures, and a new requirement to include processes for responding to My Health Record data breaches. In addition to the policy itself, organisations must keep records showing how the policy has been applied. Retention periods for these records are outlined in Rule 45 of the 2026 Rules.
We recommend that all organisations that use My Health Record review their security and access policy now, ensuring it complies with the requirements of the 2026 Rules.
- Organisations registered with the My Health Record system before 1 April 2026 must update their security and access policy by 1 October 2026, in line with the 2026 Rules.
- Organisations registering for My Health Record from 1 April 2026 must develop a security and access policy in accordance with the 2026 Rules.
The following information can assist organisations in updating their policy in accordance with the new requirements:
- My Health Record participation obligations
- Updated My Health Record Organisation Registration Checklist
- Recommended My Health Record Training resources
- Department of Health, Disability and Ageing FAQs document on My Health Record legislative changes
Contact the WNSWPHN Digital Health team (digitalhealth.team@wnswphn.org.au) for further support.






