Are you using the My Health Record ‘break glass’ function appropriately?

Georgie Haysom, BSc, LLB (Hons) LLM (Bioethics), GAICD, Head of Research, Education and Advocacy, Avant

Sunday, 17 October 2021

Close shot of person using tablet

A patient is brought into your Emergency Department unconscious after a car accident. The patient has been identified from their driver’s licence and Medicare card, but the hospital has no prior records for them. If this patient has restricted access to their My Health Record, can you use the emergency access function to obtain their health information?

Decisions about whether the emergency access function can or should be used usually have to be made quickly and can create confusion for doctors. Any unpermitted use of the emergency access function is considered a contravention of the My Health Records Act and a breach of privacy under the Privacy Act, so it’s important to understand when access is permitted and when it’s not.

In the hypothetical case above, the Emergency Department staff make the call to use the emergency access function for health information that may assist with treating life-threatening injuries to the patient.

It is considered appropriate use in this instance because access to the My Health Record is necessary to prevent serious threat to the patient’s life, the patient had access controls in place that need to be overridden, and it is impossible to obtain the patient’s consent.

What does the emergency access function entail?

If a patient has put restrictions on their My Health Record, healthcare providers can override them using the emergency access function. This function allows you to view any restricted information, except for deleted information, hidden documents and personal health notes. This access is valid for five days, after which it will revert to normal settings.

However, most patients do not have access controls in place so you can view their record in normal settings, without using this function.

When is it appropriate to use the emergency access function?

You can override a patient’s access controls using this function, if you reasonably believe there is a serious threat to the patient’s life and it is not possible to obtain the patient’s consent, or the situation poses a threat to public health and safety.

It’s important to note that working in an emergency department does not automatically authorise you to use the emergency access function.

Regardless of where you work, you must ensure that the requirements for using the emergency access function have been met before you use it.

Unauthorised use of the emergency function

The use of the emergency access function sends an automatic notification to the Australian Digital Health Agency (ADHA), who monitors emergency access use.

If you are aware that a contravention has occurred, you have reporting obligations under section 75 of the My Health Records Act to notify the ADHA and the Office of the Australian Information Commissioner (OAIC) as soon as practicable. This also includes using the emergency access function by mistake.

The ADHA monitors the use of the emergency access function. An audit report by the Australian National Audit office published in 2019/a\ noted that in only 8.2% of cases was the function used as intended. In other words, in more than 90% of cases the emergency access function was not used appropriately.

As a result, the OAIC has developed privacy guidance to help healthcare providers understand their privacy obligations. This guidance includes general advice, case studies, and tips on when and how to use the emergency access function.

The OAIC has also developed FAQs and a flowchart to help healthcare providers decide whether to use the emergency access function, which can be printed and posted in the workplace.

More information

If you require medico-legal advice on any of these issues, you can contact us via email at or if you require immediate advice, call 1800 128 268. We are available 24/7, after hours and on weekends in emergencies.


To Top