All templates
My Health Records Act · Section 64

My Health Record Emergency Access Procedure Template — Section 64

Procedure for using emergency access to a patient's My Health Record under section 64 of the Act. Defines the four-part legal test, step-by-step procedure, documentation expectations, audit review, and a printable emergency access log.

My Health Records Act 2012My Health Records Rule 2016

This template is available on a paid plan

Subscribe to ClinicComply to download the My Health Record Emergency Access Procedure template and access all policy templates.

View plans

What's in this template?

This procedure governs the most legally sensitive operation a clinician can perform in the My Health Record system: accessing a patient's record without their consent in an emergency. Section 64 of the My Health Records Act 2012 permits this access only where strict criteria are met. This template documents the criteria, the step-by-step procedure, the audit and review obligations, and provides a printable Emergency Access Log so every use is properly recorded.

The template covers 11 sections plus a sign-off block and Appendix A — Emergency Access Log:

  1. Purpose — anchored to section 64 of the My Health Records Act 2012
  2. Scope — clinical staff who may need emergency access
  3. When emergency access is permitted — the four-part legal test as a clear table
  4. Examples — when emergency access is appropriate, and when it is not
  5. Procedure — step by step — confirm criteria, access, provide care, document, review
  6. Roles and responsibilities — clinician using emergency access, Responsible Officer
  7. Audit and oversight — automatic System Operator logging, monthly reconciliation
  8. Breach handling — what happens if a clinician got it wrong
  9. Training — links to the Staff Training and Awareness Procedure
  10. Related documents
  11. Review — 2-yearly cycle

Appendix A — Emergency Access Log: a printable table for every emergency access, with columns for date/time, patient identifier, clinician HPI-I, reason, reviewer, and review date.

Editable placeholder fields

  • {{practice_name}}, {{abn}}, {{hpi_o}}, {{practice_address}}, {{phone}}, {{email}}
  • {{responsible_officer}} — the person who reviews every emergency access entry
  • {{review_date}}, {{next_review_date}}

Why this procedure matters

Section 64 is a deliberately narrow exception to the general rule that My Health Record access requires patient consent. Misusing it is one of the fastest ways to attract enforcement action from the Australian Digital Health Agency or the OAIC.

Two facts every clinician must understand before using emergency access:

  • The System Operator automatically logs every emergency access and these logs are reviewable
  • A clinician who knowingly accesses a record outside section 64 commits a criminal offence with penalties of up to 2 years' imprisonment under sections 59 to 62 of the Act

The procedure makes the section 64 criteria unambiguous so clinicians can act quickly and lawfully in a genuine emergency, while the practice owner retains the audit visibility needed to detect misuse early.

When emergency access is permitted

Section 64 of the Act allows a registered healthcare provider to collect, use, or disclose information in a patient's My Health Record without consent only when all four of these criteria are met:

  • The clinician reasonably believes access is necessary to lessen or prevent a serious threat to the individual's life, health, or safety
  • It is unreasonable or impracticable to obtain consent (the patient is unconscious, severely confused, or otherwise unable to consent)
  • The access is by a registered healthcare provider (or a person under their direct supervision)
  • The information will be used only to provide healthcare to that individual in response to the threat

If any criterion is not met, the clinician must rely on other clinical sources rather than emergency access. The template lays this out as a table on page 4 so it can be referenced at the point of decision.

Examples to anchor the rule

The procedure includes worked examples to make the rule concrete:

Appropriate uses of emergency access:

  • Unconscious patient brought to the practice with no relatives present
  • Home visit to a confused or post-ictal patient who cannot give allergy or medication history
  • Anaphylaxis where the clinician must confirm allergies and current medication immediately
  • Locum providing acute out-of-hours care to a patient whose record is not in the local clinical system

Not appropriate (these would be breaches if emergency access was used):

  • Looking at a record "just in case" before a routine appointment
  • Convenience — the patient is in front of you and consent could easily be obtained
  • Reception staff confirming a Medicare number
  • Working around a patient who has restricted access under their own controls

Section 64 requirement

Section 64 sits within Part 4, Division 1 of the My Health Records Act 2012. It is one of a small set of statutory exceptions to the general rule, in section 65, that My Health Record information may only be collected, used, or disclosed with consent or for a directly related purpose the consumer would reasonably expect. Every emergency access creates an audit log entry visible to the System Operator, and the Australian Digital Health Agency periodically reviews emergency access patterns.

How to customise this template

  1. Download the Word document and replace every {{placeholder}} with your details
  2. Brief every clinician on the four-part test in section 3 and the worked examples in section 4
  3. Decide where the Emergency Access Log lives — printed in a clinical workroom, in your practice's incident management system, or in a shared drive accessible to clinicians and the Responsible Officer
  4. Set the audit cadence — within 24 hours per entry is the procedure's default; monthly reconciliation against the System Operator's audit logs is also built in
  5. Add it to the training matrix — emergency access is one of the seven mandatory topics in the Staff Training and Awareness Procedure
  6. Have it approved by the Responsible Officer in the sign-off table
  7. Communicate the procedure to all clinicians and locums before they next have access to the system

Related templates

  • My Health Record Security and Access Policy — the parent Rule 42 policy
  • My Health Record Staff Training and Awareness Procedure — the training program that covers emergency access
  • Clinical Handover Policy — how emergency access information is communicated within the clinical team
  • Data Breach Response Plan — what happens if an emergency access turns out to have been outside section 64

Frequently asked questions

When can a clinician access a My Health Record without consent?

Only in the circumstances described in section 64 of the My Health Records Act 2012: where the clinician reasonably believes access is necessary to lessen or prevent a serious threat to the patient's life, health or safety; it is unreasonable or impracticable to get consent; the access is by a registered healthcare provider; and the information is used only to provide healthcare in response to that threat. All four criteria must be met. If any is missing, the clinician must rely on other clinical sources of information.

What is the section 64 emergency access provision?

Section 64 is the part of the My Health Records Act that creates a narrow exception to the general consent requirement. It permits authorised collection, use and disclosure of information in a My Health Record without consent in genuine clinical emergencies. It is not a general convenience provision — every emergency access is automatically logged and reviewable.

What records must be kept of emergency access?

The Act requires the clinician to make a written note of why they believed access was necessary. This procedure satisfies that obligation through Appendix A, the Emergency Access Log. Each entry records the date and time, patient identifier, clinician HPI-I, the reason emergency access was used, the reviewer, and the date of review. The patient's clinical record should also note that My Health Record was accessed under section 64.

Who reviews emergency access at our practice?

Under this procedure, the Responsible Officer reviews every emergency access entry within 24 hours of it being logged. The Responsible Officer also reconciles the local Emergency Access Log against the System Operator's automatic audit logs at least monthly. Any access that does not appear to meet the section 64 criteria is treated as a suspected breach.

What happens if emergency access is used incorrectly?

If an emergency access turns out to have been outside section 64 — for example, the patient could in fact have consented, or access was for a non-clinical purpose — the Responsible Officer treats it as a breach. The breach is investigated under the Security and Access Policy, and notification to the System Operator and the OAIC may be required under section 75 of the Act and the Notifiable Data Breaches scheme. Knowingly accessing outside section 64 may also be a criminal offence with penalties up to 2 years' imprisonment.

Can a practice nurse use emergency access?

Yes, where they are providing emergency clinical care under the supervision of a registered medical practitioner and the four section 64 criteria are met. Reception staff and other non-clinical workers cannot use emergency access — the provision is limited to registered healthcare providers and people working under their direct supervision.

Does this procedure apply to telehealth or after-hours care?

Yes. The procedure applies to all clinicians acting under your HPI-O, including locums and after-hours providers. If your practice uses an after-hours deputising service, the deputising service operates under its own HPI-O and its own Rule 42 policy. The procedure is most often invoked at the practice for home visits and in-clinic acute presentations where a patient cannot consent.

Should the patient be told their record was accessed?

Where possible, yes. The procedure expects the clinician to inform the patient (or their substitute decision-maker) at the earliest practicable opportunity that emergency access was used. This builds trust and aligns with the open-disclosure expectations of professional codes of conduct, even though the Act does not strictly require it.

Related templates

Rule 42(2)(a)

My Health Record Staff Training and Awareness Procedure

Procedure that satisfies Rule 42(2)(a) by setting out how staff are trained before being granted My Health Record access, the topics covered, the knowledge check, refresher cadence, and a printable training register for audit evidence.

View template
Rule 42

My Health Record Security and Access Policy

The Rule 42 policy required of every registered My Health Record provider organisation. Covers responsible officer duties, authorisation of users, identification and authentication, physical and technical security, breach response, audit and review.

View template
C6.3

Privacy Policy

A comprehensive privacy policy covering the 13 Australian Privacy Principles (APPs), patient data collection, use, disclosure, and storage. Includes state-specific Health Records Act references.

View template
30-day free trial, no credit card

Your next accreditation visit starts today.

Join Australian GP clinics and medical practices that have replaced spreadsheets and email threads with a single healthcare compliance platform. Your free trial starts the moment you sign up.

Start your 30-day free trialView all features
No credit card required
Australian data residency (Sydney)
Cancel anytime