The Federal Government's digital health agency has moved to reassure Australians that their online My Health Record data will be safe, as the opt-out period begins.

Key points: The Government says patients' online health data will be safe

The Government says patients' online health data will be safe It's up to patients to set their own privacy and access settings

It's up to patients to set their own privacy and access settings Cyber security experts warn no system can be 100 per cent secure

From Monday, people who do not want their medical records stored on the national electronic database will have three months to opt out.

Steve Hambleton from the Australian Digital Health Agency (ADHA) said after October 15, there would be a month of auditing who was in and who was out.

"If you haven't deliberately opted out by the end of 2018, you will have a My Health Record," Dr Hambleton said.

As part of My Health Record, patients and doctors can upload medical information such as prescriptions, allergies and medical summaries to their record, and users can decide what is there and who can see it.

"Patients control access to the record, so they can switch off their entire record and make it only available using a pin code, or use that process with individual documents," Dr Hambleton said.

Patients can get an SMS or email anytime someone new accesses their record — but it is up to individuals to set up those privacy and access settings.

Robert Merkel, a software engineering lecturer at Monash University, said he was worried the safeguards were not in place by default.

"I am concerned that most people simply aren't going to be aware of those privacy controls," Dr Merkel said.

Have you set up your record? Share your story and email Specialist.Team@abc.net.au

Many people who do not opt out and end up with a My Health Record may never log into the system and set their controls, said Dr Trent Yarwood, an infectious diseases physician. He represents the digital advocacy group, Futurewise.

"Having [access controls] opt-in is complex, because it means it skews to people with better health literacy," he said.

Selling data to third parties 'absolutely prohibited'

A number of third-party health apps will be able to show patients their My Health Record data, but not store it.

However, Dr Hambleton said strict security safeguards were in place.

"I can absolutely categorically state that none of the apps and none of the use of the My Health Record data will be able to be sold to third parties — that's absolutely prohibited," he said.

Earlier this month, it was revealed Australia's biggest online doctor booking service, Healthengine — one of My Health Record's partner apps — had been passing on patient information to third parties, including legal firms.

Patients and doctors will be able to add medication summaries to My Health Record. ( Getty images: Jeff Greenberg )

The company has since announced it would stop sharing patient data. Health Minister Greg Hunt also ordered an "urgent review" of the platform.

Dr Merkel said he had reservations about app access, even if it was limited to "view-only".

"Just because all you can do is view, doesn't mean there are no security concerns," he said.

"If somebody's private medical record is viewed by somebody who they didn't authorise to do it — that's obviously a very serious concern."

My Health Record security concerns remain

The ADHA said My Health Record had sophisticated cybersecurity protections and was regularly audited.

But security experts warned no online database could protect against all possible threats, and healthcare data was an attractive target.

Dr Merkel said he was worried that by design, My Health Record would make health data available to more medical practitioners than before.

While this has clinical benefits, it also creates more opportunities for something to go wrong, he said, whether due to an administrative error or a hack.

Many privacy breaches of health data can be insider threats, Dr Yarwood pointed out, such as doctors looking up files of celebrities or high-profile patients.

While My Health Record provides an online access log, so you can see if someone has accessed your record, he said he was concerned a population level system could make this type of breach more likely.

"It's right that there's an audit trail, but audit trails don't give people back their confidentiality," he said.

However, ADHA chief executive officer Tim Kelsey said the new online platform offered advantages over the old paper-based system.

"The ability to have an audit trail, I think … is a vitally important asset of digital technology," he said.

"Paper-based healthcare offers us no means of actually understanding whether our information is secure or not."

New system will reduce medication errors: ADHA

Each year, as many as 230,000 Australians end up in hospital due to medication errors.

Dr Hambleton said he believed the new electronic health record system would reduce that rate.

"I have patients who run around with some raggedy pieces of paper in their pocket with their current medications on it," he said.

He said the biggest risk for the public was having a complex health problem and not having their information easily accessible.

For his part, Dr Yarwood said he was not entirely convinced of the clinical benefits.

He suggested the usefulness of My Health Record depended on the quality of the documents uploaded by health workers or patients.

As a specialist, he said he could not always rely on referral letters from other doctors to be complete or accurate.

"It's a document archive of whatever people want to upload there, rather than a comprehensive medical record," he said.

Ultimately, Dr Yarwood encouraged users to understand the access and privacy controls available to them, and to make the decision that works best for their health status.

"People who have got complex … diseases, who see lots of different specialists, there's definitely benefits to having this sort of system, provided it's used well," he said.

"But I would be explaining to them the potential risks … and getting them familiar with the privacy controls."