Digital health reforms: the Regulatory Reform Omnibus Act

5 minute read 04.02.2026 Kate Dimes Letters and Heather Moriarty

The Regulatory Reform Omnibus Act 2025 introduces reforms across several areas of the healthcare sector. This article examines the amendments to the healthcare identifier framework, My Health Record and the Australian Immunisation Register.

Passed by the Australian Parliament on 27 November 2025 and assented to on 4 December 2025, the Regulatory Reform Omnibus Act 2025 (Cth) (RRO Act) introduces amendments to legislation that establishes health-related systems such as the My Health Record and the use of healthcare identifiers. The reforms aim to streamline regulatory processes and improve the provision of healthcare in Australia.

Whilst most of the changes took effect on 5 December 2025, a few provisions have a delayed commencement. Where this is the case, we have made note of the commencement date below.

Healthcare identifiers

Healthcare identifiers are unique 16-digit numbers used to identify individuals (Individual Healthcare Identifiers or IHIs) and healthcare providers (Healthcare Provider Identifiers or HPIs). The purpose of the healthcare identifier framework is to assist healthcare providers with accessing patient records and securely and accurately communicating patient information to other providers. The reforms aim to clarify and increase the use of healthcare identifiers and to promote a more integrated experience for patients utilising different healthcare services.

Expansion of the Healthcare Provider Directory

The Healthcare Identifiers Act 2010 (Cth) (HI Act) allows 'identified healthcare providers' (individuals, organisations and support services that have a HPI) to access the Healthcare Provider Directory (Directory) to share healthcare identifiers with one another.

The RRO Act streamlines processes by making it possible for healthcare identifiers, identifying information and other professional and business details of all identified healthcare providers to be disclosed to other providers in the Directory by default without needing to obtain their agreement first. The information to be published is limited and there are mechanisms for identified healthcare providers to request removal of their personal information.

Entities authorised to access the Directory are able to communicate between each other about healthcare and support services for the purpose of health administration. Notably, the RRO Act establishes a Healthcare Provider Directory Operator (Directory Operator) to maintain the Directory and facilitate the sharing and disclosure of information between entities.

The RRO Act also expands the bases upon which healthcare identifiers can be handled / used to allow certain prescribed entities, including health administration entities, to access the Directory.

Opt-out instead of opt-in

The RRO Act shifts the process for disclosing provider information in the Directory from an 'opt-in' model to an 'opt-out' model. This allows the Directory Operator to disclose healthcare providers' information to other healthcare providers without their consent, unless they specifically request for their information not to be shared. By shifting to an opt-out system, the RRO Act seeks to streamline providers' access to services such as electronic prescribing and electronic referrals.

Expanded uses and disclosures of Healthcare Identifiers

The RRO Act expands the entities that can use and disclose healthcare identifiers to include:

Health Technology Providers: Due to commence on 1 February 2027, new provisions introduced by the RRO Act will permit health technology providers (such as providers of wearable devices and health monitoring apps) to collect, use and disclose healthcare identifiers. Healthcare identifiers must only be collected, used and disclosed with patient consent and for the 'permitted health technology purpose' of assisting the health technology provider to communicate with patients, providers and health administration entities about patient healthcare.
Employers and Insurers: The RRO Act removes the restriction that prevents employers and insurers from collecting, using or disclosing healthcare identifiers when handling health information for employment or insurance purposes. The intention of the restriction was to stop employers and insurers from accessing personal health records and using them to make decisions about employment or insurance coverage. However, this has also meant that care provided through an employer or insurer cannot be linked to the recipient’s healthcare identifier. Repealing the restriction allows health information to be linked to individuals using their healthcare identifiers, without changing the information employers or insurers are legally able to access.
Subcontractors: Authorisation for contractors to handle healthcare identifiers is expanded to subcontractors. This change acknowledges and accounts for the need for information technology and information management contractors to subcontract duties to other contractors to be able to carry out the purpose of their contracts.
Research institutes: A healthcare recipient can agree to an entity collecting, using or disclosing their healthcare identifier for the purpose of assisting the entity to conduct research that has been approved by a Human Research Ethics Committee or is authorised by another Australian law.

My Health Records

The My Health Records Act 2012 (Cth) (MHR Act) prohibits the use of health information obtained from a healthcare recipient's My Health Records for a prohibited purpose. The RRO Act expands the protections for data held in patients' My Health Records.

New amendments to the MHR Act prohibit the use or communication of information where the information was sourced from My Health Records, downloaded or saved to a local system for an authorised purpose, and then subsequently used for a prohibited purpose. Prohibited purposes currently include:

underwriting or determining whether to give the healthcare recipient insurance coverage;
determining whether an insurance policy covers a healthcare recipient in relation to a particular event; and
decisions about employing or continuing or ceasing to employ a healthcare recipient.

Australian Immunisation Register

The RRO Act introduces provisions that give providers the option of having their provider healthcare identifier included on the Australian Immunisation Register, alongside existing provider identification information. These amendments aim to improve system interoperability and enable more efficient information sharing across Australia's digital health infrastructure.

Data standards

The RRO Act introduces a Part 5AA in the HI Act. The new Part 5AA gives the Secretary the power to make data standards about health information and other clinical data. The standards may cover matters including the format and description of health information, storage and disclosure requirements, interoperability of clinical information management systems and health terminology. The standards aim to increase the accuracy and efficiency of data exchange across the Australian healthcare system by providing a standardised approach to data formatting and storage. Before making any data standard, the Secretary must consult with the Health Chief Executives Forum and must comply with any Ministerial determinations. All data standards will be published on the internet and be accessible for free, though the standards themselves are not a legislative instrument.

The RRO Act represents a comprehensive effort to achieve a more integrated patient experience and enable a safer and more accurate exchange of health information within Australia. If you have any questions or concerns about the RRO Act, we would be happy to assist you.