Patient Identity Verification in Australian Healthcare: Privacy Act, My Health Record, and Best Practices
Complete guide to patient identity verification in Australia: Privacy Act 1988, Australian Privacy Principles, AHPRA, My Health Record Act, Medicare number, and automated verification tools for healthcare providers.

Patient identity verification in Australian healthcare is a legal requirement under the Privacy Act 1988, the My Health Records Act 2012, and state/territory health records legislation. The Australian Commission on Safety and Quality in Health Care (ACSQHC) identified patient identification failure as a contributing factor in 7% of sentinel events reported to state health departments in 2023 – incidents that resulted in serious patient harm. Getting identification right is both a safety obligation and a regulatory requirement under Australian law.
What is patient identity verification in Australia?
Patient identity verification is the set of processes healthcare providers use to confirm that the person receiving care is who they claim to be and that their health record is correctly matched to them. In Australia, the primary patient identifier is the Individual Healthcare Identifier (IHI) – a unique 16-digit number assigned to every Australian resident by the Department of Health and Aged Care under the Healthcare Identifiers Act 2010.
The Individual Healthcare Identifier (IHI) is the national standard for patient identification in Australian healthcare. It must be used in all electronic communications of health information between healthcare providers who are connected to Australia's National Healthcare Identifiers (HI) Service. Source: Services Australia – Individual Healthcare Identifier
The IHI is linked to a patient's Medicare number (for eligible residents), their Australian passport, or their driver licence – the three primary means of establishing identity at registration.
Australian regulatory framework
Privacy Act 1988 and Australian Privacy Principles
The Privacy Act 1988 is Australia's primary privacy legislation. The Australian Privacy Principles (APPs) – 13 principles that regulate the collection, storage, use, and disclosure of personal information – apply to all APP entities, including private healthcare providers with annual turnover above $3 million, and all public health agencies regardless of size.
Health information is sensitive information under the Privacy Act (s 6(1)), attracting the highest level of protection. APP 11 requires entities to take reasonable steps to protect health information from misuse, interference, loss, and unauthorised access.
The Office of the Australian Information Commissioner (OAIC) can impose civil penalties up to $50 million for serious or repeated privacy interferences by organisations, following amendments to the Privacy Act effective 2024. Source: OAIC – Privacy Act Review
My Health Record Act 2012
The My Health Record Act 2012 governs Australia's national digital health record system. My Health Record – managed by the Australian Digital Health Agency (ADHA) – stores clinical documents (discharge summaries, pathology results, prescriptions, immunisation history) accessible to authorised healthcare providers and patients.
Healthcare providers must verify patient identity before accessing or uploading documents to My Health Record. The My Health Record Rules 2016 (Rule 12) require that a healthcare provider organisation take reasonable steps to verify the identity of a healthcare recipient before creating or accessing their record. Source: ADHA – My Health Record
As of 2026, more than 24 million Australians have a My Health Record, making accurate patient identity matching critical for system integrity.
Healthcare Identifiers Act 2010
The Healthcare Identifiers Act 2010 established the national Healthcare Identifiers Service, which assigns and manages:
- Individual Healthcare Identifiers (IHI) – for patients
- Healthcare Provider Identifiers – Individual (HPI-I) – for healthcare practitioners
- Healthcare Provider Identifiers – Organisation (HPI-O) – for healthcare organisations
The HI Service is operated by Services Australia (formerly the Department of Human Services). Healthcare providers are legally required to use IHIs when communicating health information electronically. Misuse of a healthcare identifier – including accessing or disclosing an IHI without authorisation – is an offence under the Act carrying penalties up to $22,200 (individual) or $111,000 (body corporate).
ACSQHC National Safety and Quality Health Service Standards
The Australian Commission on Safety and Quality in Health Care (ACSQHC) administers the National Safety and Quality Health Service (NSQHS) Standards, which all accredited hospitals and day procedure services must meet. Standard 5 (Comprehensive Care) and Standard 6 (Communicating for Safety) both require healthcare facilities to:
- Implement a patient identification system using at least three approved patient identifiers
- Confirm patient identity before each clinical intervention
- Use patient identification wristbands in inpatient settings
- Match clinical items (medications, blood products, specimens) to the correct patient
ACSQHC's three approved patient identifiers are: full name, date of birth, and one additional identifier – either IHI, Medicare number, patient medical record number, or address. Source: ACSQHC – NSQHS Standards
State and territory health records legislation
In addition to federal frameworks, each state and territory has its own health records legislation:
- Victoria: Health Records Act 2001 – Privacy Principles for health information
- New South Wales: Health Records and Information Privacy Act 2002 (HRIPA)
- Queensland: Hospital and Health Boards Act 2011; Information Privacy Act 2009
- South Australia: Health Care Act 2008; Information Privacy Principles
- Western Australia: Health Services Act 2016
State health departments also set minimum record retention periods, typically 7 years for adults and until age 25 for minors.
Risks of poor patient identification in Australia
| Risk type | Concrete example | Regulatory consequence |
|---|---|---|
| Wrong patient procedure | Classified as a Sentinel Event | Mandatory notification to state health dept |
| PHI disclosure | Incorrect record accessed in My Health Record | OAIC complaint; ADHA investigation |
| Medicare fraud | Services claimed under another person's Medicare | Services Australia investigation + criminal charges |
| Duplicate IHI | Two IHIs for same person | My Health Record fragmentation |
| Ransomware | Hospital systems encrypted | Mandatory breach notification to OAIC |
Australian healthcare professionals frequently raise two practical questions: how to verify identity for patients who cannot present Medicare cards (tourists, recent arrivals, patients without documents) and how to manage duplicate IHIs – an issue the ADHA acknowledges affects approximately 1% of registered individuals. Both require clear escalation protocols.
Best practices for patient identity verification
1. Three-point identification at every clinical encounter
ACSQHC's National Safety and Quality Health Service Standards require healthcare providers to confirm patient identity using at least three approved identifiers before each clinical intervention:
- Full legal name (as registered with Medicare or the HI Service)
- Date of birth
- IHI, Medicare number, patient MRN, or residential address
These must be confirmed verbally with the patient (or their carer/guardian) at each encounter – never assumed from a previous verification.
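The three-point rule above is easy to get wrong in software: a system that counts "any three fields agree" will accept a record where the date of birth conflicts but three other fields happen to match. The following is an added example (not CheckFile, ACSQHC or clinical-software code) that applies the rule as the page states it: full name and date of birth must both be confirmed, at least one of IHI / Medicare number / MRN / address must be confirmed, and any presented identifier that contradicts the record blocks verification. It assumes the presented details and the stored record are plain dicts with the field names used here; the 16-digit IHI length comes from the page, while the Luhn check digit applied to the IHI is this example's assumption (HI Service identifiers are ISO 7812 numbers). The sample record values are constructed placeholders.

```python
"""Three-point patient identification check.

Added illustration; not code from CheckFile, ACSQHC, Services Australia or the
clinical systems named on the page. Assumptions: the presented details and the
stored record are plain dicts using the field names below, and the IHI is a
16-digit ISO 7812 number whose last digit is a Luhn check digit (the 16-digit
length is from the page; the Luhn property is this example's assumption).
"""
import re
from dataclasses import dataclass
from datetime import date

PRIMARY = ("full_name", "date_of_birth")                   # both always required
ADDITIONAL = ("ihi", "medicare_number", "mrn", "address")  # at least one required


def normalise_name(name) -> str:
    """Case- and whitespace-insensitive comparison of the registered full name."""
    return " ".join(str(name).casefold().split())


def normalise_address(addr) -> str:
    """Drop punctuation and case so '12 Smith St.' and '12 smith st' compare equal."""
    return re.sub(r"[^a-z0-9]", "", str(addr).casefold())


def normalise_dob(dob) -> str:
    """Accept either a date object or an ISO-8601 string."""
    return dob.isoformat() if isinstance(dob, date) else str(dob).strip()


def digits_only(value) -> str:
    return re.sub(r"\D", "", str(value))


def luhn_valid(number: str) -> bool:
    """Standard Luhn check over a digit string (assumed for IHIs, see docstring)."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def ihi_format_ok(ihi) -> bool:
    digits = digits_only(ihi)
    return len(digits) == 16 and luhn_valid(digits)


NORMALISE = {
    "full_name": normalise_name,
    "date_of_birth": normalise_dob,
    "ihi": digits_only,
    "medicare_number": digits_only,
    "mrn": lambda v: str(v).strip().upper(),
    "address": normalise_address,
}


@dataclass
class MatchResult:
    verified: bool
    matched: list
    mismatched: list
    reason: str


def three_point_match(presented: dict, record: dict) -> MatchResult:
    """verified=True only when name, date of birth and one additional identifier
    all match, and no presented identifier contradicts the record."""
    matched, mismatched = [], []
    for name in PRIMARY + ADDITIONAL:
        p, r = presented.get(name), record.get(name)
        if p in (None, "") or r in (None, ""):
            continue  # not presented or not on file: neither confirms nor denies
        if name == "ihi" and not ihi_format_ok(p):
            mismatched.append(name)  # a malformed IHI can never confirm identity
            continue
        (matched if NORMALISE[name](p) == NORMALISE[name](r) else mismatched).append(name)
    if mismatched:
        return MatchResult(False, matched, mismatched,
                           "conflicting identifier(s): " + ", ".join(mismatched))
    if not all(f in matched for f in PRIMARY):
        return MatchResult(False, matched, mismatched,
                           "full name and date of birth must both be confirmed")
    if not any(f in matched for f in ADDITIONAL):
        return MatchResult(False, matched, mismatched,
                           "a third identifier (IHI, Medicare number, MRN or address) is required")
    return MatchResult(True, matched, mismatched, "three-point identification confirmed")


# Constructed sample record: every value is a made-up placeholder, not a real
# person or identifier (the IHI is built only to pass the Luhn check above).
SAMPLE_RECORD = {
    "full_name": "Jane Citizen",
    "date_of_birth": date(1980, 5, 17),
    "ihi": "8003600000000015",
    "medicare_number": "0000 00000 0",
    "mrn": "MRN-EXAMPLE-1",
    "address": "12 Example St, Example NSW 2000",
}

if __name__ == "__main__":
    presented = {"full_name": "jane  citizen", "date_of_birth": "1980-05-17",
                 "ihi": "8003 6000 0000 0015"}
    print(three_point_match(presented, SAMPLE_RECORD))
```

The design point is the order of the checks: a contradiction is reported before the "enough identifiers" question is asked, so a record with a wrong date of birth is never passed on the strength of other fields, and the result says which identifier conflicted so the clinician can re-confirm it verbally rather than just seeing "no match".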
2. Acceptable identity documents in Australia
For new patient registrations or when the IHI is unknown:
- Australian passport
- State/territory driver licence
- Medicare card (for Medicare-eligible patients)
- Australian birth certificate
- ImmiCard (for visa holders)
- Australian Citizenship Certificate
Proof of Medicare eligibility is established by presenting the Medicare card and confirming the name and Medicare number against Services Australia's records.
3. Individual Healthcare Identifier (IHI) lookup
Healthcare providers connected to the HI Service can perform real-time IHI lookups using patient demographic data (name, date of birth, Medicare number or DVS-verified passport/licence number). IHI lookups are performed through clinical software that is registered with the HI Service โ standard in all PCEHR-compliant EHR systems (Best Practice, MedicalDirector, Cliniko, Epic).
4. Automated document verification
Manual identity checking at GP clinics and hospital admissions is vulnerable to sophisticated forgeries. Automated document verification solutions – such as CheckFile – validate Australian driver licences and passports in under 10 seconds, detecting forgeries (digitally altered documents, inconsistent holograms, expired documents) with accuracy exceeding 99%. These solutions integrate with practice management systems via HL7 FHIR or RESTful APIs.
5. Audit logging requirements
All clinical software systems must log access to patient records – required under the My Health Records Act 2012 and the My Health Record Rules 2016, APP 11, and state health records legislation. Log retention is typically 7 years minimum. Healthcare organisations must be able to demonstrate to OAIC or state privacy commissioners that access logging is in place and reviewed regularly as part of annual privacy governance assessments.
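"Reviewed regularly" is the part that is usually missing in practice: logs are written but nobody asks them questions. The following is an added example (not code from any clinical system, the ADHA or CheckFile) of a small periodic review over a record-access log. It assumes a JSON-lines log with the fields shown (the format is this example's assumption, not a standard), where the `verification` field records how identity was confirmed before the access: `"three_point"`, `"provisional"` (an emergency record created before full verification, as the page's emergency-department guidance describes), or `null`. All log lines are constructed and every user and patient value is a placeholder, not a real HPI-I or IHI.

```python
"""Periodic review of a patient-record access log.

Added illustration, not code from any clinical system, the ADHA or CheckFile.
The page requires that record access be logged and reviewed regularly; this
script assumes a JSON-lines log with the fields below (an assumption, not a
standard). "verification" is how identity was confirmed before the access:
"three_point", "provisional" (emergency record awaiting full verification)
or null (nothing recorded). All sample lines are constructed and every
user/patient value is a placeholder, not a real HPI-I or IHI.
"""
import json
from collections import defaultdict

# Constructed sample log; identifiers are placeholders only.
SAMPLE_LOG = """\
{"ts":"2026-03-01T08:02:11","user":"HPI-I-PLACEHOLDER-1","patient":"IHI-PLACEHOLDER-A","action":"read","verification":"three_point"}
{"ts":"2026-03-01T08:05:40","user":"HPI-I-PLACEHOLDER-2","patient":"IHI-PLACEHOLDER-B","action":"read","verification":null}
{"ts":"2026-03-01T09:15:02","user":"HPI-I-PLACEHOLDER-1","patient":"IHI-PLACEHOLDER-C","action":"create","verification":"provisional"}
{"ts":"2026-03-01T11:30:00","user":"HPI-I-PLACEHOLDER-1","patient":"IHI-PLACEHOLDER-C","action":"update","verification":"three_point"}
{"ts":"2026-03-01T12:00:00","user":"HPI-I-PLACEHOLDER-3","patient":"IHI-PLACEHOLDER-D","action":"create","verification":"provisional"}
{"ts":"2026-03-01T12:01:00","user":"HPI-I-PLACEHOLDER-2","patient":"IHI-PLACEHOLDER-E","action":"read","verification":"three_point"}
{"ts":"2026-03-01T12:02:00","user":"HPI-I-PLACEHOLDER-2","patient":"IHI-PLACEHOLDER-F","action":"read","verification":"three_point"}
{"ts":"2026-03-01T12:03:00","user":"HPI-I-PLACEHOLDER-2","patient":"IHI-PLACEHOLDER-G","action":"read","verification":"three_point"}
"""

REQUIRED_FIELDS = ("ts", "user", "patient", "action", "verification")


def parse_log(text: str):
    """Parse JSON lines; count (rather than silently drop) lines that cannot be trusted,
    because a gap in the audit trail is itself a finding for the reviewer."""
    events, malformed = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            malformed += 1
            continue
        if not all(key in event for key in REQUIRED_FIELDS):
            malformed += 1
            continue
        events.append(event)
    events.sort(key=lambda e: e["ts"])  # ISO-8601 timestamps sort correctly as strings
    return events, malformed


def review(events, distinct_patient_threshold: int = 3) -> dict:
    """Three review questions: which accesses had no identity verification at all,
    which provisional (emergency) records were never followed by full verification,
    and which users touched an unusually large number of distinct records
    (the threshold is an example value to be tuned per organisation)."""
    unverified = [e for e in events if e["verification"] is None]

    still_provisional = set()
    for e in events:  # time order matters: a later three_point clears the flag
        if e["verification"] == "provisional":
            still_provisional.add(e["patient"])
        elif e["verification"] == "three_point":
            still_provisional.discard(e["patient"])

    patients_per_user = defaultdict(set)
    for e in events:
        patients_per_user[e["user"]].add(e["patient"])
    high_volume = sorted(user for user, patients in patients_per_user.items()
                         if len(patients) >= distinct_patient_threshold)

    return {
        "unverified_access": unverified,
        "still_provisional": sorted(still_provisional),
        "high_volume_users": high_volume,
    }


if __name__ == "__main__":
    events, malformed = parse_log(SAMPLE_LOG)
    print(f"{len(events)} events parsed, {malformed} malformed lines")
    for key, value in review(events).items():
        print(key, value)
```

Each finding maps to a follow-up the page already calls for: an unverified access goes back to the accessing practitioner, a still-provisional record is a discharge-checklist item, and a high-volume user is a prompt to confirm the accesses were clinically justified before the annual governance assessment rather than after a complaint.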
Verification technologies in Australian healthcare
IHI Service (Services Australia) – Real-time lookup of a patient's IHI using Medicare number, full name, date of birth and sex. Available through certified clinical software. Allows verification that the IHI is active, the Medicare number is valid, and the patient is enrolled in My Health Record.
Document Verification Service (DVS) – Australia's national DVS (operated by the Attorney-General's Department) allows authorised organisations to verify Australian passports and driver licences against source data in real time. DVS access requires agreement and accreditation from the DVS Hub. This is the most authoritative document verification mechanism in Australia.
My Health Record patient-controlled access – Patients can set access controls in their My Health Record, including limiting access to specific providers. Healthcare providers must respect these access settings and verify patient consent before accessing restricted records.
Biometric verification for telehealth – Facial recognition or liveness detection for remote consultations. A Privacy Impact Assessment (PIA) under APP 1.4 is recommended before deploying biometric systems. OAIC guidance (2023) requires proportionality and patient consent for biometric health verification.
FAQ
What is the Individual Healthcare Identifier (IHI) and is it mandatory?
The IHI is a unique 16-digit number assigned to every Australian resident under the Healthcare Identifiers Act 2010. Its use is mandatory for electronic communication of health information between registered healthcare providers. It links to a patient's Medicare record and their My Health Record. As of 2026, all accredited healthcare providers must be registered with the HI Service.
How do you verify patient identity in an Australian emergency department?
Emergency treatment cannot be withheld pending identity verification. A provisional record is created with available information. IHI lookup can be attempted via the HI Service using any known demographic details. Full verification – including IHI confirmation and Medicare validation – must be completed before discharge or as soon as the patient is able to cooperate. The provisional status must be clearly marked in the EHR.
What are the penalties for a health data breach in Australia?
Following the 2024 Privacy Act amendments, the OAIC can seek civil penalties up to $50 million for serious or repeated interferences with privacy by organisations. Individuals face penalties up to $2.5 million. Mandatory breach notification is required for eligible data breaches (serious harm likely) under the Notifiable Data Breaches scheme – notification to both the OAIC and affected individuals within 30 days of awareness. Healthcare organisations are among the most frequently notified sectors.
What is the Medicare number and how is it used for patient identification?
The Medicare number is a unique identifier issued by Services Australia to Medicare-eligible residents (Australian citizens, permanent residents, and certain temporary visa holders). It appears on the Medicare card and can be used – along with name and date of birth – to look up a patient's IHI via the HI Service. The Medicare number is not a standalone identity document; it must be paired with a government-issued photo ID for complete verification.
How long must patient records be retained in Australia?
Federal standards set no single national retention period, but state guidelines typically require 7 years from last service for adults, or until age 25 for patients who were minors. Mental health records and records related to major surgery often have longer retention requirements. Audit logs linked to patient identity verification should be retained for the same period as the clinical record.