Prime Medic Online GP and Telehealth Services Across Australia

eScript Privacy & Security: Who Can Access Your Digital Prescription?

Key Takeaways

  • Electronic prescriptions are subject to Australian privacy and healthcare legislation.
  • Tokens act as secure access keys and do not store clinical data.
  • Prescription data is encrypted during storage and transmission.
  • Access is restricted to authorised healthcare professionals and the patient.
  • Tokens can be invalidated if compromised.
  • Patients play an important role in protecting their own digital prescription tokens.

Australia's digital transformation of health records emphasises privacy through the 'Privacy by Design' principle. Beyond the convenience of receiving prescriptions directly on your phone via SMS, robust security measures protect your personal health information.

The eScript & Prescription Access Hub adheres to the latest amendments to the Privacy Act 1988 and Australian Digital Health Agency (ADHA) standards, fostering a patient-centred control environment.

This overview details the legal and technical layers of protection that shield your digital prescriptions from unauthorised access, with access restricted to authorised individuals involved in your care, in accordance with regulatory requirements.

Why Privacy Matters for Digital Prescriptions

Personal health information is considered highly sensitive. The OAIC oversees Australia's data protection laws and strictly regulates the handling of this data category. Paper prescriptions may be vulnerable if left unsecured. Electronic prescriptions are designed with access controls that help reduce the risk of unauthorised access.

Regulatory Compliance

Electronic systems are designed to support compliance with the Australian Privacy Principles, particularly APP 11, which requires organisations to actively protect personal information against misuse, interference, or loss. Your online medical certificate and prescription records are stored in systems that comply with Australian privacy and healthcare legislation. To learn more about how these standards apply to clinical records, please visit our page on digital record keeping for prescribers.

Encryption in Prescription Delivery

The primary safety measure for any eScript is encryption. When a GP from Prime Medic prescribes a medication, the information is not sent by a basic SMS but through a secure "tunnel" to a Prescription Delivery Service (PDS) operating within Australia's electronic prescribing framework.

How Encrypted Channels Work

  • Data at Rest: Prescriptions are stored in encrypted form within secure national systems. Even if the database itself is accessed, its contents remain unreadable without the decryption keys.
  • Data in Transit: The transfer of data between the GP's clinical software and the pharmacy's dispensing system is secured by end-to-end encryption (E2EE), a standard part of the digital prescription access security framework.
  • The Token as a Key: The QR code or link you find on your smartphone is a unique digital token. It does not store your healthcare data; instead, it provides the pharmacist with the "location" and the "authorisation" to retrieve it from the secure cloud.

Who Can View or Dispense an eScript?

Access to your prescription is restricted to authorised healthcare professionals and the patient, in accordance with applicable regulations.

Authorised Access Rights

  • The Patient: As the token holder, you determine which pharmacy can see the script: it is the one you present your token to.
  • The Prescriber: A doctor, such as those providing online GP consultations, can view the status of the script in their clinical software.
  • The Pharmacist: The pharmacist retrieves your prescription and can view its details after scanning your token. A pharmacist cannot look up your prescription by searching for your name in the national database. This kind of access requires your explicit consent or a token.

Whenever an individual accesses your data, a digital record is created to track the event. These audit trails are a key feature of digital health and enhance transparency as a consumer protection.

Safe Handling of Your Token

Your smartphone is still the last gatekeeper of your prescription, and the human element is the weakest link in any system. Your token serves as proof of prescription and should be handled with the same care as patient document access rights.

Protecting Your Privacy

  • Use Device Locks: Ensure your phone is equipped with a biometric lock (Fingerprint/Face ID) or, at a minimum, a strong PIN.
  • Avoid Public Sharing: Refrain from posting a screenshot of a prescription token on social media, as even an incomplete QR code can be reconstructed by attackers.
  • Be Selective with Forwarding: If you want a carer to collect your medication, only communicate the eScript Token via secure messaging apps, and delete the message after the medication is received.

Taking these measures will help you play an active role in sharing certificate details safely.

Removing Access When Needed

One feature of the digital system is that access can be withdrawn at any time. When a prescription is no longer needed, or you suspect your token may have been exposed to another person (e.g., if you mistakenly sent it to someone), access can be restricted promptly.

How Revocation Works

Revocation is only available to the original prescriber. Once a token has been revoked:

  • The token is marked as cancelled within the prescribing system and will not be valid for dispensing.
  • If a pharmacist scans the QR code, the system checks the token; if it is cancelled or invalid, it returns the corresponding message.
  • This approach allows digital cancellation without physically recovering a paper prescription, a process similar to correcting errors on medical certificates.
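The token, access and revocation rules described in this article can be modelled in a few lines. This is an added, simplified example, not code from Prime Medic or any Prescription Delivery Service; the class, method names, identifiers and sample medication are assumptions made for illustration.

```python
import secrets
from datetime import datetime, timezone

class PrescriptionStore:
    """Toy model: the token is an opaque reference; the record stays server-side."""

    def __init__(self):
        self._records = {}   # token -> record (stands in for the encrypted store)
        self.audit_log = []  # every access attempt, successful or not

    def _audit(self, actor, action, token, outcome):
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "actor": actor, "action": action,
            "token": token[:6] + "...",  # never write the full token to logs
            "outcome": outcome,
        })

    def issue(self, prescriber_id, patient, medication):
        token = secrets.token_urlsafe(32)  # random value; encodes no clinical data
        self._records[token] = {"prescriber": prescriber_id, "patient": patient,
                                "medication": medication, "status": "active"}
        self._audit(prescriber_id, "issue", token, "ok")
        return token

    def revoke(self, actor_id, token):
        # Only the original prescriber may cancel a token.
        record = self._records.get(token)
        if record is None or record["prescriber"] != actor_id:
            self._audit(actor_id, "revoke", token, "denied")
            return False
        record["status"] = "cancelled"
        self._audit(actor_id, "revoke", token, "ok")
        return True

    def scan(self, pharmacist_id, token):
        # Lookup is by token only; there is deliberately no search-by-name method.
        record = self._records.get(token)
        if record is None:
            outcome = "invalid"
        elif record["status"] != "active":
            outcome = record["status"]
        else:
            outcome = "ok"
        self._audit(pharmacist_id, "scan", token, outcome)
        return outcome, (record["medication"] if outcome == "ok" else None)
```

A scan of a cancelled or unknown token returns a status and no prescription details, and the attempt is still recorded in the audit log.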

If you want to replace an eScript token or cancel an active one, please consult our Lost eScript Token Replacement tutorial.

Frequently Asked Questions

If your phone has a screen lock, the risk is reduced. However, you should still ask your GP to cancel the token. For more on protecting your digital identity, see the Digitalhealth guide to electronic prescriptions.

Written by: Dr Muhammad Mohsin

CEO, Founder and Chief Medical Officer, Prime Medic.
The medical content on this page is an original analysis prepared, written and contributed by Dr Muhammad Mohsin. 22-Jun-2026 17:50:00.