You may be right about that but that is a little bit different from what I suggested - which was about whether MHR itself allows the person whose record it is to control “write” access, as opposed to controlling “read” access.
Controlling at the client side is clearly not enforcement (relies on procedures and honesty of client) and may be subject to fine print, misunderstanding, special cases, … as a means of bypassing the check on the client side.
That is a major issue with MHR anyway. Around 900,000 people Australia-wide have access to your record - unless you are in the tiny tiny minority who put a “read” password on the record. If any one of those thousands of healthcare providers suffers a security breach or other compromise then that provider can be used as a conduit to exfiltrate information. (You would hope that MHR has heuristics and auditing to detect that kind of indirect attack in some cases but the government is non-transparent, so it is a leap of faith for the patient. Even if the attack is detected, that is reactive i.e. the data is already copied.)
This is not a hypothetical. We know that “China” already did this in Singapore.