
Are you allowed to look at that medical record?

Dr Mark Woodrow, MBBS, MBA, GDipAppLaw, GCertArts, EMCert(ACEM), MACLM, AFRACMA, General Manager – Medical Advisory Services, Avant

Sonya Black, LLB (Hons), B.Com, Legal Team Manager – Workplace Law Team, Avant Law, QLD

Wednesday, 5 June 2024


Electronic medical records (eMRs) have improved the ability to find out about a patient and their care. They have made it much simpler to check how your patient in the ED got on after your initial treatment, or to assess the potential upcoming surgical workload. But is accessing records in this way allowed? Many public hospitals think not.

Avant has seen a significant increase in disciplinary processes involving inappropriate access to medical records in public hospitals. Doctors are facing disciplinary processes for accessing the medical records of:

  • themselves
  • family members, friends and staff
  • patients when there’s not a valid clinical need
  • patients when there is a clinical need to do so, but without making a record in the patient note
  • patients they are not treating for the purpose of training and learning

One member accessed the medical record of a patient she had treated in the Emergency Department to see the outcome and the impact of her treatment. Another member accessed medical records while on call to review test results and provide advice about them, but no note was made in the medical record. Both doctors received letters asking them to explain why they accessed the records in breach of hospital policy. Previously, the outcome of such indiscretions has been management action (for example, a requirement to undertake training), but now tougher sanctions are being applied (such as a reprimand).

Hospitals abiding by privacy legislation

As unfair as this seems, hospitals are responding to increased scrutiny of adherence to privacy laws. Personal information can only be used and disclosed for the purposes for which it was collected – in the context of a hospital, information is collected and included in records for the provision of healthcare to individual patients. Use of the information for other purposes requires explicit patient consent.

Following the widespread introduction of eMRs and tightening of privacy laws, hospitals have been updating and enforcing their policies more strictly.

Enforcement potentially compromises good care

While there are many circumstances where access to a medical record is clearly inappropriate (e.g. finding information for a journalist), there are other circumstances where the access is seen as valid by many doctors but breaches hospital policy (e.g. a doctor accessing their own medical record).

Accessing records for the purposes of audit, review, and individual and group clinical reflection has the potential to benefit patient care. Following up on patients you have cared for can be an extremely helpful way to obtain information on the accuracy of a diagnosis, and presents a good educational opportunity. This access is likely to breach hospital policy, but discouraging such activities is likely to deny doctors the opportunity to learn and improve.

The law and hospital policies are slightly different across jurisdictions, with some permitting the review of patient information without consent for audit and other quality improvement activities. In other jurisdictions, use of information for such purposes requires patient consent, unless there is an exception, and there is generally no overriding exemption for educational purposes.

Policy inconsistency and obscurity

Privacy policies vary across hospitals. Although hospitals expect all doctors to be aware of the hospital’s policies and understand their obligations about access to medical records, this is not our experience. Doctors have many policies they need to be across, and few will be across all in detail.

Better training is needed, and having a checklist of what can and cannot be accessed would ensure it is clear to all staff in terms they can understand.

What you can do

When you want to access a patient's medical record for purposes other than providing healthcare, follow these guidelines to ensure compliance with legal and ethical standards:

  1. Familiarise yourself with hospital policy and procedure - Many of the policies are general in nature, so clarify with your line manager whether particular access is allowed (for example, access for education purposes).
  2. Comply with hospital process - Policies and procedures will explain how you can lawfully access patient medical records where you do not have a direct clinical need to do so. For example, access to a family member’s medical record or your own medical record may require a formal request to the medical records department, outlining the purpose and intended use of the information. Keep in mind that requests should have a justifiable basis. Many hospital departments have specific protocols about access for education purposes.
  3. Policy amendments - Where your employer's policies do not currently allow access for the purposes for which you wish to access medical records, discuss the possibility of amending the policy or developing a department-specific protocol that’s authorised by the hospital executive.
  4. Obtain explicit patient consent - Where policy amendments are not feasible, work with your employer or health services to gain explicit patient consent. This consent must be secured in writing or documented verbal form, clearly explaining the purpose for accessing the records and identifying who will access them and where the information will be used. Patients have the right to revoke consent at any point in time. It will likely remain a breach of hospital policy if you access your own medical records, or the records of family, friends and staff, even with their consent.
  5. Adhere to legal requirements - Always comply with both Commonwealth and state or territory privacy legislation when dealing with patients' health information. This ensures patient data is handled responsibly and legally.
  6. Use of the information you have accessed - Access to the medical records is only one aspect of managing privacy. You should also ensure you only use and disclose that information in accordance with hospital policy and the law.
  7. Always document access - Ideally, the reason for any access to medical records should be recorded in the progress notes by the person who has accessed the record. Many hospital policies mandate this, which is an additional admin burden, so you may wish to discuss the issue with your hospital to find an appropriate solution.

Rather than checking the records, consider whether a brief discussion with another clinician who is involved in the patient's care may negate the need to check them, for example when you want to follow up on a patient’s condition.

By following these steps, you can access patient medical records appropriately, ensuring all actions are legal and ethical.


This publication is not comprehensive and does not constitute legal or medical advice. You should seek legal or other professional advice before relying on any content, and practise proper clinical decision making with regard to the individual circumstances. Persons implementing any recommendations contained in this publication must exercise their own independent skill or judgement or seek appropriate professional advice relevant to their own particular practice. Compliance with any recommendations will not in any way guarantee discharge of the duty of care owed to patients and others coming into contact with the health professional or practice. Avant is not responsible to you or anyone else for any loss suffered in connection with the use of this information. Information is only current at the date initially published.
