
Beyond the expiry date: when medical records become a privacy risk
It’s late afternoon in a suburban general practice. A long-standing patient has just moved interstate, and the clinic is looking to make space for those files in its storage room. Among the boxes are records from patients who haven’t attended in over a decade. The practice manager hesitates - should they be kept just in case? Or is it time to let them go?
While it may seem harmless to retain old medical records, doing so longer than necessary can pose serious privacy risks. In healthcare, the line between caution and compliance is often blurred, and well-meaning decisions can inadvertently breach privacy laws.
The legal landscape: how long is too long?
Medical records are vital for continuity of care, but retaining them longer than necessary can pose serious privacy risks. Across Australia, privacy legislation requires that personal information is stored securely and only retained for as long as it is needed or legally required. Although specific requirements vary between states and territories, it is recommended that in all jurisdictions adult records are kept for seven years from the last entry, and for children, until they turn 25.
Beyond these timeframes, other needs might include ongoing or anticipated litigation or research with consent. There may also be compelling clinical reasons to retain the information, depending on the patient’s circumstances or the nature of the treatment provided. For example, obstetric records for the mother may be kept until the child reaches the age of 25. Or for patients who have had a device or prosthesis implanted, there may be a need to keep the records for longer than seven years if that information is going to be necessary for future re-implantation or review. This will depend on the individual situation of your patients, their clinical needs and/or your specialty. In all other circumstances, records should be securely destroyed or permanently de-identified once the required period has ended.
Holding onto records ‘just in case’ may feel like a safeguard, but it can actually increase the risk of unauthorised access, data breaches, and non-compliance with privacy obligations. The same obligations apply to electronic records. If a breach involves records that no longer needed to be kept, and there is no documented reason for having retained them, there may be additional consequences for the doctor or practice.
The hidden risks of over-retention
Medical records contain some of the most sensitive personal information. Retaining them unnecessarily can expose doctors and practices to:
- Data breaches: older records, particularly paper records, may be stored in less secure formats or locations, making them vulnerable to theft, loss, or unauthorised access.
- Legal liability: if a breach occurs, doctors may face regulatory action, reputational damage, and loss of patient trust.
- Operational inefficiencies: holding excessive records can clutter systems, complicate audits, slow transitions to digital platforms, and consume resources that could be better used elsewhere.
For example, a clinic storing archived paper records in an offsite facility experienced a break-in. The compromised records included both current and former patient information, prompting a formal investigation and mandatory patient notifications. The investigation discovered some records were for former patients who had not been seen for over 15 years.
Compliance processes are essential for meeting legal requirements and patient expectations, and failing to meet those obligations also carries reputational risks and can place significant strain on administrative resources.
Balancing retention with responsibility
Managing medical records responsibly means knowing when to keep them and when to let them go. Here are some practical tips:
- Know your obligations: familiarise yourself with the retention requirements that apply in your state or territory under the health records legislation.
- Audit regularly: schedule periodic reviews of stored records to identify those eligible for secure destruction.
- Document your process: maintain clear records of when and why files are destroyed, including the method used.
- Prioritise secure disposal: use reputable providers to ensure physical records are shredded and digital data irretrievably wiped in accordance with privacy requirements.
- Be transparent with patients: ensure your privacy policy explains how long records are kept and when they will be securely disposed of.
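As an added illustration, not a tool from Avant or the factsheets, the following Python retention audit applies the timeframes described above: seven years from the last entry for adults, until age 25 for children and for a mother's obstetric record, with litigation, research or clinical holds routed to human review instead of destruction, and a destruction log entry recording when, why and how. The record structure and sample records are constructed; taking the latest applicable date as the retention date is an assumption, and state and territory variations are not modelled.

```python
from dataclasses import dataclass
from datetime import date

ADULT_RETENTION_YEARS = 7      # seven years from the last entry (the page's recommended minimum)
CHILD_RETENTION_AGE = 25       # children's and obstetric records: until the child turns 25
AUDIT_DATE = date(2025, 6, 1)  # constructed audit date for the sample run below

def add_years(d: date, years: int) -> date:
    try:                       # 29 February rolls forward to 1 March in a non-leap year
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, month=3, day=1)

@dataclass
class Record:                  # constructed structure; real systems will differ
    patient_id: str
    dob: date
    last_entry: date
    holds: tuple = ()          # e.g. "litigation", "research-consent", "implant"
    obstetric_child_dob: "date | None" = None   # set on a mother's obstetric record

def retain_until(rec: Record) -> date:
    """Earliest date the record may be destroyed, before any hold is considered."""
    candidates = [add_years(rec.last_entry, ADULT_RETENTION_YEARS)]
    if rec.last_entry < add_years(rec.dob, 18):              # a child at the last entry
        candidates.append(add_years(rec.dob, CHILD_RETENTION_AGE))
    if rec.obstetric_child_dob is not None:
        candidates.append(add_years(rec.obstetric_child_dob, CHILD_RETENTION_AGE))
    return max(candidates)                                   # latest applicable date wins (assumption)

def assess(rec: Record, today: date = AUDIT_DATE) -> tuple:  # (decision, reason)
    until = retain_until(rec)
    if today < until:
        return "retain", f"retention period runs until {until.isoformat()}"
    if rec.holds:                                            # past the period, but a hold blocks destruction
        return "review", "period ended but hold(s) recorded: " + ", ".join(rec.holds)
    return "destroy", f"period ended {until.isoformat()}; no hold recorded"

def destruction_log_entry(rec: Record, method: str, today: date = AUDIT_DATE) -> dict:
    decision, reason = assess(rec, today)                    # refuse to log a destruction that is not due
    if decision != "destroy":
        raise ValueError(f"{rec.patient_id}: not eligible ({reason})")
    return {"patient_id": rec.patient_id, "destroyed_on": today.isoformat(), "why": reason, "method": method}

SAMPLE = [  # constructed records, not real patients
    Record("P001", date(1970, 5, 2), date(2008, 3, 10)),                                  # adult, last seen 2008
    Record("P002", date(2005, 8, 20), date(2016, 1, 5)),                                  # a child at last entry
    Record("P003", date(1985, 1, 1), date(2010, 6, 30), holds=("implant",)),              # prosthesis: review
    Record("P004", date(1990, 2, 14), date(2012, 9, 1), obstetric_child_dob=date(2012, 9, 1)),
]
```

Run `assess(rec)` over every stored record at each scheduled audit; only "destroy" results are handed to the disposal provider, and the log entry holds no clinical content.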
Privacy is proactive, not passive
Doctors and practice staff play a critical role in safeguarding patient information - not just during care, but long after the patient has left. By embedding privacy into record-keeping policies and routines, doctors can reduce medico-legal risk, maintain compliance, and uphold the trust that patients place in their healthcare providers.
Further information
Avant factsheet: Medical records: the essentials
Avant factsheet: Storing, retaining and disposing of medical records
Office of the Australian Information Commissioner: Chapter 11 APP 11 Security of personal information
For medico-legal advice, please contact us here, or call 1800 128 268, 24/7 in emergencies.
The information in this publication does not constitute legal, financial, medical or other professional advice and should not be relied upon as such. It is intended only to provide a summary and general overview on matters of interest and it is not intended to be comprehensive. Persons implementing any recommendations contained in this publication must exercise their own independent skill or judgement and seek appropriate professional advice relevant to their own particular circumstances. Compliance with any recommendations will not in any way guarantee discharge of the duty of care owed to patients and others coming into contact with the health professional or practice. Avant and its related entities are not responsible to any person for any loss suffered in connection with the use of this information. Information is only current at the date initially published.