
Information Commissioner clarifies doctors’ obligations to provide patient with access to records
A decision of the Australian Information and Privacy Commissioner reminds healthcare practices they must give patients access to the personal information the practice holds about them if requested. This includes information such as copies of referral letters or images that the patient may already have access to, or that they may be able to access another way.
Wednesday, 27 August 2025
Key messages from the case
Healthcare organisations must allow patients to access their personal information if requested (subject to limited exceptions). The Australian Information and Privacy Commissioner confirmed this obligation applies even where the patient has already obtained the information, for example referral letters or images, from other sources. Practices may charge a reasonable fee for access, but must not charge patients for any time spent dealing with a privacy complaint.
Under the Privacy Act 1988 (Cth), Australian Privacy Principle 12 (APP 12) gives individuals the right to access personal information held about them, unless a specific exception applies.
Details of the decision
Around six months after a single appointment with an obstetrician and gynaecologist (O&G), patient AGX contacted the practice and requested a copy of their full medical file.
The practice responded, explaining the only information on file was copies of imaging reports and the letter back to the referring GP (GP letter). AGX already had copies of these documents from the referring GP and the practice advised there was no other information it could provide. AGX sent a second request, claiming the practice did hold more information and requesting it provide that. When the practice did not reply to the second request, AGX complained to the Office of the Australian Information Commissioner (OAIC).
After the OAIC began investigating, the practice sent an invoice for $440 for time spent reviewing the Privacy Act and addressing the OAIC complaint. It offered to provide AGX with copies of the GP letter and AGX’s signed consent form once the invoice was paid.
Outcome
The commissioner concluded the O&G practice held the following personal information about AGX:
- The initial referral letter
- GP letter
- AGX’s signed consent form
- Imaging reports
- Patient questionnaire completed during the appointment
- AGX’s personal identifiers such as contact details, Medicare and private health insurance identifiers
The commissioner accepted the O&G had reported back to the GP that they were unable to assist AGX and that there were no separate patient notes other than those noted in the questionnaire and GP letter.
The practice explained that their initial search of the electronic file had missed the questionnaire, which had been kept in hard copy and never scanned into the file.
The commissioner clarified that the Privacy Act required a healthcare organisation to provide patients with access to personal information it holds about them. This obligation applies regardless of whether the patient has obtained or may obtain that information from another source.
Frivolous and vexatious requests
The practice claimed it was entitled to refuse access as AGX’s request was frivolous and vexatious (exception APP 12.3(c)).
The commissioner clarified that a request should only be refused on this ground if there is a clear and convincing basis for deciding it is frivolous or vexatious. Examples could include:
- persistent requests for information that has already been provided or that the organisation has explained it does not hold or cannot locate, or
- requests that appear to be made for the purpose of harassing or intimidating staff or interfering unreasonably with the practice’s operations.
In this case, AGX’s second request was not unreasonable, and not frivolous or vexatious.
The commissioner concluded that the practice’s conduct in refusing AGX access to their personal information amounted to an interference with AGX’s privacy.
Fee for access to records
The commissioner confirmed practices can charge a fee for providing access to personal information. This can comprise costs including staff time in searching for the information, making copies and posting or delivering materials. The charge should not be excessive and cannot be used to discourage an individual from accessing their personal information.
Ideally practices should let a patient know in advance if they will charge a fee for access and how much that is likely to be.
Whether a charge is excessive will depend on the circumstances, but in this case the practice had given no information to justify the cost. It was not permitted to charge for time spent responding to a complaint to the OAIC.
The commissioner concluded the fee was excessive.
The practice withdrew the invoice and provided AGX with their personal information at no charge.
Compensation
AGX requested compensation on the basis that the practice caused them distress and that the practice’s conduct exacerbated their stress and pre-existing psychological and medical conditions.
The fact that AGX had access to, or was aware of the contents of, information held about them was not relevant to the practice’s obligation to provide it. However, it was relevant to assessing the impact of the practice’s refusal on AGX.
In this case, the commissioner was not persuaded that the practice’s conduct, rather than other factors, exacerbated AGX’s condition. Therefore, the practice’s conduct did not warrant the payment of compensation.
Key lessons
Patients have a right to access personal information you or your practice hold about them. This includes information the patient may already have obtained from other sources.
You can refuse access on the grounds the request is frivolous or vexatious – but only if there are clear and convincing reasons for reaching this conclusion. Contact Avant for advice if you are unsure.
You are entitled to charge a reasonable fee for access. This might include costs for time spent reviewing the record, making copies, posting copies etc. Note that in some jurisdictions, access fees are specified or capped, so check the position in your state or territory.
Ideally advise patients upfront if you are going to charge a fee and how much that could be.
Explain what the fee is for, and be careful that it does not cause the patient hardship or deter them from accessing their personal information.
The case discussed in this publication is based on a real case. Certain information has been de-identified to preserve privacy and confidentiality. The information in this article does not constitute legal advice or other professional advice and should not be relied upon as such. It is intended only to provide a summary and general overview on matters of interest and it is not intended to be comprehensive. You should seek legal or other professional advice before acting or relying on any of its content.