Due to a global Microsoft outage, we are experiencing technical difficulties that may make it hard to reach us.

Management of patient records

Ben Ryan, Avant Law - Senior Associate, Commercial & Corporate

Michael Mobberley, Avant Law - Senior Associate, Estate Planning & Probate

Sunday, 5 May 2024

woman walking through patient records

How do you manage patient records?

The expectations for practices and health professionals when dealing with patient records can be confusing and often overwhelming. While these expectations are understandable given the nature of the information, it can leave practices often asking more questions. In light of recent developments and changes in the way some practices operate, it is important to review how you manage your patient records.

How do I collect patient information?

From a patient’s first contact with the practice, it should be clear how the practice is collecting, storing, using and otherwise dealing with the patient’s information. Practitioners should ensure that there is a privacy policy on the practice website explaining how the personal information will be collected, used and stored, and the patient’s registration/consent form completed on arriving to the practice authorising such collection and use of their personal information.

How do I store patient records and how long do I need to store them for?

Patient records must be stored as either a physical or electronic file (or both) that can be easily accessed and in a manner which:

·      Protects the records from damage, loss or theft/unauthorised access (including if stored electronically having measures in place to protect against cyber theft and data breaches).
·      Preserves the patient’s confidentiality and privacy. 

All records for adults should be stored for at least seven years from the date you last saw/dealt with the patient. Where a patient is under the age of 18, the record should be kept until they would have reached 25 years old.  When storing electronic copies of patient records, we recommend engaging with an IT Provider medical practice specialist who will be able to support you with active data protection measures (including encryption, multi-factor authentication and regular backups (within Australia).

What do I do if someone requests a copy of the patient record?

Before you can disclose a patient’s records, you must ensure that you have the patient’s consent to do so, or are otherwise authorised by law to do so to take into account the situations where you can disclose patient information without consent.

The patient’s consent should be signed and specify:
·      Who they are authorising a copy of the file be provided to (e.g. their doctor, their lawyer or themselves); and
·      What records they are authorising to be released (i.e. specific records or their entire file).

Once you have the patient’s consent, you can provide the copies as directed in the authorising consent.  

You are entitled to charge your reasonable costs of making the records available. This can include fees that your practice management software provider charges to extract the records from your system. Subject to where your practice is located, there may be specific regulations addressing the recovery of fees.

Who owns the patient records?

The issue of ownership of patient records is complex. It depends on many factors, including the terms of the contract between the practice and practitioner, and has several practical implications, particularly when a practitioner leaves a practice. If a practitioner is part of a partnership or incorporated practice, multiple practitioners may be entitled to a copy of the records.

Ownership of records and access to records are two separate issues. Regardless of who actually owns the record, patients have a right to request access to their records, subject to any exceptions under the privacy legislation, and records can only be disclosed with the patient’s consent or as otherwise authorised by law.  

What if I work in a hospital or for a government entity?

As a general principle, if you work in a public hospital/facility, the patient records will be managed by that hospital and its policies. If you also see a patient privately then you would need to ensure that you are complying with the legislation and rules which apply to your private practice as well.

What do I do if I sell the practice?

In selling your practice, you may need to obtain the consent of a patient to the release/transfer of their records to the new practice owner subject to where your practice is located.   

As part of any settlement period, practitioners will need to be careful to protect the records and maintain patient confidentiality. In some circumstances a consent may not be required and there are several exceptions that may apply. For e.g, where a practitioner sells their interest in the company that owns the practice as the entity running the practice will remain the same. 

It is important to note that in some states/territories, there is specific legislation that details how records are to be dealt with when selling a practice. In Victoria and the ACT, practices must advertise in a local newspaper the sale of the practice and how records will be dealt with in the process. 

The practice and practitioners will also need to be mindful of retaining patient records for the required periods outlined above and for their own off-risk purposes.

What do I do if I close the practice or am no longer able to operate the practice?

Similar to the sale of a practice, in some states/territories there is specific legislation that details how records are to be dealt with when closing or shutting down a practice. In Victoria and the ACT, practices must advertise in a local newspaper the closure of the practice and how patients will be able to access their records once closed.

The practice and practitioners will also need to be mindful of retaining their patient’s records for the required periods outlined above and for their own off-risk purposes. 

We can help you

If you have any questions, or would like more information about how we can assist you or your practice, please call 1800 867 113, or to organise a confidential discussion at a time that suits you, please click here 

Want more information?

Medical records - the essentials

Storing, retaining and disposing of medical records

Planning for retirement: wat you need to know

Providing medical records to a third party

Medical records: Chapter two - legal requirements (member only eLearning course)

About the authors

Ben Ryan

Ben Ryan is a Senior Associate in the commercial and corporate law practice at Avant Law, based in Brisbane. Ben has been working with medical practices since 2013. Ben works primarily on commercial structuring and intellectual property matters to help clients achieve strategic and commercially sensible results. He pursued a career in law to provide reliable and honest support to those in need of legal assistance and enjoys working with clients to develop solutions-oriented legal strategy and advice.

Michael Mobberley

Michael Mobberley

Michael Mobberley is a Senior Associate in the estate planning and commercial law practices at Avant Law, based in Sydney. Michael is an accredited specialist in Wills & Estates and holds a Masters degree in Corporate, Commercial and Taxation Law. Michael provides advice to both individuals and businesses on a range of matters, as well as acting for clients in contested estate and family provision claims.


The information in this article does not constitute legal advice or other professional advice and should not be relied upon as such. It is intended only to provide a summary and general overview on matters of interest and it is not intended to be comprehensive. You should seek legal or other professional advice before acting or relying on any of this content. The information in this article is current to 6 May 2024. Liability limited by a scheme approved under Professional Standards Legislation. Legal practitioners employed by Avant Law Pty Limited are members of the scheme. © Avant Mutual Group Limited 2024.

To Top