Female presenting legal document to secondary individual

Responding to a request to access medical records

Requests for medical records may come from the patient themselves, from another person or organisation, or via a court order such as a subpoena, summons or other court notice. We summarise your responsibilities below.

Tuesday, 25 February 2025

Quick guide

  • Patients are entitled to request access to their medical records and should usually be given access, except in limited circumstances.
  • You should aim to provide the records in the format or by the method the patient has requested, for example electronically.
  • A request from a third party to access a patient’s records or health information must include a valid patient authority, except in limited circumstances.
  • The authority must be current, signed by the patient and specific enough for you to comply with – including which records or information should be released and to whom.
  • There are times when you may be legally required to release patient information to a third party without patient consent, such as when you receive a subpoena, summons or when legislation requires it.
  • You can charge for access to medical records, but the charge should not be excessive.

Doctors and practices often receive requests from patients to provide them or someone else with a copy of their medical records. Sometimes the request comes directly from a third party, such as a family member, lawyer or insurer, and may be a request for health information about a patient not a copy of the medical record as such. Patient request for access Generally, patients have a right to request access to their medical records. Access is usually granted, except in some limited situations.

Patient request for access

Generally, patients have a right to request access to their medical records. Access is usually granted, except in some limited situations.

Requests in the private sector

In the private sector, patient requests for access to their medical records are generally dealt with under privacy legislation.

Commonwealth privacy legislation and legislation in NSW, Victoria and the ACT include timeframes for responding to requests for access to medical records, as well as information about cost and how to provide the records. These are a useful guide in other jurisdictions.

JurisdictionTime period for responseResource
CommonwealthA reasonable time period, which will be no more than 30 days in most cases (agencies must respond within 30 days)

Privacy Act 1988 (Cth), APP 12.4

Chapter 4: Giving access to health information | OAIC

Australian Capital Territory

Within 2 weeks of receiving the request.

If a fee is payable, records must be provided within 1 week of payment or within 30 days of receiving the request.

Health Records (Privacy and Access) Act 1997 | Acts (section 12)
New South Wales

Private sector: Within 45 days of receiving the request.

Public sector: Within 28 days of receiving the request.

If a fee is payable, records must be provided within 7 days of payment, provided it is within the original 45-day timeframe.

Health Records and Information Privacy Act 2002

NSW Information Privacy Commissioner fact sheet

Victoria

Within 45 days of receiving the request, or

7 days from the date of payment, whichever is later.

Health Records Act 2001

Health Records Act | health.vic.gov.au

For all the above jurisdictions, responding includes advising a fee is payable or refusing to provide the records, as well as providing the records requested. In the ACT, it also includes advising that the request has been passed on to the person or entity that holds the records.  

Requests in the public sector

In the public sector, access requests should be dealt with in accordance with the hospital or health service’s policy.

These requests should be managed by the public hospital or health service. If you individually receive a request from a patient or someone else for records held in the public system, you should refer it to the facility to manage and respond. You should provide the request promptly as usually a response is required within about 30 days.

Refer to your hospital’s policy or hospital medical records department for further information.

Refusing access

In some circumstances, you may refuse to provide a patient access to their own medical records, such as when:

  • Providing access would pose a serious risk to the life, health, or safety of the patient or someone else.
  • It would unreasonably impact another person’s privacy.
  • Releasing the information would be unlawful.

If access is refused due to privacy concerns, you may be able to redact the sensitive information and provide the rest. If direct access is not appropriate due to concerns for the patient’s health or safety, you may consider providing the information through an agreed third party, such as another treating doctor. This may also be appropriate if you are no longer involved in the patient’s care or have not seen them recently enough to assess any risks. The patient must agree to this arrangement and any associated costs.

When refusing access, you must provide the patient with a written explanation outlining the reasons and informing them of their options to challenge the decision. In the ACT, NSW, and Victoria, legislation sets out the necessary approach and timeframes (see table above).

Fees for access

You can charge the patient for the cost of providing the records, but this should not be excessive. The cost may include staff costs in locating the records or in reproducing and sending the records, costs of postage or materials in giving access, and costs associated with using an intermediary to give access. This should be charged at a clerical rate.

If you as the doctor need to be involved, such as reviewing the information before providing access, some charge for professional time may be reasonable. We recommend you discuss this with the patient in advance before incurring costs and confirm with them this is acceptable. You may also consider offering ways of limiting costs – for example, if the request is for the patient’s complete medical records and this spans a number of years, it is often worthwhile discussing what information is needed as this can narrow the scope of the request and reduce costs.

In some jurisdictions there are specified or capped fees. If not, any fees charged should be reasonable and not excessive. You cannot charge the patient for making the request.

How to provide access to medical records

You should aim to provide access to records in the form that the patient requests, where possible.

Health information can be provided in several ways, such as: 

  • sharing a copy of the information (electronic or hard copy) 
  • providing a summary of the information 
  • providing information over the phone (for example, test results) 
  • allowing the patient to view or listen to an audio or video recording of the information and take notes. 

If you email a copy of the records, you should take reasonable steps to check the accuracy of the email address before sending.

If the requested form of access is unreasonable or impractical, consider other options and discuss this with the patient or third party.

Requests from third parties

Common requests from third parties for a patient’s medical records or health information include:

  • a letter from a solicitor asking for records for the purpose of legal proceedings
  • an insurer asking for medical records relevant to a patient’s workers’ compensation or life insurance claim
  • a patient's employer asking you for information about their medical condition.

You can provide information or copies of records to a third party if you have the patient’s consent to do so.

Consent can be verbal or written, except in NSW where all requests must be in writing.

A written consent is often referred to as an authority and should be signed and dated by the patient. The authority should also be reasonably current (as a guide, within 12 months). If unsure, contact the patient directly to clarify whether they consent and document the conversation. 

If verbal, document the patient’s consent in the medical record. Be clear about the scope of the patient’s consent, particularly any limits on what information the patient is happy to share or with whom the information can be shared.

Disclosure without consent

You have a legal obligation to provide a patient’s medical records to a third party (without the need to seek a patient's authority) in these circumstances:

  • Legislation requires you to do so – such as public health requirements to report infectious diseases or mandatory reporting of children at risk.
  • You receive a summons or subpoena to produce medical records to a court or tribunal.
  • You receive a notice of non-party disclosure (in Queensland and the ACT).
  • You receive a warrant from the police to produce documents. A verbal request from the police will not be enough for you to provide information or records.

If you are legally compelled to release records to a third party, you can let your patient know as a courtesy unless it might pose a risk to the patient or someone else (for example, in mandatory reporting circumstances).

What documents should you supply to third parties?

Generally, you should supply a copy of the documents requested and keep the originals in your possession.

Read the request carefully to ensure you do not include documents not captured by the request and the scope of the patient’s authority. For example, a request from an insurer may be for all the medical records but the authority signed by the patient may only authorise a release of records relevant to the claim. Sometimes you may need to speak to the patient or otherwise consider what is relevant as what is medically relevant might differ from what is ‘legally relevant’.

Where a medical record contains sensitive information, for example about mental or sexual health issues, check the patient is aware that the authority they signed extends to these documents and confirm the patient agrees they can be released. The patient may not have considered the implications of releasing all the information held within their record, particularly very sensitive information. Document any conversations you have with the patient about this.

Sometimes correspondence from other doctors states that their letters should not be supplied to third parties without their consent. These letters form part of the patient’s medical record once you receive them and, like any other part of the record, should be provided to the patient or third party if within the scope of the request. You may wish to contact the other doctor to let them know their correspondence will be provided to the patient or third party, but this is not required.

You may charge the third party for the cost of providing access (considerations are similar to when you charge a patient, see above). 

Providing medical records to a third party

More information

For medico-legal advice, please contact us here, or call 1800 128 268, 24/7 in emergencies.

This publication is not comprehensive and does not constitute legal or medical advice. You should seek legal or other professional advice before relying on any content, and practise proper clinical decision making with regard to the individual circumstances. Persons implementing any recommendations contained in this publication must exercise their own independent skill or judgement or seek appropriate professional advice relevant to their own particular practice. Compliance with any recommendations will not in any way guarantee discharge of the duty of care owed to patients and others coming into contact with the health professional or practice. Avant is not responsible to you or anyone else for any loss suffered in connection with the use of this information. Information is only current at the date initially published.

Topic

Other resources

people in a court room

Coronial investigations and inquests

Shelf of medical records

Medical records - the essentials

Filing room of medical records

Privacy: the essentials

More ways we can help you

Indemnity insurance
Health insurance
Practice solutions
Finance
Legal services
Life & income protection

Our CPD courses for Avant members

Tick off some CPD hours and learn more with our in-depth eLearning courses, free for Avant members. Our courses include education activities, reviewing performance and measuring outcomes. 

Learn now

Need support?

Dealing with a medico-legal issue can be stressful. Find out how Avant and other organisations can help.

Key support services
To Top

NSW State Office AddressLevel 6, Darling Park 3, 201 Sussex Street, Sydney NSW 2000
Telephone 02 9260 9000 | Facsimile 02 9261 2921

Mailing addressPO Box 746 Queen Victoria Building NSW 1230

Connect with Avant

facebookxlinkedininstagramyoutube

In the spirit of reconciliation, Avant acknowledges the Traditional Custodians of Country throughout Australia, and their connections to land, sea and community. As a national organisation, we pay our respects to Elders past and present, of the lands on which we gather and work, and extend that respect to all Aboriginal and Torres Strait Islander peoples.

IMPORTANT: Professional indemnity insurance and the Practice Medical Indemnity Policy available from Avant Mutual Group Limited ABN 58 123 154 898 (Avant Mutual) are issued by Avant Insurance Limited, ABN 82 003 707 471, AFSL 238 765 (Avant). Avant Cyber Insurance cover is available to eligible Avant Practice Medical Indemnity Policy holders up to the cessation of their policy and is provided under a Group Policy between Liberty Mutual Insurance Company ABN 61 086 083 605 (Liberty) and Avant. Private health insurance products are issued by The Doctors’ Health Fund Pty Limited, ABN 68 001 417 527, a member of the Avant Mutual Group. Avant arranges Avant Business Insurance as agent of the insurer Allianz Australia Insurance Limited ABN 15 000 122 850, AFSL 234 708 (Allianz) and may receive a commission on each policy arranged. Avant Travel Cover is available under a Group Policy between QBE Insurance (Australia) Limited, ABN 78 003 191 035, AFSL 239 545 (QBE) and Avant Mutual. Avant Travel Cover is underwritten by QBE and Avant may receive a benefit for arranging cover. Avant Finance is a registered business name of Avant Doctors’ Finance Pty Ltd (ACN 637 769 361) and licensed to Avant Doctors’ Finance Brokers Pty Ltd (ABN 75 640 406 784). Avant Doctors’ Finance Brokers Pty Ltd is a wholly owned subsidiary of Avant Doctors’ Finance Pty Ltd. Loan products may be provided by Avant Doctors’ Finance Pty Ltd or arranged by Avant Doctors’ Finance Brokers Pty Ltd. Credit services or assistance to which the National Credit Code applies are provided by Avant Doctors’ Finance Brokers Pty Ltd as authorised Credit Representative (Credit Representative Number 523242) for LMG Broker Services Pty Ltd ACN 632 405 504 Australian Credit Licence 517192. Legal services are provided by Avant Law Pty Ltd ABN 63 136 429 153 (Avant Law). Liability limited by a scheme approved under Professional Standards Legislation. Legal practitioners employed by Avant Law are members of the scheme.


The information provided on this website is general advice only and has been prepared without taking into account your objectives, financial situation and needs. You should consider these, having regard to the appropriateness of the advice before deciding to purchase or continue to hold these products. For full details including the terms, conditions, and exclusions that apply, please read and consider the relevant Product Disclosure Statement or policy wording and Target Market Determination (TMD) which are available on this website or by contacting us on 1800 128 268. Information on this site does not constitute legal or professional advice, and is current as at the date of initial publication.