Female presenting legal document to secondary individual

Providing medical records to a third party

Requests for medical records may come from the patient themselves, from another person or organisation, or via a court order such as a subpoena, summons or other court notice. We summarise your responsibilities in this factsheet.

Tuesday, 5 October 2021

Quick guide

  • A valid authority must accompany a request for records from a third party.
  • Authorities must be current, signed by the patient and specific enough for you to comply with – including which records should be released and to whom.
  • There are times when you may be legally required to release patient information to a third party without consent, such as when you receive a subpoena, summons or when legislation requires it.

When to provide information to third parties

Patients often request their medical records themselves. However, you may receive a request for a patient's medical record from a third party. 

You can provide copies of records to a third party if you have the patient’s consent to do so. 

Requests can come in many forms, but the common ones include:

  • a letter from a solicitor for the purpose of legal proceedings
  • an insurer asking for medical records in relation to a patient’s workers’ compensation or life insurance claim
  • a patient's employer asking you for information about their medical condition

Where a request is accompanied by a valid 'authority' (the patient's consent), it is generally appropriate to provide copies of the records to the requesting third party. 

The requirements for an authority to be valid are that it should:

  • clearly indicate to whom the records can be released
  • clearly identify the records covered by the authority
  • be reasonably current. Generally, you should query authorities older than 12 months.

Ideally, the authority should be in writing and signed by the patient. If you received verbal authority to release the records, take a detailed note (including about the details above) and store it in the patient’s medical record. If you have any doubt about the patient’s authority, you should contact the patient to clarify. Document this discussion in the patient’s medical record.

Recent changes from the Financial Services Council allow life insurers to request your patient's health information using two standard authorities. Authority 1 allows the insurer access to a patient's records, including imaging and tests, but excluding, importantly, a GP's consultation notes. Authority 2 allows a life insurer to request the entire file, including the notes, if the GP doesn't respond to Authority 1.

Compulsion by law

You have a legal obligation to provide a patient’s medical records to a third party (without the need to seek a patient's authority) in these circumstances:

  • Legislation requires you to do so – such as public health requirements to report infectious diseases, or mandatory reporting of children at risk.
  • You receive a summons or subpoena to produce medical records to a court or tribunal.
  • You receive a notice of non-party disclosure (Queensland and the ACT).
  • You receive a warrant from the police to produce documents. A verbal request from the police will not be enough for you to produce information or records. 

If you are legally compelled to release records to a third party, we recommend you let your patient know.

What documents should you supply? 

You should supply a copy of the record and keep the original in your possession.

You should read the request carefully to ensure you do not include or exclude documents captured by the request and the scope of the patient’s authority. For example, a request from an insurer may be for all the medical records but the authority signed by the patient may only authorise a release of records relevant to the claim.

Where a medical record contains sensitive information, for example about mental or sexual health issues, check the patient is aware that the authority they signed may extend to these documents and confirm they can be released. The patient may not have considered the implications of releasing all the information held within their record, particularly very sensitive information. Document any conversations you have with the patient in this regard.

Sometimes specialists write to general practitioners stating that their letters should not be supplied to third parties without their consent. These letters form part of the patient’s medical record and, like any other part of the record, such as personal notes or photographs, should be produced to the patient or third party whether or not the specialist has provided specific consent. It is important to keep in mind though, who may read letters or patient notes when you are documenting care. Ensure your notes remain professional.

Limited exceptions not to provide records

There may be situations in which you are concerned about providing records to a third party even though there is a valid authority or a legal requirement to do so. It may be possible to object to providing records in certain circumstances.

This could include a situation where supplying the records will, in your opinion, result in significant harm to an individual, or you think the request is unclear. Objections are rarely successful in a medical case; we recommend you contact Avant for advice if you are concerned about providing records.

Providing medical records to a third party

More information

For medico-legal advice, please contact us on nca@avant.org.au or call 1800 128 268, 24/7 in emergencies.

Download factsheet

Providing medical records to a third party


This publication is not comprehensive and does not constitute legal or medical advice. You should seek legal or other professional advice before relying on any content, and practise proper clinical decision making with regard to the individual circumstances. Persons implementing any recommendations contained in this publication must exercise their own independent skill or judgement or seek appropriate professional advice relevant to their own particular practice. Compliance with any recommendations will not in any way guarantee discharge of the duty of care owed to patients and others coming into contact with the health professional or practice. Avant is not responsible to you or anyone else for any loss suffered in connection with the use of this information. Information is only current at the date initially published.

Our CPD courses for Avant members

Tick off some CPD hours and learn more with our in-depth eLearning courses, free for Avant members. Our courses include education activities, reviewing performance and measuring outcomes. 

Learn now

Need support?

Dealing with a medico-legal issue can be stressful. Find out how Avant and other organisations can help.

To Top