Skin clinic breached privacy laws for failing to provide patient access to her medical records

Privacy legislation in Australia gives patients the right to request access to their own medical records. Patients may also request a copy be provided to a third party. Unless they have a valid reason, healthcare providers who fail to provide the requested access, or do not respond within a reasonable time, are likely to breach their obligations under privacy laws.

Access to medical records

The complainant, Ms VU, contacted a clinic requesting access to records of laser skin treatments she had received from the clinic’s only practitioner. She asked for copies of these records to be provided to her and to her dermatologist and provided the contact details for her dermatologist.

When she received no reply to multiple email requests over a three-month period, she made a formal complaint to the Office of the Australian Information Commissioner (OAIC). She asked the commissioner to order the clinic to give her access to her records.

Privacy law

The OAIC notified the clinic and the practitioner of the complaint. The practitioner apparently telephoned the OAIC but did not provide any information in response to the complaint.

Neither the clinic nor the practitioner provided the requested records or any information relevant to the OAIC’s investigation, including any explanation for the failure to provide Ms VU’s records to her or her dermatologist as requested.

The commissioner determined that:

• the clinic and practitioner were entities covered by Australian privacy law and therefore must comply with it
• the practitioner had provided healthcare services to Ms VU and as such the information requested is covered by the privacy legislation provisions
• the clinic and the practitioner had received Ms VU’s request, had failed to respond to it within a reasonable period, and had not provided any reason for refusing access
• both the clinic and practitioner were in breach of their obligations under the privacy legislation.

The commissioner ordered the clinic and practitioner to provide Ms VU with a copy of the records she requested within 14 days of the order.

 Under Australian privacy law, all healthcare providers are required to give patients access their medical records or provide them with a copy, subject to some limited exceptions.

Provided that you have a valid authority from the patient, you will also usually be required to provide copies of patients’ records to a third party such as an insurer, solicitor or another healthcare practitioner.

A valid authority should:

• be current (generally no older than 12 months)
• clearly identify the records covered by the authority
• identify the person to whom they should be released
• ideally be in writing and signed by the patient. If you receive verbal authority to release the records, make a detailed note (including the information above) in the patient’s medical record.

If you have any doubt about the validity or scope of a patient’s authority, contact the patient to clarify. Document this discussion in the patient’s medical record.

If you are concerned about granting the patient access to their records, for example because of the effect on the patient’s health or wellbeing, contact Avant for advice.

Never ignore a request because failing to provide the records or to respond to a patient’s request for access within a reasonable time may be a breach of privacy laws. It will depend on the jurisdiction as to what is reasonable as some jurisdictions (the Commonwealth, Victoria, New South Wales and the Australian Capital Territory) stipulate the required timeframes responding to requests.   

Avant factsheet – Privacy essentials 

Avant factsheet – Medical records: the essentials

Avant factsheet – Providing medical records to a third party

Office of the Australian Information Commissioner – Privacy guidance for health service providers

For medico-legal advice, please contact us here, or call 1800 128 268, 24/7 in emergencies.