
Skin clinic breached privacy laws for failing to provide patient access to her medical records

Patients have the right to request a copy of their own medical records. You have obligations to respond to the request in a timely fashion.

Sunday, 23 February 2025

Key messages from the case

Privacy legislation in Australia gives patients the right to request access to their own medical records. Patients may also request a copy be provided to a third party. Unless they have a valid reason, healthcare providers who fail to provide the requested access, or do not respond within a reasonable time, are likely to breach their obligations under privacy laws.

Details of the decision

Access to medical records

The complainant, Ms VU, contacted a clinic requesting access to records of laser skin treatments she had received from the clinic’s only practitioner. She asked for copies of these records to be provided to her and to her dermatologist and provided the contact details for her dermatologist.

When she received no reply to multiple email requests over a three-month period, she made a formal complaint to the Office of the Australian Information Commissioner (OAIC). She asked the commissioner to order the clinic to give her access to her records.

Privacy law

The OAIC notified the clinic and the practitioner of the complaint. The practitioner apparently telephoned the OAIC but did not provide any information in response to the complaint.

Neither the clinic nor the practitioner provided the requested records or any information relevant to the OAIC’s investigation, including any explanation for the failure to provide Ms VU’s records to her or her dermatologist as requested.

Outcome

The commissioner determined that:

  • the clinic and practitioner were entities covered by Australian privacy law and therefore must comply with it
  • the practitioner had provided healthcare services to Ms VU and as such the information requested is covered by the privacy legislation provisions
  • the clinic and the practitioner had received Ms VU’s request, had failed to respond to it within a reasonable period, and had not provided any reason for refusing access
  • both the clinic and practitioner were in breach of their obligations under the privacy legislation.

The commissioner ordered the clinic and practitioner to provide Ms VU with a copy of the records she requested within 14 days of the order.

Key lessons

Under Australian privacy law, all healthcare providers are required to give patients access to their medical records or provide them with a copy, subject to some limited exceptions.

Provided that you have a valid authority from the patient, you will also usually be required to provide copies of patients’ records to a third party such as an insurer, solicitor or another healthcare practitioner.

A valid authority should:

  • be current (generally no older than 12 months)
  • clearly identify the records covered by the authority
  • identify the person to whom they should be released
  • ideally be in writing and signed by the patient. If you receive verbal authority to release the records, make a detailed note (including the information above) in the patient’s medical record.

If you have any doubt about the validity or scope of a patient’s authority, contact the patient to clarify. Document this discussion in the patient’s medical record.

If you are concerned about granting the patient access to their records, for example because of the effect on the patient’s health or wellbeing, contact Avant for advice.

Never ignore a request: failing to provide the records, or to respond to a patient’s request for access within a reasonable time, may be a breach of privacy laws. What is reasonable depends on the jurisdiction, as some jurisdictions (the Commonwealth, Victoria, New South Wales and the Australian Capital Territory) stipulate the required timeframes for responding to requests.

Additional resources

Avant factsheet – Privacy essentials 

Avant factsheet – Medical records: the essentials

Avant factsheet – Providing medical records to a third party

Office of the Australian Information Commissioner – Privacy guidance for health service providers

More information

For medico-legal advice, please contact us here, or call 1800 128 268, 24/7 in emergencies.

The case discussed in this publication is based on a real case. Certain information has been de-identified to preserve privacy and confidentiality. The information in this article does not constitute legal advice or other professional advice and should not be relied upon as such. It is intended only to provide a summary and general overview on matters of interest and it is not intended to be comprehensive. You should seek legal or other professional advice before acting or relying on any of its content. 


