A 'medical record' is a general term for all of the information
collated about a patient for the purpose of treating that patient.
Medical records should also comply with any relevant legislation
for record keeping.
Who owns the medical record?
In a private medical practice, the ownership of the medical
records depends on the structure of the practice in which the
doctor works. It is advisable for doctors to clarify ownership of
the medical records at the beginning of a contract to avoid any
disputes when the doctor leaves the practice as to whether copies
of the medical records can be taken with the doctor.
Subpoenas or summonses seeking production of medical records for
legal proceedings should be addressed to the owner of the
How should medical records be stored?
Medical records may be kept in paper or electronic format, or a
combination of both. Where a 'hybrid' of paper and electronic
records is used, a system is required to cross reference the
records for each patient. Electronic records need to be kept in a
form that allows them to be printed out as required.
How long should medical records be kept?
Medical records should be retained for as long as required by
relevant Australian, state or territory government legislation.
Generally, this means that inactive individual patient medical
records should be kept until the patient has reached the age of 25
years or for a minimum of seven years from the time of last contact,
whichever is the longer.
Disposal of paper-based medical records
Disposing of paper copies of notes that have been transferred or
scanned into the electronic records is allowed as long as the
disposal is done in a manner which preserves confidentiality and
complies with legislative requirements. In New South Wales, a
register of all records that have been destroyed should be kept.
Whilst this is not a requirement in other states, it would be
considered good practice to keep a record in other states as
Keeping medical records secure
Organisations that hold health information must take reasonable
steps to protect the information from loss and unauthorised use or
To ensure that electronic records are kept safe from damage,
loss or theft, a complete backup of the computer record should be
performed on a regular basis and the backup discs stored off-site.
Computers should be password protected and the passwords changed on
a regular basis.
Seek advice from an IT specialist regarding protection against
unauthorised access, amendment of records, computer viruses,
firewalls and quality of resolution of scanned documents.
See: RACGP Computer and information security standards
Access to medical records
At common law, a patient does not have a right of access to his
or her medical records. However, under privacy legislation,
patients have a right to request access to their records. Access must be provided subject to any limitations and
procedures set out in the legislation.
Patients should ideally provide a written request for access to their records
or to request a transfer of their records. A copy of the request
should be kept in the patient's medical record.
If a patient wishes to transfer to another doctor, the new
practitioner is entitled to a treatment summary or a copy of the
records. The transfer date and location of transferred records
should be maintained in a register, and the transfer date added to
A reasonable cost can be charged for providing copies of medical
Since July 2012, Australians have had the option of registering
for a personally controlled electronic health record (PCEHR). This
patient-controlled record is kept completely separate from the
patient's electronic medical record. The fact that a patient may
have a PCEHR does not alter the doctor's obligation to maintain a
medical record for the patient.
Access to, and disclosure of, information in the PCEHR is
subject to the PCEHR Act 2012 (Commonwealth) and associated rules
and regulations. Organisations registered with the PCEHR system
should be aware of their obligations under the legislation.
The Office of the Australian Information Commissioner (OAIC)
regulates the handling of information under the PCEHR system. It
recommends that health care providers should:
- Develop robust processes for handling e-health
records and ensure staff are adequately trained to follow them
- Tell your patients about what information you
intend to add to and access from their e-health records and explain
what you will do with the information
- Ensure that you do not collect more
information from an e-health record than is necessary
- Collect, use and disclose information in a
patient's e-health record only for the limited and authorised
purpose allowed under the e-health records system
- Know how the e-health record system can be
used in an emergency situation.
Improving your practice
- Doctors and medical staff owe a stringent ethical and legal
duty to keep information given by their patients strictly confidential. These
duties survive a patient's death.
- Medical records should be kept secure. They should be stored
out of public view and access at all times. Staff should not
disclose their contents to anyone other than authorised
- Information from medical records should not be disclosed
without a patient's consent unless permitted as a matter of law.
You should seek advice from Avant if in doubt about the disclosure
of any health information.
- Staff should be discreet in the type and nature of information
they obtain from the patient in a public space.
- Entries in the medical record should be legible and include a
health summary with all relevant clinical information for that
patient, e.g. current health problems, allergies/sensitivities,
risk factors, medication, relevant social and family history and
past problems. This information should be documented in a
consistent location. The patient's contact details and who to
contact in an emergency should also be recorded and updated
- Each medical record should contain accurate information about
each consultation, including date, reason for consultation,
management plan, prescribed medication, preventative care
undertaken, written and/or verbal instructions given to the
patient, referral to other health care providers and identification
of who conducted the consultation.
- The information documented should be as factual and objective
as possible and not derogatory, prejudicial or irrelevant as this
may lead to inaccurate interpretation by other health care
professionals and medico-legal implications.
- Pathology results, diagnostic imaging reports and clinical
correspondence should be reviewed by a doctor prior to filing.
- The follow-up and recall of patients with abnormal results
should be managed in collaboration with the referring treating
- Identification, culling, storing and retrieving inactive
medical records should be done annually, e.g. in January each
- Access to medical records and financial/accounts information by
the patient/relative, legal representative or other medical
practitioners should comply with privacy legislation.
RACGP Electronic health records
RACGP Computer and Information security standards
Privacy obligations of medical practitioners in regard to patients' records and health information:
Nationally, the Privacy Act 1988
In New South Wales - Health Records and Information Privacy Act 2002
In Victoria - Health Records Act 2001
In Australian Capital Territory - Health Records (Privacy and Access) Act 1997