• Medical records

    Good quality medical records are essential to the proper ongoing care of patients and the defence of any claims made against doctors.

    What is a medical record?

    A 'medical record' is a general term for all of the information collated about a patient for the purpose of treating that patient, including:

    • Progress notes - handwritten or computerised 
    • Specialists' letters and other correspondence
    • Test results
    • X-rays and scans
    • Photographs
    • Digital recordings
    • Appointment books and patient accounts

    Medical records should include the following information:

    • Patient identification
    • Information relevant to diagnosis or treatment
    • Treatment plan
    • Medication and dosage levels
    • Information and advice given, consent discussions
    • Details of any medical or surgical procedure (date, nature, who performed procedure, type of anaesthetic, tissues sent to pathology, results or findings, written consent)
    • Health summary that is easily accessible, including significant history, medications, allergies

    Medical records should also comply with any relevant legislation for record keeping.




    Who owns the medical record?

    In a private medical practice, the ownership of the medical records depends on the structure of the practice in which the doctor works. It is advisable for doctors to clarify ownership of the medical records at the beginning of a contract to avoid any disputes when the doctor leaves the practice as to whether copies of the medical records can be taken with the doctor.

    Subpoenas or summonses seeking production of medical records for legal proceedings should be addressed to the owner of the records.

    How should medical records be stored?

    Medical records may be kept in paper or electronic format, or a combination of both. Where a 'hybrid' of paper and electronic records is used, a system is required to cross reference the records for each patient. Electronic records need to be kept in a form that allows them to be printed out as required.

    How long should medical records be kept?

    Medical records should be retained for as long as required by relevant Australian, state or territory government legislation. Generally, this means that inactive individual patient medical records should be kept until the patient has reached the age of 25 years or for a minimum of seven years from the time of last contact - whichever is the longer.



    Disposal of paper-based medical records

    Disposing of paper copies of notes that have been transferred or scanned into the electronic records is allowed as long as the disposal is done in a manner which preserves confidentiality and complies with legislative requirements. In New South Wales, a register of all records that have been destroyed should be kept. Whilst this is not a requirement in other states, it would be considered good practice to keep a record in other states as well.

    Keeping medical records secure

    Organisations that hold health information must take reasonable steps to protect the information from loss and unauthorised use or disclosure.

    To ensure that electronic records are kept safe from damage, loss or theft, a complete backup of the computer record should be performed on a regular basis and the backup discs stored off-site. Computers should be password protected and the passwords changed on a regular basis.

    Seek advice from an IT specialist regarding protection against unauthorised access, amendment of records, computer viruses, firewalls and quality of resolution of scanned documents.

    See: RACGP Computer and information security standards (CISS)

    Access to medical records

    At common law, a patient does not have a right of access to his or her medical records. However, under privacy legislation, patients have a right to request access to their records. Access must be provided subject to any limitations and procedures set out in the legislation.

    Patients should ideally provide a written request for access to their records or to request a transfer of their records. A copy of the request should be kept in the patient's medical record.

    If a patient wishes to transfer to another doctor, the new practitioner is entitled to a treatment summary or a copy of the records. The transfer date and location of transferred records should be maintained in a register, and the transfer date added to the record.

    A reasonable cost can be charged for providing copies of medical records.

    E-health records

    Since July 2012, Australians have had the option of registering for a personally controlled electronic health record (PCEHR). This patient-controlled record is kept completely separate from the patient's electronic medical record. The fact that a patient may have a PCEHR does not alter the doctor's obligation to maintain a medical record for the patient.

    Access to, and disclosure of, information in the PCEHR is subject to the PCEHR Act 2012 (Commonwealth) and associated rules and regulations. Organisations registered with the PCEHR system should be aware of their obligations under the legislation.

    The Office of the Australian Information Commissioner (OAIC) regulates the handling of information under the PCEHR system. It recommends that health care providers should:

    • Develop robust processes for handling e-health records and ensure staff are adequately trained to follow them
    • Tell your patients about what information you intend to add to and access from their e-health records and explain what you will do with the information
    • Ensure that you do not collect more information from an e-health record than is necessary
    • Collect, use and disclose information in a patient's e-health record only for the limited and authorised purpose allowed under the e-health records system
    • Know how the e-health record system can be used in an emergency situation.

    Improving your practice

    • Doctors and medical staff owe a stringent ethical and legal duty to keep information given by their patients strictly confidential. These duties survive a patient's death.
    • Medical records should be kept secure. They should be stored out of public view and access at all times. Staff should not disclose their contents to anyone other than authorised personnel.
    • Information from medical records should not be disclosed without a patient's consent unless permitted as a matter of law. You should seek advice from Avant if in doubt about the disclosure of any health information.
    • Staff should be discreet in the type and nature of information they obtain from the patient in a public space.
    • Entries in the medical record should be legible and include a health summary with all relevant clinical information for that patient, e.g. current health problems, allergies/sensitivities, risk factors, medication, relevant social and family history and past problems. This information should be documented in a consistent location. The patient's contact details and who to contact in an emergency should also be recorded and updated regularly.
    • Each medical record should contain accurate information about each consultation, including date, reason for consultation, management plan, prescribed medication, preventative care undertaken, written and/or verbal instructions given to the patient, referral to other health care providers and identification of who conducted the consultation.
    • The information documented should be as factual and objective as possible and not derogatory, prejudicial or irrelevant as this may lead to inaccurate interpretation by other health care professionals and medico-legal implications.
    • Pathology results, diagnostic imaging reports and clinical correspondence should be reviewed by a doctor prior to filing.
    • The follow-up and recall of patients with abnormal results should be managed in collaboration with the referring treating doctor.
    • Identification, culling, storing and retrieving inactive medical records should be done annually, e.g. in January each year.
    • Access to medical records and financial/accounts information by the patient/relative, legal representative or other medical practitioners should comply with privacy legislation.


    RACGP Electronic health records

    RACGP Computer and Information security standards

    Privacy obligations of medical practitioners in regard to patients' records and health information:
    Nationally, the Privacy Act 1988
    In New South Wales - Health Records and Information Privacy Act 2002
    In Victoria - Health Records Act 2001
    In Australian Capital Territory - Health Records (Privacy and Access) Act 1997