Storing, retaining and disposing of medical records

Monday, 12 August 2019

Quick guide

  • Keep medical records securely and in a way that preserves the patient’s confidentiality.
  • Retain medical records of adult patients for a minimum of seven years from the date of last entry and for children until they would have reached 25 years old. Follow any specific hospital policies that apply in your state or territory.
  • Destroy medical records securely to preserve patient confidentiality. Keep a register of all records that have been destroyed.

A medical record provides chronological information that you collect about a patient to help you or another practitioner understand the history, prognosis and treatment of that patient. There are specific requirements regarding the storage, retention and disposal of these records. The record not only includes the notes that you make, but can also include a variety of sources and media including:

  • information provided by the patient
  • progress notes (handwritten or electronic) made by you or another practitioner
  • referral letters
  • discharge summaries
  • x-rays, pathology and other test results
  • photographs
  • specialist letters and medico-legal reports.

Storing medical records

Medical records can be kept as physical files or electronically. Electronic files must be capable of being printed. All medical records, regardless of how they are kept, must be stored in a manner that:

  • preserves the confidentiality of the patient
  • protects against misuse or unauthorised access, disclosure or modification
  • prevents damage, loss or theft
  • allows reasonable access to ensure continuity of treatment.

You must take all reasonable steps to protect the security of your medical records. The requirements for securely storing records have different practical applications for electronic and hardcopy records.

For example, electronic medical records should be password protected, backed up regularly and backed up offsite. You should use antivirus software, keep your portable devices safe and secure and encrypt your files where possible. Hardcopy records should be stored in a locked filing cabinet or in a secured dedicated room at the practice, or by a secure storage provider. For more tips on how to do this, please read our factsheet: Preventing data breaches.

Retaining medical records

Different jurisdictions and organisations have different requirements for retaining records. Many doctors keep medical records for as long as possible. While this may be sensible in some cases, it can be at odds with Australian privacy law requirements.

How long do I ordinarily have to retain medical records?

Avant recommends that all doctors retain the complete medical record of an adult patient for at least seven years from “the date of last entry” in the record. This usually means the patient’s last consultation with you but could also include entries such as the date you last telephoned the patient or received test results and updated the file.

If the patient was aged under 18 years at the date of the last entry in the medical record, you must wait until that patient would have turned 25 years old before you can dispose of the record.

New South Wales, Victoria and the Australian Capital Territory have specific legislation relating to medical records and health information. In these jurisdictions the legislation requires doctors to retain records for the times specified above. For doctors practising in states and territories without specific legislation, Avant recommends using the NSW, Victoria and ACT requirements as a guide and keeping records for the same minimum period.

Obstetric records, which often contain information about the baby and the mother, should be retained for 25 years from the birth of the child.

Patient age at date of last entry | Keep record at least
Infant (obstetric records) | For 25 years from child’s birth
Under 18 | Until child turns / would have turned 25
18 or over | 7 years from date of last entry

Other requirements to retain records

Doctors must keep all documents related to a claim under Medicare for at least two years from the date the service was provided. By keeping records for seven years you will also satisfy this requirement.

If Medicare claims are audited by the Department of Health, you are required to keep all the records relating to that claim until the audit is finalised.

If a patient has expressed dissatisfaction about their treatment or has had an adverse outcome, the patient or their family could take legal action or make a complaint to the regulator. In this situation, your medical records will become the foundation of your defence so you should retain them for as long as needed to defend the claim or complaint. If litigation or an investigation has commenced, retain your medical records until the action has concluded and you have sought legal advice about how long to keep them.

What if I work in the public sector?

Public sector hospitals and facilities have specific authorities, policies and guidelines to manage medical records. Record management requirements can depend on a number of factors including the state or territory where the patient sought care, their illness, their age and even their ethnicity. Doctors will need to be aware of these requirements if they are practising in both public and private facilities, such as co-located hospitals. Generally, if the hospital or facility holds the medical record it will be managed by that facility and covered by its policies. However, you should check for any specific requirements relating to medical records in hospitals or organisations where you work.

If you also see a patient in your private rooms, that medical record is covered by the privacy and medical records legislation and the rules as outlined in this factsheet.

Disposing of medical records

Do I have to dispose of records at a particular time?

There is no legislation that mandates that you have to destroy records at a specific time. However, you do have an obligation under Australian privacy law to destroy or permanently de-identify information collected for a specific purpose when you no longer need it for that purpose. This includes medical records.

Avant recommends that if you have kept a medical record for the minimum period (as outlined above) and there is no other reason to keep it (as outlined above), you should dispose of the record.

How should I dispose of records?

Records must be destroyed securely to maintain the patient’s confidentiality and to protect the records against misuse or unauthorised access, disclosure or modification, and damage, loss or theft.

Many practices have secure destruction bins on site, which is a good option for hardcopy files or documents. These bins are routinely collected or special collection can be arranged.

There are service companies that offer secure document destruction that can also provide certification that the records were destroyed securely. If you dispose of the medical records yourself, destroy them in a way that ensures the patient cannot be identified.

For electronic records, ensure you completely delete files or dispose of devices appropriately. You should refer to your IT service provider to understand your options about deleting electronic files and disposing of devices.

In NSW, Victoria and the ACT, legislation states that you must keep a register of all medical records that are destroyed. The register must include the patient’s name, the period covered by the medical record and the date it was destroyed. Keep the register securely as it contains patients’ private information. Avant recommends doctors in all states and territories keep a register. See the template below for a register that you could use.

Patient name: | Patient’s date of birth: | Date of first entry in record: | Date of last entry in record: | Date record destroyed:

More information

For medico-legal advice, please contact us on nca@avant.org.au or call 1800 128 268, 24/7 in emergencies.


This publication is not comprehensive and does not constitute legal or medical advice. You should seek legal or other professional advice before relying on any content, and practise proper clinical decision making with regard to the individual circumstances. Persons implementing any recommendations contained in this publication must exercise their own independent skill or judgement or seek appropriate professional advice relevant to their own particular practice. Compliance with any recommendations will not in any way guarantee discharge of the duty of care owed to patients and others coming into contact with the health professional or practice. Avant is not responsible to you or anyone else for any loss suffered in connection with the use of this information. Information is only current at the date initially published.
