
Storing, retaining and disposing of medical records
You must take all reasonable steps to protect the security of your medical records. The requirements for securely storing records have different practical applications for electronic and hardcopy records.
Wednesday, 26 February 2025
Quick guide
- Keep medical records securely and in a way that preserves the patient’s confidentiality.
- Retain medical records of adult patients for a minimum of seven years from the date of last entry, and for children until they reach or would have reached 25 years old. Follow any specific hospital policies that apply in your state or territory.
- Destroy medical records securely to preserve patient confidentiality. Keep a register of all records that have been destroyed.
The term ‘medical record’ refers to the collection of various health information held about a patient’s medical history, care and treatment. It includes information contained in a patient’s progress notes, correspondence between healthcare providers and with the patient, pathology and radiology images and reports, other test results, clinical images, medical certificates and assessments. It may also include medico-legal reports prepared by a treating doctor at the request of lawyers or insurers (but not reports prepared as an independent expert witness, as these are not records for a patient). For more information see Avant’s factsheet: Medical records – the essentials.
Storing medical records
All medical records, regardless of how they are kept, must be stored in a manner that:
- preserves the patient’s confidentiality
- protects against misuse or unauthorised access, disclosure or modification
- prevents damage, loss or theft
- allows reasonable access to ensure continuity of treatment.
You must take all reasonable steps to protect the security of your medical records. This means there must be practical measures in place for how records are stored and who has access to them. These will be different for electronic and hard copy records.
You can keep medical records in paper or electronic format, or a combination of both. Where there is a hybrid of paper and electronic records, use a system that allows you to cross-reference between all records for each patient.
Electronic medical records should be password-protected and backed up regularly, with a copy of the backup held offsite. You should use antivirus software, keep your portable devices safe and secure, and encrypt your files where possible so they are protected from unauthorised access, for example through a cyber-attack.
Hard copy records should be stored in a locked filing cabinet or a secured dedicated room at the practice, or with a secure storage provider.
Privacy legislation requires you to preserve the confidentiality of the patient’s information and prevent damage, loss or theft of records. While it is unlikely you would be considered responsible for the theft of records from a properly secured practice premises, you may be responsible for the theft of patient information from a vehicle or home if not properly secured.
If a data breach does occur, you may be required to notify the patients affected and the Australian Information Commissioner. For more information, see our factsheet: Responding to a data breach
Retaining medical records
Different jurisdictions and organisations have different requirements for retaining records. Many doctors keep medical records for as long as possible; however, this may not comply with your obligations under Australian privacy law.
How long should I keep medical records?
We recommend that you keep the complete medical record of an adult patient for at least seven years from “the date of last entry” in the record. This usually means the patient’s last consultation with you but could also include entries such as the date you last telephoned the patient or received test results and updated the file.
If the patient was under 18 years of age at the date of the last entry in the medical record, you must wait until that patient turns or would have turned 25 years old before you can dispose of the records.
New South Wales, Victoria and the Australian Capital Territory have specific legislation relating to medical records and health information. In these jurisdictions, the legislation requires doctors to retain records for the length of time specified above.
For doctors practising in states and territories without specific legislation, we recommend using the NSW, Victorian and ACT requirements as a guide and keeping records for the same minimum period.
Obstetric records, which often contain information about the baby and the mother, should be kept for 25 years from the birth of the child.
| Patient age at date of last entry | How long to keep the record |
| --- | --- |
| Infant (obstetric records) | For 25 years from child’s birth |
| Under 18 | Until child turns / would have turned 25 |
| 18 and over | 7 years from date of last entry |
Other requirements to keep records
You must keep all documents related to a claim under Medicare for at least two years from the date the service was provided. By keeping the patient’s records for seven years you will also satisfy this requirement.
If Medicare claims are audited by the Department of Health and Aged Care, you must keep all the records relating to each claim until the audit is finalised.
If a patient has expressed dissatisfaction about their treatment or has had an adverse outcome, the patient or their family could take legal action or make a complaint to the regulator. In this situation, your medical records will be important when investigating the claim or complaint, so you should retain them for as long as needed to defend the claim or complaint. If litigation or an investigation has commenced, keep your medical records until this has been finalised. If this applies to you, seek advice from your lawyer.
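The retention table above, together with the audit and litigation exceptions just described, as an added worked example (this is illustrative code, not Avant's or any regulator's tool). It assumes the caller supplies the patient's date of birth (for obstetric records, the child's), the date of last entry, and a `legal_hold` flag meaning an audit, complaint or claim is still open.

```python
from datetime import date


def add_years(d: date, years: int) -> date:
    """Add whole years; a 29 February anniversary falls back to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def age_on(date_of_birth: date, on: date) -> int:
    """Completed years of age on the given date (birthday not yet reached
    in that calendar year counts as one year less)."""
    years = on.year - date_of_birth.year
    if (on.month, on.day) < (date_of_birth.month, date_of_birth.day):
        years -= 1
    return years


def earliest_disposal_date(date_of_birth: date, date_of_last_entry: date,
                           obstetric: bool = False) -> date:
    """Minimum retention per the factsheet table:
    - obstetric records: 25 years from the child's birth (pass the child's DOB)
    - patient under 18 at the date of last entry: until they turn, or would
      have turned, 25
    - 18 and over: 7 years from the date of last entry
    Under-18 at last entry implies last_entry < dob + 18y, so dob + 25y is
    always the later (binding) date; no max() is needed."""
    if obstetric or age_on(date_of_birth, date_of_last_entry) < 18:
        return add_years(date_of_birth, 25)
    return add_years(date_of_last_entry, 7)


def may_dispose(today: date, date_of_birth: date, date_of_last_entry: date,
                obstetric: bool = False, legal_hold: bool = False) -> bool:
    """True only when the minimum period has passed AND no Medicare audit,
    complaint, investigation or litigation is still open (legal_hold).
    A hold overrides the schedule: the record is kept until it is finalised."""
    if legal_hold:
        return False
    return today >= earliest_disposal_date(date_of_birth, date_of_last_entry,
                                           obstetric)


if __name__ == "__main__":
    # Constructed sample: adult patient, last seen 15 March 2020.
    print(earliest_disposal_date(date(1980, 5, 10), date(2020, 3, 15)))  # 2027-03-15
```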
What if I work in the public sector?
Public hospitals and facilities have specific legislation, policies, and guidelines about managing medical records. The requirements can depend on several factors including the state or territory where the patient sought care, their illness, their age, and other individual factors.
If you work across both public and private facilities, be aware that different legislation, policies, and guidelines may apply in each facility. It is important to understand the requirements that apply in all settings where you work, to ensure you remain compliant.
Generally, if the hospital or facility holds the medical record it will be managed by that facility and covered by its policies. However, check for any specific requirements relating to medical records in hospitals or organisations where you work.
Disposing of medical records
When do I have to destroy records?
There is no legislation that mandates that you must destroy records at a specific time. However, you do have an obligation under Australian privacy law to destroy or permanently de-identify information collected for a specific purpose when you no longer need it for that purpose. This includes medical records where the patient’s health information is collected for the purpose of providing healthcare.
We recommend that if you have kept a medical record for the minimum period and there is no other reason to keep it (as outlined above), you should destroy the record once the minimum period has passed.
How should I dispose of records?
Records must be destroyed securely to maintain the patient’s confidentiality and to protect the records against misuse or unauthorised access, disclosure or modification, and damage, loss or theft.
Many practices have secure destruction bins on-site managed by specialist providers, which is a good option for hard copy files or documents.
Companies that offer secure document destruction can also often provide certification that the records were destroyed securely. If you dispose of the medical records yourself, destroy them in a way that ensures the patient cannot be identified.
For electronic records, ensure you completely delete files or dispose of devices appropriately. You should refer to your IT service provider to understand your options for deleting electronic files and disposing of devices.
In NSW, Victoria and the ACT, legislation states that you must keep a register of all medical records that are destroyed. The register must include the patient’s name, the period covered by the medical record and the date it was destroyed. Keep the register secure as it contains patient information. We recommend this type of register be used in all states and territories. Here is a suggested template:
| Patient name | Patient’s date of birth | Date of first entry in record | Date of last entry in record | Date record destroyed |
| --- | --- | --- | --- | --- |
|  |  |  |  |  |
Additional resources
Avant factsheet: Medical records-the essentials
More information
For medico-legal advice, please contact us here, or call 1800 128 268, 24/7 in emergencies.
This publication is not comprehensive and does not constitute legal or medical advice. You should seek legal or other professional advice before relying on any content, and practise proper clinical decision making with regard to the individual circumstances. Persons implementing any recommendations contained in this publication must exercise their own independent skill or judgement or seek appropriate professional advice relevant to their own particular practice. Compliance with any recommendations will not in any way guarantee discharge of the duty of care owed to patients and others coming into contact with the health professional or practice. Avant is not responsible to you or anyone else for any loss suffered in connection with the use of this information. Information is only current at the date initially published.