Storing, retaining and disposing of medical records

• Keep medical records securely and in a way that preserves the patient’s confidentiality.
• Retain medical records of adult patients for a minimum seven years from the date of last entry and for children until they would have reached 25 years old. Follow any specific hospital policies that apply in your state or territory.
• Destroy medical records securely to preserve patient confidentiality. Keep a register of all records that have been destroyed.

A medical record provides chronological information that you collect about a patient to help you or another practitioner understand the history, prognosis and treatment of that patient. There are specific requirements regarding the storage, retention and disposal of these records. The record not only includes the notes that you make, but can also include a variety of sources and media including:

• information provided by the patient
• progress notes (handwritten or electronic) made by you or another practitioner
• referral letters
• discharge summaries
• x-rays, pathology and other test results
• photographs
• specialist letters and medico-legal reports.

Medical records can be kept as physical files or electronically. Electronic files must be capable of being printed. All medical records, regardless of how they are kept, must be stored in a manner that:

• preserves the confidentiality of the patient
• protects against misuse or unauthorised access, disclosure or modification
• prevents damage, loss or theft
• allows reasonable access to ensure continuity of treatment.

You must take all reasonable steps to protect the security of your medical records. The requirements for securely storing records have different practical applications for electronic and hardcopy records.

For example, electronic medical records should be password protected, backed up regularly and backed up offsite. You should use antivirus software, keep your portable devices safe and secure and encrypt your files where possible. Hardcopy records should be stored in a locked filing cabinet or in a secured dedicated room at the practice, or by a secure storage provider. You must take all reasonable steps to protect the security of your medical records. For more tips on how to do this, please read our factsheet: Preventing data breaches.

Different jurisdictions and organisations have different requirements for retaining records. Many doctors keep medical records for as long as possible. While this may be sensible in some cases, it can be at odds with Australian privacy law requirements.

How long do I ordinarily have to retain medical records?

Avant recommends that all doctors retain the complete medical record of an adult patient for at least seven years from “the date of last entry” in the record. This usually means the patient’s last consultation with you but could also include entries such as the date you last telephoned the patient or received test results and updated the file.

If the patient was aged under 18 years at the date of the last entry in the medical record, you must wait until that patient would have turned 25 years old before you can dispose of the record.

New South Wales, Victoria and the Australian Capital Territory have specific legislation relating to medical records and health information. In these jurisdictions the legislation requires doctors to retain records for the times specified above. For doctors practising in states and territories without specific legislation, Avant recommends using the NSW, Victoria and ACT requirements as a guide and keeping records for the same minimum period.

Obstetric records, which often contain information about the baby and the mother, should be retained for 25 years from the birth of the child.

Other requirements to retain records

Doctors must keep all documents related to a claim under Medicare for at least two years from the date the service was provided. By keeping records for seven years you will also satisfy this requirement.

If Medicare claims are audited by the Department of Health, you are required to keep all the records relating to that claim until the audit is finalised.

If a patient has expressed dissatisfaction about their treatment or has had an adverse outcome, the patient or their family could take legal action or make a complaint to the regulator. In this situation, your medical records will become the foundation of your defence so you should retain them for as long as needed to defend the claim or complaint. If litigation or an investigation has commenced, retain your medical records until the action has concluded and you have sought legal advice about how long to keep them.

What if I work in the public sector?

Public sector hospitals and facilities have specific authorities, policies and guidelines to manage medical records. Record management requirements can depend on a number of factors including the state or territory where the patient sought care, their illness, their age and even their ethnicity. Doctors will need to be aware of these requirements if they are practising in both public and private facilities, such as co-located hospitals. Generally, if the hospital or facility holds the medical record it will be managed by that facility and covered by its policies. However, you should check for any specific requirements relating to medical records in hospitals or organisations where you work.

If you also see a patient in your private rooms, that medical record is covered by the privacy and medical records legislation and the rules as outlined in this factsheet.

Do I have to dispose of records at a particular time?

There is no legislation that mandates that you have to destroy records at a specific time. However, you do have an obligation under Australian privacy law to destroy or permanently de-identify information collected for a specific purpose when you no longer need it for that purpose. This includes medical records.

Avant recommends that if you have kept a medical record for the minimum period (as outlined above) and there is no other reason to keep it (as outlined above), you should dispose of the record.

How should I dispose of records?

Records must be destroyed securely to maintain the patient’s confidentiality and to protect the records against misuse or unauthorised access, disclosure or modification, and damage, loss or theft.

Many practices have secure destruction bins on site, which is a good option for hardcopy files or documents. These bins are routinely collected or special collection can be arranged.

There are service companies that offer secure document destruction that can also provide certification that the records were destroyed securely. If you dispose of the medical records yourself, destroy them in a way that ensures the patient cannot be identified.

For electronic records, ensure you completely delete files or dispose of devices appropriately. You should refer to your IT service provider to understand your options about deleting electronic files and disposing of devices.

In NSW, Victoria and the ACT, legislation states that you must keep a register of all medical records that are destroyed. The register must include the patient’s name, the period covered by the medical record and the date it was destroyed. Keep the register securely as it contains patients’ private information. Avant recommends doctors in all state and territories keep a register. See template of a register that you could use below.

For medico-legal advice, please contact us on nca@avant.org.au or call 1800 128 268, 24/7 in emergencies.