Two professional women looking at a medical record

Interview with SA Health CMIO: when is it appropriate to access medical records?

We spoke to the CMIO of SA Health, Dr Santosh Verghese, about how his organisation uses technology to encourage safe, quality and professional medical practice when it comes to accessing medical records.

Georgie Haysom, BSc, LLB (Hons) LLM (Bioethics), GAICD, General Manager, Advocacy, Education and Research, Avant

Clinicians access patients’ medical records all the time, but not every instance is appropriate. In fact, the consequences of inappropriately accessing medical records can be severe. 

In South Australia, there have been multiple high-profile incidents of clinicians inappropriately accessing medical records and losing their jobs as a result. To find out more about how the health department handles privacy breaches, and how clinicians can avoid doing the wrong thing, we spoke to Dr Santosh Verghese, the Chief Medical Information Officer (CMIO) at SA Health. 

Dr Verghese has 24 years of experience as an intensive care physician and works at Flinders Medical Centre in South Australia. “I split my time equally between working as an intensive care specialist and serving as a Chief Medical Information Officer (CMIO), where I bridge the gap between frontline clinical care and the digital health environment,” he says.  

“I use my clinical experience to ensure the digital capabilities we design and implement are practical, fit for purpose, and genuinely support the needs of patients, clinicians, and the broader health system.” 

When it comes to accessing medical records, Dr Verghese says that, while hospitals and health departments have policies and procedures in place, many clinicians aren’t aware of the rules within the organisation they work for. In SA Health, all policies and procedures relating to safe medical practice are on the intranet for clinicians to access, but he admits that sometimes this information is hard to find. 

“There are very clear policies on access to records: who can access the record, in what circumstances you can access the record, and how you can use that record within your scope of practice,” he says. 

“All of us have to do mandatory training on data access and data privacy, but it’s not every year.” 

Dr Verghese also points out that when a clinician enters an electronic medical record (EMR) for the first time, they’ll be asked to confirm they are accessing it for the right reasons, but many clinicians don’t read the terms and conditions. 

“Most people click past the prompt and don’t read through their responsibilities,” he says. “When there is a major update, we try to bring it to their attention, but we don’t want to do it every time a clinician accesses the EMR because it hinders them.” 

It is the clinician’s responsibility, contractually, to understand the policies and not breach privacy legislation, he says. 

Detecting and dealing with misconduct in South Australia

So how did it come to the attention of SA Health that clinicians were inappropriately accessing high-profile patients’ medical records? 

Digital Health SA (DHSA) uses technology to monitor activity within EMRs and clinical systems, tracking who accesses them, particularly when a high-profile individual is admitted to the hospital. 

"The EMR includes a 'break glass' feature," he explains. "When a clinician accesses a patient’s record outside their direct care, a popup appears, and the clinician must enter a valid reason to view the patient’s case notes. To proceed, the clinician documents the clinical justification into the patient record, verifying the legitimacy of their access. On the backend, this action is flagged, indicating that 'glass has been broken’.” 

When a clinician accesses a record outside their direct care, an informal assessment takes place to evaluate the situation. 

“DHSA’s security team can review who has triggered the 'break glass' feature and track every screen and document accessed. If there are concerns about inappropriate access to a patient’s clinical record, a review is conducted. As part of the review process, the organisation sends an initial email to the clinician, asking them to explain the reason for access. In 99% of cases, this is the result of a valid request to consult on the patient. However, for the 1% who cannot provide a valid explanation, the case is escalated for further assessment.” 

Dr Verghese says the patient doesn’t have to be high profile for DHSA to monitor activity in the EMR. It could be a vulnerable person, like a victim of a violent relationship. The organisation can also run random audits to ensure that patient privacy is maintained. 

We asked Dr Verghese how clinicians feel about being monitored in this way. 

“There are two parties involved,” he explains. “The patient, who has no power in this situation, relies on us to provide care while safeguarding their privacy. They expect that everyone involved will act responsibly and do the right thing. 

“The way I explain this to clinicians is by comparing it to banking security. If you had a bank account, would you want the bank to run random checks to detect unauthorised access? And would you consider that ethical and legal? Absolutely. That’s exactly what we’re doing.” 

Accessing medical records for educational purposes

A common reason clinicians face scrutiny for accessing medical records is using them for training purposes. For example, a clinician may have treated a patient and later wants to review the record to see the treatment outcome. Alternatively, a consultant may instruct a clinician to review a record for learning purposes. 

So how do clinicians navigate this? 

“That’s a great question, and one I get asked often,” says Dr Verghese. “In our system, when you trigger the ‘break glass’ feature, there is a designated field where you can enter the reason for accessing the record.  

“Make the most of the features available,” he advises. "We are looking for every legitimate reason a clinician had to access the record. Our goal is not to penalise clinicians for doing the right thing – if there’s a valid reason, document it." 

Situations where clinicians get in trouble

"One area where clinicians run into issues is with the integration of the EMR and My Health Record," explains Dr Verghese.  

"Although this is widely known, many clinicians don’t realise that when they access a patient’s My Health Record, it immediately triggers a notification on the patient’s mobile. However, this does not provide the patient with information about why the record has been accessed. 

"The other issue is a lack of awareness around the intended use of My Health Record. According to its guidelines, it is meant for primary use – direct patient care – not secondary use, such as research. We’re working with the Digital Health Agency on this, and we are adding a popup reminder stating, ‘You shouldn’t be using this for research.’ This pop up will need to be acknowledged before opening ‘My Health Record’. Our goal is to make compliance as straightforward as possible.” 

The uncertainty around whether records can be accessed for educational purposes understandably creates confusion. However, Dr Verghese emphasises that in over 95% of cases, clinicians have a valid clinical reason for access, and the issue does not escalate. When a clinician does not have a legitimate reason, it becomes an HR matter. Depending on the nature of the breach, they may be required to retake patient confidentiality training or face other disciplinary action.  

"It could be a first-time mistake or a medical student who wasn’t aware of the rules, in which case they might receive a warning – depending on the severity of the breach and whether they acknowledge it. But if it’s a repeated issue or results in a breach of patient privacy, it can become much more serious.” 

Dr Verghese advises clinicians to seek clarification if they are unsure about accessing a record. 

"Most people encounter problems right after transitioning to a new system. I recommend asking colleagues who are familiar with it, ‘Is this allowed?’ That’s a good way to avoid issues. 

"And if in doubt, document it. Good documentation is key." 

Key takeaways

The main takeaways for clinicians from our chat with Dr Verghese are: 

  • Hospitals and local health districts have their own policies and procedures about data access. You should familiarise yourself with the policies to ensure you are not in breach. 
  • You should not access a medical record unless you have a legitimate reason to do so. 
  • Document every time you access the medical record of a patient not in your care, for patient follow-up, or for approved research. 
  • If you require medico-legal advice about accessing records, contact our Medico-legal Advisory Service 
  • For more information about medical records, visit our collection page of educational resources like factsheets and eLearning courses. 

References and further reading

Factsheet: Medical records the essentials 

Ahpra – Meeting your professional obligations when using artificial intelligence in healthcare

More information

For medico-legal advice, please contact us here, or call 1800 128 268, 24/7 in emergencies.

This publication is not comprehensive and does not constitute legal or medical advice. You should seek legal or other professional advice before relying on any content, and practise proper clinical decision making with regard to the individual circumstances. Persons implementing any recommendations contained in this publication must exercise their own independent skill or judgement or seek appropriate professional advice relevant to their own particular practice. Compliance with any recommendations will not in any way guarantee discharge of the duty of care owed to patients and others coming into contact with the health professional or practice. Avant is not responsible to you or anyone else for any loss suffered in connection with the use of this information. Information is only current at the date initially published.

Topic

Other resources

Medical record documents and computer

Medical record issues in claims

young female doctor holding medical record

Unauthorised access to 35 patients’ records sees trainee doctor suspended

Medical records: what you need to know

More ways we can help you

Indemnity insurance
Health insurance
Practice solutions
Finance
Legal services
Life & income protection

Our CPD courses for Avant members

Tick off some CPD hours and learn more with our in-depth eLearning courses, free for Avant members. Our courses include education activities, reviewing performance and measuring outcomes. 

Learn now

Need support?

Dealing with a medico-legal issue can be stressful. Find out how Avant and other organisations can help.

Key support services
To Top

NSW State Office AddressLevel 6, Darling Park 3, 201 Sussex Street, Sydney NSW 2000
Telephone 02 9260 9000 | Facsimile 02 9261 2921

Mailing addressPO Box 746 Queen Victoria Building NSW 1230

Connect with Avant

facebookxlinkedininstagramyoutube

In the spirit of reconciliation, Avant acknowledges the Traditional Custodians of Country throughout Australia, and their connections to land, sea and community. As a national organisation, we pay our respects to Elders past and present, of the lands on which we gather and work, and extend that respect to all Aboriginal and Torres Strait Islander peoples.

IMPORTANT: Professional indemnity insurance and the Practice Medical Indemnity Policy available from Avant Mutual Group Limited ABN 58 123 154 898 (Avant Mutual) are issued by Avant Insurance Limited, ABN 82 003 707 471, AFSL 238 765 (Avant). Avant Cyber Insurance cover is available to eligible Avant Practice Medical Indemnity Policy holders up to the cessation of their policy and is provided under a Group Policy between Liberty Mutual Insurance Company ABN 61 086 083 605 (Liberty) and Avant. Private health insurance products are issued by The Doctors’ Health Fund Pty Limited, ABN 68 001 417 527, a member of the Avant Mutual Group. Avant arranges Avant Business Insurance as agent of the insurer Allianz Australia Insurance Limited ABN 15 000 122 850, AFSL 234 708 (Allianz) and may receive a commission on each policy arranged. Avant Travel Cover is available under a Group Policy between QBE Insurance (Australia) Limited, ABN 78 003 191 035, AFSL 239 545 (QBE) and Avant Mutual. Avant Travel Cover is underwritten by QBE and Avant may receive a benefit for arranging cover. Avant Finance is a registered business name of Avant Doctors’ Finance Pty Ltd (ACN 637 769 361) and licensed to Avant Doctors’ Finance Brokers Pty Ltd (ABN 75 640 406 784). Avant Doctors’ Finance Brokers Pty Ltd is a wholly owned subsidiary of Avant Doctors’ Finance Pty Ltd. Loan products may be provided by Avant Doctors’ Finance Pty Ltd or arranged by Avant Doctors’ Finance Brokers Pty Ltd. Credit services or assistance to which the National Credit Code applies are provided by Avant Doctors’ Finance Brokers Pty Ltd as authorised Credit Representative (Credit Representative Number 523242) for LMG Broker Services Pty Ltd ACN 632 405 504 Australian Credit Licence 517192. Legal services are provided by Avant Law Pty Ltd ABN 63 136 429 153 (Avant Law). Liability limited by a scheme approved under Professional Standards Legislation. Legal practitioners employed by Avant Law are members of the scheme.



The information provided on this website is general advice only and has been prepared without taking into account your objectives, financial situation and needs. You should consider these, having regard to the appropriateness of the advice before deciding to purchase or continue to hold these products. For full details including the terms, conditions, and exclusions that apply, please read and consider the relevant Product Disclosure Statement or policy wording and Target Market Determination (TMD) which are available on this website or by contacting us on 1800 128 268. Information on this site does not constitute legal or professional advice, and is current as at the date of initial publication.