This section provides information about what rights you have to access your health or medical records, what limits there are on these rights, how to exercise your rights and other related issues.
There are sections on:
Generally, you need give consent, or agree, to have your health information collected. In NSW, there is a requirement that health information should only be collected from the person it relates to, unless this is not practical or not reasonable.
Your consent does not have to be in writing. It can be implied. For example, if you attend a health service and provide your medical history to a doctor, it can be assumed that you consented to providing that health information.
If you expressly refuse consent or cannot consent because of an impairment or lack of capacity, the health service provider needs to rely on another part of privacy law to explain why they are collecting health information. For example, health services can collect your health if there is a serious threat to life or health and you are not able to consent.
Health services should generally only collect information that is necessary for their lawful functions.
You have a right to access your health records held by a health care professional, such as a doctor or dentist, or held by a health care provider, such as a hospital, clinic or community health service.
In NSW, the right people have to access their health records comes from several sources. There are both Commonwealth and NSW Acts of Parliament about information privacy giving you access to records held by both private and public health care providers . In NSW, you can also access medical and hospital records held by NSW Government bodies such as public hospitals and community health centres using Government Information(Public Access Act 2009) law (formerly Freedom of information (FOI) law.
Usually the actual record, that is, the paper, the folder, the CD, etc, is kept by the health care professional or health care provider who made or who holds the record.
Getting access to your health record usually means the person or body holding the record gives you a copy. If you get access to your records this way, you may have to pay for the costs of making and sending you the copy.
Right of access can also mean that you are allowed to look at the original record at the office of the holder of the record. Sometimes, with private doctors, you may be only given a summary of the records.
There are exceptions to the right of access, click here to find out about the exceptions.
For more about making an Information Access application for access to your health records held by public health care providers, click here.
For more about accessing your health records using privacy law, click here.
The Government Information (Public Access) Act 2009 (‘GIPA Act’) aims to create a proactive, more open approach to gaining access to government information in NSW. The Act aims to maintain and advance a system of responsible and representative democratic government that is open, accountable, fair and effective.
The GIPA Act:
NSW public hospitals will ask you to make a GIPA Access application if you want a copy of your health records. You could also ask for access under NSW privacy laws, but NSW Health (the Government Department) has a system of access based on the GIPA Act. If you want the health records of someone else (including someone who has passed away) then you usually need to make a GIPA Access application.
Every public hospital has a records department that deals with GIPA Access applications. They have a set fee for applications, with a discount rate for Health Care Card holders.
Not only do you have a right to access your records, but it is considered ‘best practice’ for all those providing a health care service to be open about what is recorded, and in the patient’s medical record.
If you think or have been told that a private health care provider is reluctant to give you a copy of your records, it is probably best to put your request in writing, stating very clearly the particular records you want to access, and how you want to access the records, i.e. that you want to photocopy them, or just view them, etc. If the health care provider refuses to give you access, you should also ask for the reasons for this refusal in writing.
There are certain situations where the law allows access to records to be refused. These are exceptions to the right of access. Click here to find out about the exceptions.
You have a right to access records about you made by both public and private health care providers under privacy laws. In relation to private health care providers, you can only ask for records about you that were made after 2001 (when the Privacy Act 1988 (Cth) was amended to include some private sector agencies).
If you want to access your medical record using privacy law, you should start by asking the health care provider to show or give you a copy. It is best if you put your request in writing, including your name, address and enough information so the health care provider understands what information you are seeking access to. Under the Health Records and Information Privacy Act 2002 (NSW), the health care provider must respond within 45 days.
In NSW, an ‘authorised representative’ can access your health records if you cannot do it because you do not have capacity because of physical or mental impairment. This person could include an attorney under an enduring power of attorney, or a guardian under the Guardianship Act 1987 (NSW).
If the health care provider refuses or you are not happy with the amount of information you are given, or believe that the record is incorrect in some way, you should speak to the health care provider to try to sort this out. If that does not resolve your concerns, you may be able to make a privacy complaint. To find out more, click here.
In limited circumstances, the body holding the records can refuse to give you access; these are called ‘exceptions to the right of access’. Click here to find out about these exceptions.
If you are changing health care providers (within the same part of the health care profession, eg, moving from one GP to another), they will usually, with your written consent, pass a copy of your records to your new health care provider. They can ask you for a ‘reasonable’ fee to do this (called an ‘administrative fee’). Some health care providers have a set fee, so it doesn’t matter how many pages are in the records. A set fee is permitted so long as the fee is not excessive. If you can’t afford the fee suggested, you could try to negotiate with the health care provider, setting out why you can’t afford the fee. Alternatively, if the fee is large because of the amount of documents involved, you should talk to your new health care provider about what records are absolutely necessary for your ongoing health care and limit your request for transfer to those records.
Privacy laws require holders of your health information to take reasonable steps to protect personal information from misuse, loss, unauthorised access, modification or disclosure of that information.
Health care providers must keep copies of medical records for seven years (longer for children).
Seven years after the last consultation you had with a health care provider, that provider can destroy the records made about your treatment and care.
Many hospitals and even some private doctors keep copies of their records much longer than seven years. The rule for health privacy and access to information is that if the health care provider has a record, you are entitled to access a copy of that record if it is about you. The exception is that you have no right of access under the Privacy Act 1988 (Cth) to health records made before 2001 by private health service providers. For information about other exceptions, click here.
Both the privacy and access to information laws have exceptions to the right of access. This means there are circumstances where the holder of the information can refuse to give you access to all or parts of your records. These circumstances are known as exemptions.
If you are using access to information law to ask for access health records and the holder of the record thinks you may be seriously affected by accessing information about your physical or mental health, then they can regard the document as exempt from access and refuse access. Under NSW information access law guidelines, you can ask that your medical doctor be given access to the information so that he or she can tell you about it in the most appropriate way.
The most common exception in the privacy principles is that access can be refused if letting a person see their records would pose a serious threat to the person’s life or health, or the life or health of someone else (such as a relative, a health care provider, staff or other patients).
Under the Commonwealth privacy principles the threat must be significant. An example would be where there is a serious risk that the person may harm himself or herself or another person if they saw the information.
The threat can be to physical or mental health and wellbeing, but this doesn’t mean it needs to be imminent; it can also be a serious threat that might occur some-time after access is granted.
Because of this exception, access to records held by psychiatrists or psychiatric hospitals is sometimes denied.
If you want access to your records in this situation, you could ask for a copy of the records to be supplied to another person, usually another health care professional. This other person can then talk to you about what is in the records. If this is refused, you can ask for a review or appeal.
For more about asking for a review or appeal, click here.
You can ask for a review of any decision to refuse you access to your health records.
To find out what you can do if your GIPA Access application for access to your records is refused, click here.
To find out what you can do if your application for access to your records under privacy law is refused, click here.
Under Government Information (Public Access) Act 2009 in NSW, if you are not happy with a decision to refuse you access to your records or about the amount of access you are given, you can first ask for an internal review of the decision. You should make your written request for a review, preferably with reasons, to the place where you made the original GIPA Access request.
Each NSW Health service has a Right to Information Coordinator who can answer questions about GIPA Access requests, including internal review processes. You will be able to find the Right to Information Coordinator for the health service that holds the records you want by following this link.
To understand your review rights under Government Information (Public Access) Act 2009 (GIPA Act) click here.
If you are not happy with the outcome of the internal review, you can apply to have that decision reviewed by the NSW Civil and Administrative Tribunal.
If a private health care provider refuses to give you access to your medical records you can complain to either the Commonwealth Privacy Commissioner or the NSW Privacy Commissioner. If you do not get what you want through the NSW Privacy Commissioner, you can take your request to the NSW Civil and Administrative Tribunal. This process only applies to requests under NSW privacy law.
Often, the staff of the Privacy Commissioners (Commonwealth and NSW) can help you get what you want by talking to the doctor or health care provider. However, if this does not work, it can take some time before the NSW Civil and Administrative Tribunal can deal with your request. If you want or need access to your health information urgently, you may have to negotiate and compromise. Sometimes doctors will agree to provide your records to another doctor who can discuss them with you. If you are simply changing doctors and want your records to give to your new doctor, sometimes your previous doctor will be more willing to send a copy directly to the new GP, rather than give you a copy. Also, more than one doctor or health care provider may have a copy of the same documents that you urgently want.
The Office of the Privacy Commissioner (Commonwealth) in particular, has lots of information available on the Internet about health information privacy, as well as how to make a complaint. Click here to go to its website. The Office of the Privacy Commissioner (Commonwealth) can be contacted by phone on 1300 363 992.
The NSW Information and Privacy Commission can be contacted on 1800 472 679. Click here to go to the NSW Information and Privacy Commission’s website.
If you have accessed a copy of your medical records and have noticed something in the records that you think is wrong, not complete or out of date, you have a right to have the mistakes corrected. This right is found in both privacy law and Government Information (Public Access) Act 2009 (NSW) and Freedom of Information 1982 (Cth).
This does not mean that the mistake can be crossed out and the correct information put in to replace it. The rules are very strict about changing medical records after they are made. Certainly, if the holder of the records agrees with you about the mistake, then the record should very clearly note the correct information so that anyone reading the information will not be misled.
However, it is possible that the holder of the information will not agree with you that their record is inaccurate.
If you disagree with someone’s opinion that has been included in your medical records, then it is not likely that there will simply be a change to the record. A diagnosis is an opinion, including a diagnosis of a mental illness or mental disorder. If you disagree with a doctor’s diagnosis of your physical or mental health, then this is seen as a disagreement about opinion, not fact.
The part of your record you may wish to change is likely to be prepared by health care professionals. In particular, medico-legal reports prepared for tribunals and courts and sometimes for private bodies like insurance companies, are opinion. They contain conclusions drawn by the health care professional who wrote the report based on the facts presented to that professional.
If there is disagreement about whether information or an opinion written in your medical record is correct, you may still ask to have a note included in your medical record showing that you think the information is not accurate, complete or up to date and why you think that. If you write to the body that has your medical record setting out what you believe is an error, you should specifically ask that a copy of your letter is placed next to the documents in your records that you say contain the error (most hospitals keep at least two sets of files, a clinical file that records your treatment and an administrative file that deals with your complaints, etc). If you have another health care professional’s report that disagrees with, for example, the diagnosis in your medical record, you can ask for a copy of that report to be placed next to the other report in the clinical file.
If you are not satisfied with how a health care provider has dealt with your request to correct records, you can complain to the NSW Information and Privacy Commission and/or the Commonwealth Privacy Commissioner, and, if your complaint is about a NSW authority, you can also make a complaint under Government Information (Public Access) law.
If you want to correct your health record you are strongly advised to put your request in writing. Given current practice, if the holder of the record disagrees with you about the accuracy of the record, unless you put your complaint about the accuracy of the record in writing or you complain as set out above, there is no guarantee that the staff of the health care provider, either private or public, will either record or do anything about a verbal complaint of this nature.
For information about where to get help with a complaint about correction to your records, click here.
A personally controlled electronic health record, or ‘eHealth record’, is secure on-line electronic record of all your personal health information. You control what information is included in it, and who is allowed to access it. It may include information about your medical history, such as immunisations, allergies, test results, prescribed medication, hospital assessments discharge summaries, referrals to specialists and specialists’ letters.
Your eHealth record allows you and your doctors, hospital and other healthcare providers to view and share your health information so that they are able to provide you with timely, safe and effective care. For example, eHealth will allow your GP to access information about the consultation you had at the after-hours medical centre, about tests and assessments, your consultations with a specialist, information about the treatment you received in hospital and the prescriptions that were dispensed at the pharmacy. At home, you can also choose to access your eHealth record to see a summary of your health information which now includes information about your recent healthcare event.
eHealth records are not compulsory. Every Australian was offered a My Health Record unless they choose not to have one during the three-month opt out period which ran from 16 July to 31 January 2019. You can cancel your My Health Record at any time after the end of the opt out period – or create one, if you opted out.
Privacy protection and appropriate security are critical aspects to eHealth. Policy, governance and legislative safeguards are in place to facilitate access by the right people and prevent inappropriate access and use of healthcare information.
A booklet is available to help you understand the eHealth record registration process. This document explains the terms used, your eHealth privacy safeguards, details about how your information is handled, and where and how you can apply for an eHealth record.
Updated October 31, 2019