Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you run a hospital, medical centre, GP clinic, allied health practice, or any health service that creates and stores clinical notes, one question comes up again and again: how long do hospitals keep patient records in Australia?
It’s a fair question. Patient records aren’t “just paperwork” - they’re sensitive health information, they can be critical in a complaint or claim years later, and they’re often required for clinical continuity of care.
At the same time, keeping records forever creates real risks and costs. The longer you store records, the more you expose your business to data breach risk, storage overheads, and messy “who has access to what” problems.
Below, we’ll walk you through typical retention periods (and why they differ across Australia), what “patient records” really includes, what to do for children’s records and other special cases, and how to set up a practical retention system that fits a busy practice.
Note: This article provides general information only and does not constitute legal advice. Record retention obligations can vary depending on your state or territory, whether you’re a public or private provider, the type of record, and your specific circumstances. If you need advice for your practice, consider getting tailored legal guidance.
Why Medical Record Retention Matters For Your Practice
Record retention is one of those compliance tasks that’s easy to push down the list - right up until you need a record urgently.
From a small business perspective, retaining patient records for the correct amount of time matters because it helps you:
- Provide ongoing care (your future clinical decisions may depend on past notes, results, referrals and correspondence).
- Respond to complaints (patients may raise concerns months or years later, and your records are often the best evidence of what happened).
- Manage legal and insurance risk (civil claims can be brought after the event, and insurers may expect you to have a clear retention approach).
- Comply with privacy and health records laws (including storage security, access, and proper disposal).
- Protect your reputation (poor record keeping can undermine trust, even where clinical care was appropriate).
It’s also important to remember: retention is not just “how long you keep it”. It also includes how you store it, who can access it, and how you destroy it when it’s time.
If you’re collecting health information through forms or portals, it’s also worth aligning your patient-facing communications with your Privacy Policy so your patients understand what you collect, why you collect it, and how you handle it.
What Counts As A “Patient Record” (And Who Needs To Keep It)?
Before we talk about timeframes, it helps to be clear about scope. “Patient record” (or “medical record”) is broader than many practice owners expect.
Common Examples Of Patient Records
Depending on your service, patient records can include:
- clinical notes (including progress notes and consultation notes)
- medical histories, diagnoses and treatment plans
- prescriptions and medication records
- test results, imaging, pathology and specialist reports
- referrals, discharge summaries and correspondence
- consent forms and capacity assessments
- appointment records and attendance notes
- telehealth notes and messages relating to clinical care
- incident reports connected to patient care
Even if you’re not a GP clinic, many allied health and wellness businesses still create “health information” records - for example, physiotherapy, psychology, occupational therapy, dental, cosmetic medical clinics, and some NDIS providers.
Hospitals vs Doctors vs Medical Practices
The retention question often gets framed as “how long do hospitals keep patient records in Australia”, but the same core issue applies across the board:
- Public hospitals often have additional obligations as government entities, including public records and state archive rules.
- Private hospitals and private medical practices are usually dealing with health records laws, privacy rules, professional standards, and (sometimes) contractual requirements from insurers or accreditation bodies.
- Individual doctors (or corporate medical service entities that employ/engage them) generally need systems that ensure retention continues even if a practitioner leaves.
In other words, the “right” retention period is rarely just a single number. It depends on your state/territory, the age of the patient, and the type of record.
So, How Long Do Hospitals Keep Patient Records In Australia?
Here’s the practical reality: medical record retention rules in Australia are not fully uniform. Retention is usually governed by a mix of:
- state/territory health records legislation and policies
- professional obligations and clinical practice standards
- limitation periods for legal claims (which can differ depending on the claim)
- public records / state archives requirements (especially for public hospitals)
That said, there are common “baseline” approaches that many health services use as a starting point - but you should treat these as general guidance and then confirm what applies to your setting and location.
A Common Baseline: Often 7 Years For Adults (But Check Your State/Territory And Setting)
For adult patients, many clinics and private providers adopt a baseline of keeping records for at least 7 years from the last date of service (or last entry in the record).
This is often used as a starting point because:
- it aligns with common limitation period thinking (even though claims can be more complex than a simple 7-year window)
- it’s consistent with many industry and regulatory expectations
- it is practical for storage and risk management
However, this is not a one-size-fits-all rule. Some jurisdictions and settings use longer periods (including 10 years in some contexts), and public hospitals can have longer retention schedules due to archives requirements.
Children’s Records Usually Need To Be Kept Longer
When it comes to patients who were minors at the time of treatment, retention almost always extends well beyond the adult baseline.
A commonly applied approach is to keep records until the patient turns 25 years old (or for a minimum period after they reach adulthood, depending on your jurisdiction and applicable rules).
This is because a child generally can’t commence legal action in the same way as an adult, and some limitation periods effectively “start running” later.
What About “How Long Do Doctors Keep Medical Records” If They Move Or Retire?
From a business point of view, this is a big operational risk.
If a practitioner leaves your clinic, or if a practice closes or changes ownership, your obligations around retention don’t simply disappear. You’ll typically need a plan for:
- ongoing storage and access (including patient access requests)
- secure handling and confidentiality controls
- handover arrangements if another entity becomes the custodian
- how you will respond to subpoenas, insurer requests, or regulator enquiries
Where you’re collecting consents or permissions (for example, to release records to another provider), it helps to have clear paperwork in place such as a medical release consent form, tailored to the way your clinic operates.
State And Territory Differences (Why You Can’t Rely On A Single Number)
If you’re searching “how long are medical records kept” or “how long do medical records need to be kept”, you’ll see lots of definitive answers online - but many miss the nuance that your state or territory matters.
Retention requirements and guidance can differ based on:
- where the service is delivered (and which local laws/policies apply)
- whether you are a public hospital, private hospital, or private practice
- the type of service (e.g. mental health records may have additional considerations)
- the patient’s age
As a practical step, many health businesses adopt a baseline policy (e.g. 7 years for adults and until age 25 for minors), then apply longer retention where required by local rules, contracts, archive schedules, or risk factors.
If you operate across multiple states (for example, a multi-site practice or telehealth service), you should consider a “highest standard” approach or a jurisdiction-by-jurisdiction retention schedule - and make sure your team actually follows it.
Special Situations: When You May Need To Keep Records Longer (Or Handle Them Differently)
Even where you have a general retention policy, some categories of records and situations need extra attention.
Medico-Legal Risk And Long-Tail Claims
Some disputes and claims can arise long after treatment, particularly where an injury or issue becomes apparent later. This is one reason many clinics choose retention periods that are conservative rather than minimal.
While your insurer may not dictate your exact retention period, your insurance and risk advisers may expect your record keeping to be strong and consistent - especially for high-risk services.
Records Relating To Complaints, Incidents Or Investigations
If a complaint has been made (internally, to a regulator, or to an insurer), it’s often sensible to “lock” the record and preserve it, even if it is approaching the end of your normal retention period.
In practice, many businesses keep complaint-related materials until the matter is fully resolved and for a further period after resolution.
Electronic Records, Backups And Cloud Systems
Most practices now use practice management software and cloud storage. This can make retention easier - but it can also create blind spots.
Common issues we see include:
- no clear separation between “active” records and archived records
- staff access not being limited by role (for example, too many team members can access clinical notes)
- records remaining in legacy systems after software changes
- backups being kept indefinitely without a documented retention plan
This is where a documented security approach becomes important. An information security policy can help you define access rules, storage standards, and what happens when staff leave.
Patient Access Requests (You Need A Process, Not Just Storage)
Retention is closely tied to access. If a patient requests a copy of their records, you need to be able to locate and provide them within a reasonable timeframe, consistent with privacy and health records requirements.
For many practices, it helps to standardise this workflow using an access request form so your team can verify identity, clarify what’s being requested, and record what was provided and when.
How To Set Up A Practical Retention System In A Hospital Or Medical Practice
A retention rule isn’t helpful if it’s sitting in a policy folder nobody reads. The goal is a system your team can actually follow.
Here are the core building blocks we usually recommend for small to mid-sized health businesses.
1. Create A Written Retention Schedule (And Make It Easy To Follow)
Start by documenting:
- your baseline retention periods (adults vs minors)
- any longer retention periods you apply for certain records or services
- how you calculate the start date (e.g. last date of service)
- who is responsible for archiving and destruction decisions
If you’re a larger practice or hospital department, it can be helpful to separate retention schedules by record type (e.g. clinical notes, imaging, consent forms, correspondence).
2. Build Retention Into Your Day-To-Day Systems
Retention works best when it’s “built in” to the platforms and workflows your team already uses.
For example:
- use consistent naming conventions for scanned documents
- set user permissions by role (not by convenience)
- ensure practitioners know where to record clinical notes (and where not to)
- avoid storing patient information in personal email inboxes or unapproved apps
If your staff handle patient data as part of their role, your employment documentation should support this too. An Employment Contract and internal policies can help set clear expectations around confidentiality, systems use, and what happens when employment ends.
3. Have A Secure Destruction Process (And Keep A Destruction Log)
When you reach the end of your retention period, you generally shouldn’t just “delete and forget”. You need to destroy records securely and keep a log that shows:
- what was destroyed (record identifiers, not the clinical content)
- the date of destruction
- the method of destruction (secure shredding, secure deletion, etc.)
- who authorised and carried out the destruction
This is particularly important for health information because improper disposal can create privacy breaches.
4. Plan For Data Breaches And Near Misses
Even with strong systems, breaches happen - an email sent to the wrong recipient, a lost device, a compromised account, or an exposed cloud folder.
Because health information is sensitive, it’s a good idea to have a written response plan so your team isn’t making it up under pressure. A data breach response plan can set out your containment steps, investigation workflow, decision-making, and patient/regulator communication approach.
Depending on your obligations, you may also need a data breach notification process ready to go.
5. Manage “Practice Changes”: Closing, Selling Or Restructuring
Retention issues often become urgent during change events, such as:
- selling a practice
- merging clinics
- changing practice management software
- closing a location
- practitioner departures (especially principal practitioners)
If you’re heading into one of these transitions, it’s worth reviewing:
- who is the legal custodian of records after the change
- how patient consent will be managed (where required)
- how access requests will be handled in the future
- what happens to archived records and backups
These transitions are also where clear documentation, good governance, and tailored legal advice can save you a lot of time (and prevent mistakes that can become expensive later).
Key Takeaways
- When people ask “how long do hospitals keep patient records in Australia”, the answer depends on your state/territory, your setting (public vs private), the patient’s age, the type of record, and (for public providers) applicable archive/records schedules.
- Many practices use a baseline of at least 7 years from last entry for adult records, but you should confirm the rules that apply to your jurisdiction and setting (and keep records longer where required).
- Minors’ records are usually kept significantly longer than adult records (commonly to around age 25, depending on applicable rules).
- Retention isn’t just about timeframes - it also includes secure storage, controlled access, and secure destruction with proper logging.
- If you use cloud systems or electronic records, make sure you manage permissions, backups, and software changes so you don’t accidentally keep records forever (or lose them too early).
- Having the right privacy documentation and processes (including access requests, consents, and breach response) helps you handle health information responsibly and consistently.