Medical information is one of the most private and personal kinds of information for every individual. No one wants their medical information falling into the wrong hands. 

Therefore, it’s crucial that medical records are stored and even destroyed in a way that proactively protects the privacy of patients. 

Whether you’re running a telehealth business or a brick-and-mortar medical practice, it’s important to follow the relevant rules and regulations to make sure all your medical records are being dealt with in a legally compliant manner.    

Read on to learn more. 

What Are The Laws Around Medical Records?

The laws you are obligated to follow regarding medical records depends on the state you operate in. Like we mentioned above, this means you need to follow certain processes and rules when it comes to how you handle and destroy medical records. 

Western Australia, Queensland, the Northern Territory, South Australia and Tasmania will need to look to the Privacy Act 1988 for guidance on dealing with medical records. 

In addition to this Act, New South Wales, Victoria and the Australian Capital Territory have to be familiar with their states’ respective legislation. They are as follows: 

Who Can Access Medical Records In Australia?

The only people that can access a patient’s medical records are those that are providing medical care to them. Doctors or any other hospital staff that are involved in the care of a patient can access their medical records without obtaining explicit permission from them. 

The only other people who are able to access a patient’s medical records are those that have been authorised or nominated by the patient to do so. 

Privacy Act 1988 And Medical Records

As we touched on above, some states will be subject to the regulations under the Privacy Act in order to determine what they need to do with medical records. 

The Privacy Act also covers the limited circumstances in which health and personal information can be accessed for research purposes where the consenting individual is unable to provide their approval. 

These circumstances involve scenarios where accessing the information is needed for protecting public health or unexpected uses that go beyond healthcare.  

Is Your Business Handling Health Information?

If your business collects and handles any type of personal information, then the Privacy Act 1988 and the Australian Privacy Principles (APPs) apply to you. This means you’lll likely need to have an appropriate Privacy Policy in place to assure consumers that you’re handling their information responsibly. 

However, this generally applies to businesses with an annual turnover that exceeds $3 million. But if your business is handling medical information, the Privacy Act applies regardless of your turnover, which goes to show how sensitive medical information is under privacy laws. 

Do I Need A Privacy Policy? 

The Privacy Act and the APPs provide that any website that collects the private information of their users must have a Privacy Policy in place. For those collecting health information, the standard is even higher – you need to have the consent of your customers prior to getting their information.

There are a number of reasons why you could be handling health information as part of your business. You may not even be a medical provider, however, your customers may be giving their personal health information to buy certain products or sign up for courses. 

As they are sharing this information, you have a legal obligation to gain their permission and have a Health Service Provider Privacy Policy in place. 

A Privacy Policy lets consumers know what information is being done with their personal information, including:

  • The kind of information being collected
  • How that information is stored
  • The purposes it is collected for
  • How the information is used
  • For how long the information is kept
  • What consumers can do if they want to obtain their information 

Transferring Medical Records To A New Doctor In Australia

In some circumstances, you may need to find a new doctor. If you’ve moved to a different part of Australia, your current doctor has retired or you simply want a change, you can see a different doctor and have your current medical records transferred to them. 

You will need to provide a written request to have this done. If there are costs associated with transferring the records, the medical practice may charge you for it. 

I Manage Medical Records Online – What Do I Need To Know?

Managing medical records online has become one of the primary choices and most effective ways of recording health information. There’s no more having to deal with manual locks, pages of files, bad handwriting, storage issues and potentially misplacing a file. When it’s all in one secured network, it’s a much more functional system. 

However, having information online exposes it to different kinds of risks and challenges, primarily involving cyber security

If you’re managing medical health records with an online platform, such as My Health Records and HealtheNet, then you will still need to comply with the relevant legislation and take reasonable steps to ensure the information is protected. In NSW, the My Health Records Act 2012 applies. If you’re not in NSW, it’s best to check the relevant legislation for your state. 

As a safety measure, you may also wish to have a Cyber Security Policy in place. Our team of lawyers can help you craft a strong cyber security system through advice and the correct documentation – chat to us today. 

I’m A Telehealth Business – What Are My Obligations Around Medical Records?

A telehealth business is still subject to the same regulations regarding keeping private medical information secured. The information will most likely be stored online, so it’s important to make sure you’ve done everything in your power to keep it free from potential security breaches. 

Be sure to gain the consent of your patients first and have the correct online policies in place, such as Privacy Policies, Cookie Policies and Cyber Security Policies. 

You may also wish to have certain disclaimers on your website (or mobile app, if your business has one). 

Online Pharmacies And Medical Records

Online pharmacies may also keep medical records. The same concept applies to online pharmacies as it does to all medical health service providers. 

You will require the explicit permission of your customers to collect their information, have a Privacy Policy in place and a secure way of storing their information. 

For extra security measures, you can always look into getting a Data Breach Response Plan in case something goes wrong. This just means your business will have a clear process for staff to follow if there is a data breach, and how to inform affected individuals. 

Can Customers Opt Out Of Electronic Medical Records?

It’s not unknown for people to want to cease using electronic medical records. In fact, many Australians decided to opt out of the My Health Record system when they were presented with the opportunity. 

Some people may be hesitant when it comes to having their medical records stored on an online database, due to the level of risk involved. As a business, you might want to provide them with an alternative option.    

How Do Blockchain Medical Records Work?

Blockchain medical records are another way to store medical information online. It’s generally considered a relatively safe practice. However, even with block chain medical records, it’s important to ensure the patient’s privacy is being protected in the best way possible. 

Blockchain is a system that allows everyone with access to view the same records.  However, the information is encrypted and secure through programming. 

Amending Medical Records

At times, patients may come to you with a request to amend information on their medical records. This request is fine, however, it is your duty to ensure the information on those records are correct, up to date and not misleading in any way. 

Therefore, whether or not the information should be changed will be your call. For example, if a patient demands that part of their medical history be erased permanently, this cannot be granted (this is similar to the right to be forgotten which exists in the EU, but it’s worth noting that this right doesn’t exist in Australia). . 

On the other hand, if the medical records have put down an incorrect date of birth for a patient, that should be corrected immediately. 

Can Any Doctor Access Medical Records?

No, doctors are able to access the medical records of their patients but in most cases, it would be deemed unethical for them to look through the medical records of a patient that is not their own. 

If they don’t have a valid reason or the permission of the patient, it is unlikely that just any doctor can access whatever medical records they want. 

Running A Medical Practice In Australia? Make Sure You’re Doing It Right

Medical records are just one aspect of running a medical practice. There’s so much more that goes into it such as staff contracts, medical equipment and even intellectual property. 

There’s no need to stress though! We’ve put together a Legal Guide to Running a Medical Practice in Australia, so you know which documents and laws you need to be aware of before you hit the ground running. 

Key Takeaways

Dealing with medical records the right way is an extremely important part of running a healthcare business or medical practice. To summarise what we’ve discussed: 

  • The laws around medical records vary per state 
  • Doctors and other healthcare workers can access medical records as well as those with permission 
  • If your health  practice is online, it’s important to look into a Healthcare Provider Privacy Policy 
  • Online medical records should be stored as securely as possible. This applies to all medical businesses that are online, such as pharmacies and telehealth providers 
  • Customers should be given the option to opt out of electronic record keeping
  • Blockchain medical records are another way of storing them online 

Medical records can be amended only in certain circumstances i.e false information 

If you would like a consultation on who can access medical records, you can reach us at 1800 730 617 or team@sprintlaw.com.au for a free, no-obligations chat.

Sapna Goundan
Sapna has completed a Bachelor of Arts/Laws. Since graduating, she's worked primarily in the field of legal research and writing, and she now writes for Sprintlaw.
About Sprintlaw

Sprintlaw's expert lawyers make legal services affordable and accessible for business owners. We're Australia's fastest growing law firm and operate entirely online.

5.0
(based on Google Reviews)
Running a healthcare business?

Get expert legal advice, quick and online.

  • This field is for validation purposes and should be left unchanged.

Related Services

Access Request Form

Meet your obligations under Australian Privacy Law
Learn More

Medical Release Consent Form

Get a consultation for a Medical Release Consent Form.
Learn More

Deed of Access & Indemnity

Get your Deed of Access & Indemnity.
Learn More
Related Articles
Is It Legal To Have Workplace Cameras And Surveillance?
Posted 17th October, 2023
Is ChatGPT Copyright Free?
Posted 5th May, 2023
Get A Cross-Border Data Processing Agreement
Posted 16th March, 2023
Business Call Recording Laws In Australia
Posted 7th March, 2023
A Guide To The Privacy And Data Protection Act 2014 (Vic)
Posted 9th December, 2022
Australian Law Data Breaches: What You Need To Know
Posted 18th November, 2022