Medical information is one of the most private and personal kinds of information for every individual. No one wants their medical information falling into the wrong hands. 

Therefore, it’s crucial that medical records are stored and even destroyed in a way that proactively protects the privacy of patients. 

Whether you’re running a telehealth business or a brick-and-mortar medical practice, it’s important to follow the relevant rules and regulations to make sure all your medical records are being dealt with in a legally compliant manner.    

Read on to learn more. 

What Are The Laws Around Medical Records In Australia?

The laws you are obligated to follow regarding medical records depend on the state or territory in which you operate. These laws dictate specific processes and rules for handling and destroying medical records.

  • Western Australia, Queensland, the Northern Territory, South Australia, and Tasmania: These states and territories must adhere to the Privacy Act 1988, which provides guidance on dealing with medical records.
  • New South Wales, Victoria, and the Australian Capital Territory: In addition to the Privacy Act, these regions have their own legislation that must be followed:
    • New South Wales: Health Records and Information Privacy Act 2002
    • Victoria: Health Records Act 2001
    • Australian Capital Territory: Health Records (Privacy and Access) Act 1997

Who Can Access Medical Records?

Only individuals directly involved in a patient’s medical care can access their medical records without the patient’s explicit permission. This includes doctors and other hospital staff providing care to the patient.

Additionally, individuals authorised or nominated by the patient can also access their medical records.

Privacy Act 1988 And Medical Records

As noted above, certain states and territories are subject to the regulations under the Privacy Act 1988, which governs how medical records must be handled.

The Privacy Act also outlines the limited circumstances under which health and personal information can be accessed for research purposes, even when the individual cannot provide consent. These circumstances typically involve situations where access to the information is necessary to protect public health or for purposes that extend beyond healthcare.

Is Your Business Handling Health Information?

If your business collects and handles any type of personal information, then the Privacy Act 1988 and the Australian Privacy Principles (APPs) apply to you. This means you’ll likely need to have an appropriate Privacy Policy in place to assure consumers that you’re handling their information responsibly. 

However, this generally applies to businesses with an annual turnover that exceeds $3 million. But if your business is handling medical information, the Privacy Act applies regardless of your turnover, which goes to show how sensitive medical information is under privacy laws. 

Do I Need A Privacy Policy? 

The Privacy Act and the APPs provide that any website that collects the private information of its users must have a Privacy Policy in place. For those collecting health information, the standard is even higher – you need to have the consent of your customers prior to collecting their information.

There are a number of reasons why you could be handling health information as part of your business. You may not even be a medical provider; however, your customers may be giving you their personal health information to buy certain products or sign up for courses. 

As they are sharing this information, you have a legal obligation to gain their permission and have a Health Service Provider Privacy Policy in place. 

A Privacy Policy lets consumers know what is being done with their personal information, including:

  • The kind of information being collected
  • How that information is stored
  • The purposes it is collected for
  • How the information is used
  • For how long the information is kept
  • What consumers can do if they want to obtain their information 

Transferring Medical Records To A New Doctor In Australia

In some circumstances, you may need to find a new doctor. If you’ve moved to a different part of Australia, your current doctor has retired or you simply want a change, you can see a different doctor and have your current medical records transferred to them. 

You will need to provide a written request to have this done. If there are costs associated with transferring the records, the medical practice may charge you for it. 

I Manage Medical Records Online – What Do I Need To Know?

Managing medical records online has become one of the primary choices and most effective ways of recording health information. There’s no more having to deal with manual locks, pages of files, bad handwriting, storage issues and potentially misplacing a file. When it’s all in one secured network, it’s a much more functional system. 

However, having information online exposes it to different kinds of risks and challenges, primarily involving cyber security. 

If you’re managing medical health records with an online platform, then you will still need to comply with the relevant legislation and take reasonable steps to ensure the information is protected. In NSW, the My Health Records Act 2012 applies. If you’re not in NSW, it’s best to check the relevant legislation for your state. 

As a safety measure, you may also wish to have a Cyber Security Policy in place. Our team of lawyers can help you craft a strong cyber security system through advice and the correct documentation – chat to us today. 

I’m A Telehealth Business – What Are My Obligations Around Medical Records?

A telehealth business is still subject to the same regulations regarding keeping private medical information secured. The information will most likely be stored online, so it’s important to make sure you’ve done everything in your power to keep it free from potential security breaches. 

Be sure to gain the consent of your patients first and have the correct online policies in place, such as Privacy Policies, Cookie Policies and Cyber Security Policies. 

You may also wish to have certain disclaimers on your website (or mobile app, if your business has one). 

Online Pharmacies And Medical Records

Online pharmacies may also keep medical records. The same concept applies to online pharmacies as it does to all medical health service providers. 

You will require the explicit permission of your customers to collect their information, have a Privacy Policy in place and a secure way of storing their information. 

For extra security measures, you can always look into getting a Data Breach Response Plan in case something goes wrong. This just means your business will have a clear process for staff to follow if there is a data breach, and how to inform affected individuals. 

Can Customers Opt Out Of Electronic Medical Records?

It’s not unknown for people to want to cease using electronic medical records. In fact, many Australians decided to opt out of the My Health Record system when they were presented with the opportunity. 

Some people may be hesitant when it comes to having their medical records stored on an online database, due to the level of risk involved. As a business, you might want to provide them with an alternative option.    

How Do Blockchain Medical Records Work?

Blockchain medical records are another way to store medical information online. It’s generally considered a relatively safe practice. However, even with blockchain medical records, it’s important to ensure the patient’s privacy is being protected in the best way possible. 

Blockchain is a system that allows everyone with access to view the same records. However, the information is encrypted and kept secure by the way the system is programmed. 

Amending Medical Records

At times, patients may come to you with a request to amend information on their medical records. This request is fine; however, it is your duty to ensure the information on those records is correct, up to date and not misleading in any way. 

Therefore, whether or not the information should be changed will be your call. For example, if a patient demands that part of their medical history be erased permanently, this cannot be granted (this is similar to the right to be forgotten which exists in the EU, but it’s worth noting that this right doesn’t exist in Australia). 

On the other hand, if the medical records have put down an incorrect date of birth for a patient, that should be corrected immediately. 

Can Any Doctor Access Medical Records?

No. Doctors are able to access the medical records of their own patients, but in most cases it would be deemed unethical for them to look through the medical records of a patient who is not their own. 

If they don’t have a valid reason or the permission of the patient, it is unlikely that just any doctor can access whatever medical records they want. 

Running A Medical Practice In Australia? Make Sure You’re Doing It Right

Medical records are just one aspect of running a medical practice. There’s so much more that goes into it such as staff contracts, medical equipment and even intellectual property. 

There’s no need to stress though! We’ve put together a Legal Guide to Running a Medical Practice in Australia, so you know which documents and laws you need to be aware of before you hit the ground running. 

Key Takeaways

Dealing with medical records the right way is an extremely important part of running a healthcare business or medical practice. To summarise what we’ve discussed: 

  • The laws around medical records vary per state 
  • Doctors and other healthcare workers can access medical records, as well as those with permission 
  • If your health practice is online, it’s important to look into a Healthcare Provider Privacy Policy 
  • Online medical records should be stored as securely as possible. This applies to all medical businesses that are online, such as pharmacies and telehealth providers 
  • Customers should be given the option to opt out of electronic record keeping
  • Blockchain medical records are another way of storing them online 
  • Medical records can be amended only in certain circumstances, i.e. where the information is false 

If you would like a consultation on who can access medical records, you can reach us at 1800 730 617 or team@sprintlaw.com.au for a free, no-obligations chat.

About Sprintlaw

Sprintlaw's expert lawyers make legal services affordable and accessible for business owners. We're Australia's fastest growing law firm and operate entirely online.
