Is It Illegal to Delete Medical Records? Risks for Australian Healthcare Businesses

by Alex Solo | 10 min read

If you run a healthcare business in Australia, you’re probably holding more sensitive information than businesses in most other industries. Patient files, clinical notes, referral letters, diagnostic reports, billing records, consent forms, and correspondence can quickly add up - especially if you’re a growing practice.

At some point, most healthcare owners ask the same question: is it illegal to delete medical records?

The practical answer is: it can be. Deleting (or even “tidying up”) medical records too early, or without the right process, can create serious legal, regulatory, and reputational risks. Even when deletion is allowed, how you delete matters just as much as when you delete.

Below, we’ll walk you through how record retention works in Australia, the key legal risks, and the compliance steps that help you manage medical records confidently as a small business. (This article is general information only - record-keeping rules can vary by profession, setting, funding arrangements and state/territory, so get advice for your specific clinic.)

Is It Illegal To Delete Medical Records In Australia?

Deleting medical records is not automatically illegal in Australia. The legality depends on:

  • what type of record it is (clinical notes vs billing records vs consent forms)
  • which laws apply to your business (Commonwealth privacy law, state/territory health information rules, professional obligations, and sometimes contract obligations)
  • how long you have kept the record (retention period rules)
  • whether deletion could be seen as improper (for example, deleting when a complaint, claim, investigation, or audit is on foot)
  • how you delete it (secure destruction vs casual deletion)

From a risk perspective, the biggest legal problems usually arise when a business:

  • destroys records before the minimum retention period
  • deletes selectively (for example, removing “bad notes” but keeping other parts of the file)
  • can’t produce records requested by a patient or regulator
  • deletes records after receiving notice of a likely dispute, complaint, coronial matter, insurer request, or regulator inquiry

Even if you believe you’re just decluttering, deletion can look very different when viewed by a regulator, professional board, court, or insurer.

Which Laws And Rules Affect Medical Record Deletion?

Healthcare record retention and deletion in Australia is a “layered” compliance area. You’re rarely dealing with only one rule.

Depending on your services and where you operate, your obligations may come from the following sources.

Privacy Law (Including The Privacy Act And APPs)

If your business is covered by the Privacy Act 1988 (Cth) (including the Australian Privacy Principles), you generally need to:

  • handle personal information transparently and securely
  • only use/disclose it for permitted purposes
  • allow access and correction in many cases
  • destroy or de-identify personal information when it’s no longer needed for any purpose permitted under the APPs (subject to other legal retention requirements)

That last point is important: privacy law can push you towards not keeping records forever, but it does not override other laws or obligations that require you to keep records for a minimum time (including professional, funding, insurer, or contract requirements).

This is one reason having a clear Privacy Policy and internal procedures is so useful - it helps you explain your retention approach and apply it consistently.

State And Territory Health Information Rules (And Sector-Specific Requirements)

States and territories regulate health information in different ways (often through health privacy/health records frameworks, and sometimes through sector-specific rules for certain providers).

It’s important not to assume that “health records laws” always set a single, clear minimum retention period for every private clinic. In many cases, the practical retention timeframes come from a combination of:

  • professional standards and guidelines
  • complaints/disciplinary expectations
  • limitation period risk management (how long a claim might arise after treatment)
  • specific rules that apply to certain settings (for example, some regulated facilities or programs)

The specific rules vary by jurisdiction. If you operate across multiple states (including telehealth), you may need a retention approach that meets the strictest applicable standard.

Professional And Accreditation Obligations

If you’re a registered health practitioner, operate a clinic with registered practitioners, or are subject to accreditation standards, record-keeping expectations usually include:

  • maintaining adequate clinical notes
  • keeping records for a required period
  • being able to respond to complaints and audits

Even where legislation is not explicit, professional and insurer expectations can effectively set a “baseline” for what’s considered reasonable record management.

Medicare, NDIS, Insurer, Contract, And Funding Requirements

If you bulk bill, claim Medicare items, provide services funded by third parties, or operate under government programs, you may have separate contractual or program-based retention obligations.

For example, you may need to retain records that substantiate claims, eligibility, or service delivery. Deleting those records too early can create audit issues and repayment risk. Because these requirements can differ depending on the program and your agreements, it’s worth checking the specific terms that apply to your business.

How Long Do You Have To Keep Medical Records?

There isn’t one single retention period that applies to every Australian healthcare business in every state and every clinical scenario. Retention can depend on:

  • your location (state/territory and any sector-specific rules that apply)
  • the type of practice (e.g. allied health, medical clinic, dental, specialist)
  • the age of the patient (adult vs minor)
  • the nature of treatment (for example, records relevant to long-term conditions may need to be retained longer for continuity of care)
  • any anticipated medico-legal issues

That said, many Australian healthcare businesses and practitioners adopt a common baseline approach (often reflected in professional guidance and insurer expectations):

  • Adults: keep clinical records for at least 7 years from the last entry/last attendance.
  • Children: keep clinical records until at least age 25, or for 7 years from the last entry/last attendance, whichever is later.

These timeframes are a widely used starting point, not a substitute for checking what applies to your profession, your state/territory, and any specific funding or facility rules that cover your services.

Adults vs Children: Why This Matters

A common approach across Australia is that children’s records are retained for longer than adult records, because legal issues may not emerge until after the patient turns 18.

As a business owner, the key is to avoid an overly simplistic “we delete after X years” approach if you see minors or family patients. Your retention schedule should clearly distinguish between adult and minor records (and any special categories you decide to retain longer).

Different Types Of Records May Have Different Retention Needs

It also helps to separate:

  • clinical records (notes, test results, referrals, imaging reports)
  • administrative records (appointments, communications, operational notes)
  • billing and financial records (invoices, receipts, payment records)
  • consents and authorities (consent forms, privacy consents, releases)

Some records might be needed to defend a complaint or claim even if the clinical episode was years ago. Others may be retained for tax, accounting, or program audit reasons.

When Is It OK To Delete Medical Records (And When Is It Risky)?

Most healthcare businesses will eventually need to delete or securely destroy records - for privacy, cyber security, cost, and storage reasons.

The question is how to do it in a way that doesn’t expose you to legal consequences.

When Deletion Is Usually Permissible

Deletion is commonly permissible when:

  • the applicable minimum retention period has passed
  • you don’t have another legal reason to keep the record (such as an ongoing complaint, claim, or audit requirement)
  • the record is not required for ongoing care (for example, for active patients where continuity of care relies on historical data)
  • you delete or destroy the records securely and in line with your policies

In many cases, privacy law supports deletion once information is no longer needed - but only after you’ve confirmed no retention requirement still applies.

Even if a record is “old”, deletion can become high-risk if there’s any chance it may be relevant to:

  • a patient complaint or adverse incident
  • a professional conduct issue
  • a medico-legal claim (or a threatened claim)
  • a regulator investigation
  • an insurer request
  • a coronial process
  • an audit (Medicare, insurer, funding body, or program compliance)

If you’re on notice that records may be needed, deletion can be viewed as improper - and in the worst-case scenario, it can be alleged to be an attempt to conceal information. That’s the kind of issue that can escalate quickly.

What About A Patient Requesting Deletion (“Right To Be Forgotten”)?

Patients sometimes ask a clinic to delete their records. In Australia, this is not as straightforward as “the customer asked, so we must delete”.

Even where a concept like the right to be forgotten is discussed, healthcare records are often subject to mandatory retention obligations and strong public interest considerations.

In practice, you may need to explain (politely and clearly) that you can’t delete records before the required retention period expires, but you can still address concerns through careful access controls, correction processes, and clear explanations of how information is used and stored.

A Practical Compliance Checklist For Healthcare Businesses

Knowing the law is one part of the puzzle. The other part is building systems your team can actually follow day to day.

Here’s a practical checklist you can use to reduce risk when handling retention and deletion.

1) Create A Written Record Retention And Destruction Policy

A clear retention policy helps you show that your business:

  • has a consistent approach
  • is not deleting ad hoc or selectively
  • is taking privacy and compliance seriously

Your policy should cover:

  • retention periods (adult vs minor, and any special categories)
  • how “last contact date” is defined (e.g. last appointment, last clinical entry)
  • how deletion/destruction is approved (who signs off)
  • how deletion is carried out for paper and electronic records
  • what happens when there is a complaint, incident, or claim (a “legal hold” process)

2) Build Privacy Compliance Into Your Patient Journey

Good compliance starts before you ever think about deletion. It begins with telling patients what you collect, why you collect it, and how long you keep it (at a high level).

Alongside your Privacy Policy, you may also want a short collection notice for patient onboarding and online forms, especially if you take online bookings or accept intake forms via your website.

3) Use Access Controls And Security Measures (Not Just “Trust”)

Many medical record issues don’t come from deletion - they come from unauthorised access, accidental sharing, or weak systems.

Even small practices should consider:

  • role-based access (only staff who need records can access them)
  • strong password policies and multi-factor authentication
  • audit logs where possible
  • secure backups (and a plan for how backups are handled when a record is deleted)
  • vendor controls (practice management software providers, cloud storage providers)

A documented Information Security Policy can be a practical way to translate “privacy law obligations” into real procedures your team follows.

4) Have A Legal Hold Process

If something goes wrong - a complaint, adverse event, or dispute - you want a clear internal rule: stop any deletion that could relate to the matter, and record who placed the hold, when, and why.

This includes auto-deletion settings in software systems. A “legal hold” process is often where good intentions fail, because a clinic might have automated deletion scheduled (in practice management software, email retention rules, or cloud backup lifecycle settings) without anyone thinking about a new complaint that just came in.

5) Make Deletion Secure (And Keep A Destruction Log)

“Deleting” is not always the same thing as “destroying”. For example:

  • electronic data may still be recoverable if not securely wiped, and copies often persist in backups, exports, email attachments and synced folders long after the “live” record is removed
  • paper records need shredding or secure destruction (not normal disposal)
  • hardware disposal (old laptops, drives, USB sticks, imaging equipment with internal storage) can be a major risk point

It’s also a good idea to keep a destruction log that records:

  • what was destroyed (at a file-level reference, not clinical content)
  • the destruction method
  • the date
  • who approved it
  • who performed it (including third-party providers)

This gives you a defensible trail if you’re ever questioned about what happened to records.
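To show how the retention schedule (step 1), the legal hold (step 4) and the destruction log (step 5) fit together, here is an added Python example. It is not code from this article or from Sprintlaw; it assumes the baseline periods quoted above (7 years for adults, until age 25 or 7 years from the last entry for children, whichever is later) and uses hypothetical field names, record IDs and a constructed sample of three records. The point it makes is that a scheduled deletion job should only ever act on a computed eligibility date, that a legal hold must override that date, and that every destruction should produce a log entry that carries no clinical content.

```python
"""Retention eligibility, legal hold and destruction log: illustrative example only.

Assumptions (not from the article): the field names below, the sample records,
and the baseline periods. Confirm the periods against your profession,
state/territory and funding rules before using anything like this.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

ADULT_RETENTION_YEARS = 7        # years from last clinical entry (baseline only)
MINOR_RETENTION_UNTIL_AGE = 25   # keep minors' records until at least this age


def add_years(d: date, years: int) -> date:
    """Add whole years, clamping 29 Feb to 28 Feb when the target year is not a leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


@dataclass
class ClinicalRecord:
    """Metadata needed for the decision; clinical content is deliberately absent."""
    record_id: str
    date_of_birth: date
    last_entry: date                  # "last contact date" as defined in your policy
    legal_hold: Optional[str] = None  # reason for the hold, e.g. "complaint received", or None


@dataclass
class DestructionLogEntry:
    """One line of the destruction log: a file-level reference, never clinical content."""
    record_id: str
    method: str
    destroyed_on: date
    approved_by: str
    performed_by: str


def retention_end(rec: ClinicalRecord) -> date:
    """Earliest date on which the baseline retention period has passed.

    Adults: 7 years from last entry.  Minors: age 25 or 7 years from last
    entry, whichever is later.  Anyone aged 18+ at their last entry satisfies
    last_entry + 7y >= dob + 25y, so a single max() covers both cases.
    """
    return max(
        add_years(rec.last_entry, ADULT_RETENTION_YEARS),
        add_years(rec.date_of_birth, MINOR_RETENTION_UNTIL_AGE),
    )


def deletion_decision(rec: ClinicalRecord, today: date) -> str:
    """Return 'hold', 'retain' or 'eligible'.  A legal hold always wins."""
    if rec.legal_hold:
        return "hold"
    return "retain" if today < retention_end(rec) else "eligible"


def run_destruction_job(records: List[ClinicalRecord], today: date,
                        approved_by: str, performed_by: str,
                        method: str = "secure wipe incl. backup purge") -> List[DestructionLogEntry]:
    """Simulate a scheduled auto-deletion run that respects holds and logs each destruction."""
    log: List[DestructionLogEntry] = []
    for rec in records:
        if deletion_decision(rec, today) == "eligible":
            log.append(DestructionLogEntry(rec.record_id, method, today, approved_by, performed_by))
    return log


# Constructed sample data (hypothetical IDs and dates).
TODAY = date(2024, 1, 1)
SAMPLE_RECORDS = [
    ClinicalRecord("R-001", date(1980, 5, 10), date(2015, 3, 1)),                    # adult, past 7 years
    ClinicalRecord("R-002", date(2010, 6, 15), date(2015, 3, 1)),                    # minor, held until age 25
    ClinicalRecord("R-003", date(1975, 1, 20), date(2010, 8, 9), "complaint received"),  # old, but on hold
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec.record_id, retention_end(rec), deletion_decision(rec, TODAY))
    for entry in run_destruction_job(SAMPLE_RECORDS, TODAY, "practice manager", "IT vendor"):
        print("destroyed:", entry)
```

Two design choices are worth noting. The destruction job never takes a "delete this record" instruction from a user; it derives eligibility from dates and the hold flag, which makes selective deletion of "bad notes" a policy violation that the code simply does not support. And the log entry is created from the same run, so the approval and performer fields are captured at the moment of destruction rather than reconstructed later.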

6) Prepare For Access Requests And Data Breaches

Patients may request access to records, and regulators may expect you to respond appropriately and within reasonable timeframes. Having a standard workflow reduces stress when the request arrives.

An Access Request Form can help your team collect the right information and follow a consistent process.

Separately, healthcare businesses are increasingly targeted for cyber incidents. If you have a suspected breach involving patient information, you may have reporting obligations and urgent containment steps to take. A documented Data Breach Notification process (and an incident plan behind it) can be the difference between a controlled response and a costly, chaotic one.

7) Use The Right Consents And Authorities

Medical records often involve third-party sharing: referrals, treating team collaboration, insurers, employers, and family members.

Make sure your business is clear on when consent is required, and how you evidence it. In many cases, a Medical Release Consent Form can help document authority to release information, reduce misunderstandings, and protect your staff from being put in a difficult position.

Key Takeaways

  • Is it illegal to delete medical records? It can be, especially if you delete records before the minimum retention period, during a dispute, or without secure destruction processes.
  • Medical record deletion and retention is governed by a mix of privacy law, state/territory health information rules, professional expectations, and funding/audit or contract requirements.
  • Many clinics use a baseline of at least 7 years for adults and until at least age 25 for children, but you should confirm what applies to your profession, setting and state/territory.
  • Even when deletion is allowed, you should delete securely and keep a destruction log so you can explain what happened if questioned later.
  • Strong policies (privacy, security, retention, and breach response) help you manage compliance as you grow and reduce the chance of accidental non-compliance.

If you’d like help setting up a legally compliant medical records retention and privacy framework for your healthcare business, you can reach us at 1800 730 617 or team@sprintlaw.com.au for a free, no-obligations chat.

Alex Solo

Alex is Sprintlaw's co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
