If you run a private medical service, you may receive data access requests from your patients. Under the Privacy Act, people have a right to access the personal information that a business holds about them. The medical record laws in different states and territories also set out rules for patient access to medical records. This article will explain what you need to know about these laws if a patient wants to access their health records.
What Is the Law Around Access Requests?
If someone requests access to the personal information you hold about them, you have an obligation to give them access to that information. You should respond to an access request within 30 days of receiving it.
An access request can come in different forms.
If you wish, you can charge a fee that individuals must pay if they want to gain access to their information. However, there are limits on this. The fee must be reasonable and reflect the actual administrative costs of processing the request. You must also notify the person of the fee.
Can You Deny an Access Request?
In some circumstances, you will have the right to deny an access request. These situations include if:
- you reasonably believe providing access would pose a serious threat to someone’s life or health and safety;
- you reasonably believe providing access would have an unreasonable impact on the privacy of others;
- the information relates to legal proceedings between you and them;
- giving access would reveal your intentions regarding legal negotiations with them; or
- Australian law requires the denial of access.
In some circumstances, denying health record access requests will be necessary to protect the life or health of the person. However, before dismissing a request for this reason, you should consider whether access can be provided using a different method.
Different State and Territory Laws
Victoria (Vic), New South Wales (NSW) and the Australian Capital Territory (ACT) all have specific health record laws. While there are a lot of similarities between the laws, there are also many differences in essential areas.
Fees
Under these different laws, you can still charge an administrative fee for patients to access their health records. However, this fee must still be reasonable and should not discourage access.
Time to Complete Requests
A further difference between the different states and territories is the amount of time that you have to complete a request. In NSW and Vic, you must reply within 45 days from receiving the request.
Under the law of the ACT, you must provide access within 30 days from receiving the request. Alternatively, if the patient must pay the fee for access, you must complete the request within one week of the fee being paid.
Reasons for Denial
Another difference between the states is the reasons that you can rely on to deny an access request.
Methods of Access
Different states and territories also require different methods for you to provide access to your patient’s health records.
Here, you must notify the patient that they have 21 days to nominate another health service provider to receive the health information from.
On receiving their nomination, you also have 21 days to carry out this request.
Key Takeaways
As a private medical service provider, you have obligations under the Privacy Act to respond to patient information access requests. You may only deny a request if it is allowed under the Privacy Act. The different laws between states and territories will affect your obligations to provide patient information, so you need to be aware of which laws affect you. If you have any questions about how to handle health record requests from patients, contact LegalVision’s IT lawyers on 1300 544 755 or fill out the form on this page.