If you run a private medical service, you may receive data access requests from your patients. Under the Privacy Act, people have a right to access the personal information that a business holds about them. The medical record laws in different states and territories also set out rules for patient access to medical records. This article will explain what you need to know about these laws if a patient wants to access their health records. 

What Is the Law Around Access Requests?

If someone requests access to the personal information you hold about them, you have an obligation to give them access to that information. You should respond to an access request within 30 days of receiving it.

An access request can come in different forms.

For example, it may be a request:

  • for a summary of their personal information;
  • to see a full copy of their personal information;
  • to view what personal information you hold; or
  • for you to describe what personal information you hold about them.

If you wish, you can charge a fee that individuals must pay if they want to gain access to their information. However, there are limits on this. The fee must be reasonable and reflect the actual administrative costs of processing the request. You must also notify the person of the fee.

Can You Deny an Access Request?

In some circumstances, you will have the right to deny an access request. These situations include if:

  • you reasonably believe providing access would pose a serious threat to someone’s life or health and safety;
  • you reasonably believe providing access would have an unreasonable impact on the privacy of others;
  • the information relates to legal proceedings between you and them;
  • giving access would reveal your intentions regarding legal negotiations with them; or
  • Australian law requires the denial of access.

In some circumstances, denying health record access requests will be necessary to protect the life or health of the person. However, before dismissing a request for this reason, you should consider whether access can be provided using a different method. 

For example, psychology records could be given to a psychologist, who will explain those records to the patient.

Different State and Territory Laws

Victoria (Vic), New South Wales (NSW) and the Australian Capital Territory (ACT) all have specific health record laws. While there are a lot of similarities between the laws, there are also many differences in essential areas.

Fees

Under these different laws, you can still charge an administrative fee for patients to access their health records. But, this fee must still be reasonable and should not discourage access.

For example, in Victoria, the fees are set by regulation and updated each year.

Time to Complete Requests

A further difference between the different states and territories is the amount of time that you have to complete a request. In NSW and Vic, you must reply within 45 days from receiving the request.

Under the law of the ACT, you must provide access within 30 days from receiving the request. Or, if the patient must pay the fee for access, you must complete the request within one week of the fee being paid.

Reasons for Denial

Another difference between the states are the reasons that you can rely on to deny an access request. 

For example, in Victoria, you can refuse a request for access to health information if the information was given to you in confidence. This means someone has requested that the information not be communicated to the person that it relates to.

Methods of Access

Different states and territories also require different methods for you to provide access to your patient’s health records.

In NSW, for example, you can deny access to someone if this access could pose a threat. This may be if you are concerned with how the information will affect the mental health of the patient.

Here, you must notify the patient that they have 21 days to nominate another health service provider to receive the health information from.

For exmaple, they may be able to nominate receiving the information from a psychologist instead.

On receiving their nomination, you also have 21 days to carry out this request.

Key Takeaways

As a private medical service provider, you have obligations under the Privacy Act to respond to patient information access requests. You may only deny a request if it is allowed under the Privacy Act. The different laws between states and territorties will affect your obligations to provide patient information, so you need to be aware of which laws affect you. If you have any questions about how to handle health record requests from patients, contact LegalVision’s IT lawyers on 1300 544 755 or fill out the form on this page.

About LegalVision: LegalVision is a tech-driven, full-service commercial law firm that uses technology to deliver a faster, better quality and more cost-effective client experience.
Jacqueline Gibson

Get a Free Quote Now

If you would like to receive a free fixed-fee quote or get in touch with our team, fill out the form below.

  • We will be in touch shortly with a quote. By submitting this form, you agree to receive emails from LegalVision and can unsubscribe at any time. See our full Privacy Policy.
  • This field is for validation purposes and should be left unchanged.

Our Awards

  •  Top 20 Startups in Australia - 2018 LinkedIn Startups List Top 20 Startups in Australia - 2018 LinkedIn Startups List
  • NewLaw Firm of the Year – 2019 Australian Law Awards NewLaw Firm of the Year – 2019 Australian Law Awards
  • Law Firm of the Year Finalist – 2018 Australasian Law Awards Law Firm of the Year Finalist – 2018 Australasian Law Awards
  • AFR Fast 100 List – 2018 Australian Financial Review AFR Fast 100 List – 2018 Australian Financial Review
  • NewLaw Firm of the Year – 2017 Australian Law Awards NewLaw Firm of the Year – 2017 Australian Law Awards
  • Most Innovative Law Firm - 2019 Australasian Lawyer Most Innovative Law Firm - 2019 Australasian Lawyer

Privacy Policy Snapshot

We collect and store information about you. Let us explain why we do this.

What information do you collect?

We collect a range of data about you, including your contact details, legal issues and data on how you use our website.

How do you collect information?

We collect information over the phone, by email and through our website.

What do you do with this information?

We store and use your information to deliver you better legal services. This mostly involves communicating with you, marketing to you and occasionally sharing your information with our partners.

How do I contact you?

You can always see what data you’ve stored with us.

Questions, comments or complaints? Reach out on 1300 544 755 or email us at info@legalvision.com.au

View Privacy Policy