
I Run a Health Centre. How Long Do I Have To Store Patient Medical Records?

In Short

  • In NSW, VIC, and the ACT, patient medical records must be kept for a minimum of seven years or until a minor turns 25.
  • Secure storage and safe destruction of records are crucial to comply with legal obligations.
  • Use professional services for secure destruction and maintain a record of the process.

Tips for Businesses

Ensure your medical records are stored securely using encrypted software or locked facilities. Keep records for the legally required timeframe and always use a professional service for destruction, retaining proof of disposal. Following these best practices will help you comply with Australian privacy laws.



Running a health centre comes with the responsibility of managing sensitive patient medical records. If you run a medical centre, you must comply with legal requirements for collecting, storing, and destroying such medical records. The requirements for storing and destroying medical records vary across Australia. It is crucial to know which requirements apply in your location and what is considered best practice. This article will explain:

  • how long you can store medical records;
  • measures to maintain secure storage of health data; and
  • proper procedures for destroying medical records.

The primary purpose of retaining health records is to facilitate ongoing patient care and treatment. Another key purpose is maintaining a record in case any legal issues arise regarding the care given. How long you need to keep these records depends on the limitation periods set by laws in your state or territory and on any rules that apply specifically to medical records.

NSW, VIC and the ACT

If you work in New South Wales (NSW), Victoria (VIC) or the Australian Capital Territory (ACT) as a private medical service, there are legislative requirements for the retention of medical records that you will need to comply with. These laws include a minimum timeframe for keeping medical records.

For example, for adults, records must be kept for a minimum period of 7 years from the date of the last entry. Records must be retained for patients under 18 years of age until they reach 25 years of age.

These timeframes are minimums, and it is often prudent to keep medical records for longer periods of time. This is because these records may be subject to legal proceedings. If you think there is a chance of a legal case relating to any documents, you should hold on to that record until the risk of any legal proceedings has passed. If the risk continues, keep the records indefinitely or for seven years after the patient’s death.

Other States and Territories

Other states and territories in Australia do not have laws that apply specifically to the storage of medical records by private medical providers. Instead, if you hold health information, you must comply with Australia’s privacy laws under the Privacy Act.

Under the Privacy Act, you can only keep personal medical information for as long as the purpose for which you collected it remains valid.

Some exceptions to this are if:

  • you need the information to perform a related but different health service;
  • the person whose information you have has consented to using their information for a secondary purpose; or
  • you are legally authorised to use the information.

Once the treatment for your patient has ended, it may seem that the purpose of collection has also ended and that you can get rid of the medical records. However, this is not advisable: these records may be needed again, so always hold on to them. While the Privacy Act does not set a minimum period, it is generally recommended to keep medical records for:

  • at least seven years from the last entry for adult patients; and
  • until any patients who were children reach 25 years of age unless the patient (or their legal guardian) has requested these records be transferred to a new provider.

How Should I Store Medical Records?

Medical records contain highly sensitive information. Maintaining robust security measures for both physical and digital records is crucial to safeguarding this sensitive patient data, protecting privacy, and mitigating potential breaches or legal liabilities. You must store medical records securely to comply with legal obligations.

Examples of secure storage options include:

  • For both paper and electronic records: holding them within secure premises with an alarm system;
  • For electronic records: using specialised software designed for storing medical information, encrypting the files to prevent unauthorised access, installing firewalls, anti-virus software, and other cybersecurity measures, and regularly backing up data to prevent loss;
  • For paper records: keeping them within a locked cabinet, with access restricted to authorised personnel only, never leaving them unattended or in plain sight, and implementing procedures for safe disposal of outdated or unnecessary records;
  • maintaining an access log to track when, and by whom, the records are accessed; and
  • using strong, frequently updated passwords for electronic access.

Comprehensive security practices are essential for safeguarding the confidentiality and integrity of sensitive medical records.

How Should I Destroy Medical Records?

If you no longer require medical records, you must securely destroy the information. Alternatively, you may de-identify a record by removing only the parts that identify the person. However, if you wish to retain de-identified records, you must ensure the de-identification process is thorough and effective, leaving a very low risk of the person being identifiable.

For example, simply blacking out details with a marker may not suffice, as the text could still be visible when the page is held up to a light source; that is not sufficient de-identification.

Proper de-identification can be a tedious and time-consuming process. Therefore, if you have no further purpose for the health information, it is often easier and safer to completely destroy the entire record.

To effectively destroy medical records, you should use a reputable commercial service provider experienced in the secure destruction of confidential information. Establish a contractual agreement with the provider, which will legally protect you if they fail to do their job correctly. Once the destruction is complete, keep a record or certificate confirming the successful destruction. You should hold on to this proof of destruction for as long as possible.

Completely and permanently destroying medical records with personal details is essential to protect patient privacy, prevent data leaks, and comply with legal requirements.

When destroying any health records in NSW, VIC or the ACT, you must maintain a register containing the following information:

  1. The name of the individual to whom the medical record pertained.
  2. The time period covered by the health record (i.e., the date of the earliest entry to the date of the most recent entry).
  3. The date on which someone destroyed the record.

While not a legal requirement in other states and territories, we recommend maintaining a similar register when destroying health records, documenting the individual’s name, the time period covered by the record, and the destruction date.
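The retention timeframes described above (seven years from the last entry for adults, until age 25 for patients who were under 18, and seven years after death where legal risk persists) and the three fields of the destruction register can be encoded as a small policy check in a records system. The following Python is an added example written for this page and is not LegalVision's code or legal advice; the function and class names are hypothetical, the sample patients are constructed, and it assumes a conservative reading in which a former minor's record is kept until the later of their 25th birthday and seven years from the last entry.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Timeframes as stated in the article for NSW, VIC and the ACT.
ADULT_RETENTION_YEARS = 7        # at least 7 years from the date of the last entry
ADULT_AGE = 18                   # patients under 18 at the last entry are minors
MINOR_RETENTION_UNTIL_AGE = 25   # keep a minor's record until they turn 25
POST_DEATH_RETENTION_YEARS = 7   # where legal risk continues: 7 years after death


def add_years(d: date, years: int) -> date:
    """Add whole years; 29 Feb rolls back to 28 Feb in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def age_on(date_of_birth: date, on: date) -> int:
    """Completed years of age on a given date."""
    years = on.year - date_of_birth.year
    if (on.month, on.day) < (date_of_birth.month, date_of_birth.day):
        years -= 1
    return years


def earliest_destruction_date(date_of_birth: date, last_entry: date,
                              date_of_death: Optional[date] = None) -> date:
    """Earliest date on which the record may be destroyed under the minimums above."""
    earliest = add_years(last_entry, ADULT_RETENTION_YEARS)
    if age_on(date_of_birth, last_entry) < ADULT_AGE:
        # Assumption (conservative reading): keep until the later of the two rules.
        earliest = max(earliest, add_years(date_of_birth, MINOR_RETENTION_UNTIL_AGE))
    if date_of_death is not None:
        earliest = max(earliest, add_years(date_of_death, POST_DEATH_RETENTION_YEARS))
    return earliest


def may_destroy(date_of_birth: date, last_entry: date, today: date,
                legal_risk: bool = False, date_of_death: Optional[date] = None) -> bool:
    """Destruction is permitted only after the minimum period and with no legal risk."""
    if legal_risk:
        return False  # the article: hold the record until the risk has passed
    return today >= earliest_destruction_date(date_of_birth, last_entry, date_of_death)


@dataclass(frozen=True)
class DestructionRegisterEntry:
    """The three items the NSW/VIC/ACT destruction register must contain."""
    patient_name: str
    earliest_entry: date      # start of the period covered by the record
    latest_entry: date        # end of the period covered by the record
    destroyed_on: date


def record_destruction(patient_name: str, date_of_birth: date, earliest_entry: date,
                       latest_entry: date, destroyed_on: date,
                       legal_risk: bool = False,
                       date_of_death: Optional[date] = None) -> DestructionRegisterEntry:
    """Refuse to register a destruction that the retention rules do not yet permit."""
    if not may_destroy(date_of_birth, latest_entry, destroyed_on, legal_risk, date_of_death):
        raise ValueError("record is still within its retention period or under legal risk")
    return DestructionRegisterEntry(patient_name, earliest_entry, latest_entry, destroyed_on)


if __name__ == "__main__":
    # Constructed sample patients (not real data).
    print(earliest_destruction_date(date(1980, 5, 10), date(2020, 3, 15)))   # 2027-03-15
    print(earliest_destruction_date(date(2010, 8, 1), date(2020, 3, 15)))    # 2035-08-01
    print(record_destruction("Sample Patient", date(1980, 5, 10),
                             date(2012, 1, 9), date(2020, 3, 15), date(2030, 1, 1)))
```

`record_destruction` is the gate a records system would call before sending a file to the destruction provider: it produces the register entry only when the minimum period has elapsed and no legal-risk hold is set, so the register cannot contain a destruction the rules did not allow.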


Key Takeaways

If you run a private medical centre, you have a legal obligation to hold on to medical records for prescribed periods of time. You will also need to keep a record of any destruction of medical records with details of the record that you have destroyed. The Privacy Act sets out your obligations for storage and destruction across Australia, but it is best practice to follow the requirements of the laws in NSW, VIC and the ACT.

If you are uncertain about any of your legal obligations surrounding your patient records, our experienced IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 1300 544 755 or visit our membership page.

Frequently Asked Questions

How long must I keep medical records in my health centre?

The minimum retention period varies by state or territory and by patient age. In NSW, VIC and the ACT, healthcare providers must keep records for at least 7 years after the last entry for adults, and until patients who were under 18 reach 25 years of age. In other states and territories, these timeframes are recommended rather than legally required.

What should I do with medical records after the minimum retention period?

Even after the minimum period, keeping records longer is advisable if there’s a risk of legal proceedings. Only destroy records when the purpose for collection has ended, and there is no foreseeable legal need.

Christy Koufos
