In Short
- In NSW, VIC, and the ACT, patient medical records must be kept for a minimum of seven years or until a minor turns 25.
- Secure storage and safe destruction of records are crucial to comply with legal obligations.
- Use professional services for secure destruction and maintain a record of the process.
Tips for Businesses
Ensure your medical records are stored securely using encrypted software or locked facilities. Keep records for the legally required timeframe and always use a professional service for destruction, retaining proof of disposal. Following these best practices will help you comply with Australian privacy laws.
Running a health centre comes with the responsibility of managing sensitive patient medical records. If you run a medical centre, you must comply with legal requirements for collecting, storing, and destroying such medical records. The requirements for storing and destroying medical records vary across Australia. It is crucial to know which requirements apply in your location and what is considered best practice. This article will explain:
- how long you can store medical records;
- measures to maintain secure storage of health data; and
- proper procedures for destroying medical records.
The primary purpose of retaining health records is to facilitate ongoing patient care and treatment. Another key purpose is maintaining a record in case any legal issues arise regarding the care given. How long you need to keep these records depends on the time limits set by laws in your state or territory and any specific rules about keeping medical records.
NSW, VIC and the ACT
If you work in New South Wales (NSW), Victoria (VIC) or the Australian Capital Territory (ACT) as a private medical service, there are legislative requirements for the retention of medical records that you will need to comply with. These laws include a minimum timeframe for keeping medical records.
These timeframes are minimums, and it is often prudent to keep medical records for longer periods of time. This is because these records may be subject to legal proceedings. If you think there is a chance of a legal case relating to any documents, you should hold on to that record until the risk of any legal proceedings has passed. If the risk continues, keep the records indefinitely or for seven years after the patient’s death.
Other States and Territories
Other states and territories in Australia do not have laws that apply specifically to the storage of medical records by private medical providers. Instead, if you hold health information, you must comply with Australia’s privacy laws under the Privacy Act.
Under the Privacy Act, you can only keep personal medical information as long as the purpose for which you collected it remains valid.
Some exceptions to this are if:
- you need the information to perform a related but different health service;
- the person whose information you have has consented to using their information for a secondary purpose; or
- you are legally authorised to use the information.
Once the treatment for your patient has ended, it may seem that the purpose of collection has ended and you can get rid of the medical records. However, this is not advisable: these records may be needed again, so hold on to them. While the Privacy Act does not set a minimum period, it is generally recommended to keep medical records for:
- at least seven years from the last entry for adult patients; and
- until any patients who were children reach 25 years of age unless the patient (or their legal guardian) has requested these records be transferred to a new provider.
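The two retention rules above (seven years from the last entry for adults, and the 25th birthday for patients who were children) are easy to implement as a small calculator, which is useful when a practice management system needs to flag records that may be reviewed for destruction. The following is an added example, not code from the article or from any particular practice system. It assumes the conservative reading that a patient who was under 18 at the date of the last entry is held until the later of the two dates, treats a leap-day birthday as falling on 28 February in non-leap years, and adds a hypothetical `litigation_risk` flag to reflect the advice in the article that records subject to possible legal proceedings are kept regardless of the minimum period.

```python
from datetime import date

# Retention parameters as described in the article (assumed here as constants).
ADULT_RETENTION_YEARS = 7   # keep at least 7 years from the last entry
MINOR_RETENTION_AGE = 25    # keep records of child patients until they turn 25
AGE_OF_MAJORITY = 18        # "child" means under 18 at the date of the last entry


def _add_years(d: date, years: int) -> date:
    """Return the same calendar day `years` later; 29 Feb maps to 28 Feb."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def _age_on(date_of_birth: date, on: date) -> int:
    """Whole years of age on a given date."""
    years = on.year - date_of_birth.year
    if (on.month, on.day) < (date_of_birth.month, date_of_birth.day):
        years -= 1
    return years


def earliest_destruction_date(date_of_birth: str, last_entry: str) -> str:
    """Earliest date (ISO format) on which the record reaches its minimum retention.

    Both arguments are ISO dates ("YYYY-MM-DD"). For an adult this is seven years
    after the last entry; for a child it is the later of that date and the 25th
    birthday (for a patient under 18, the 25th birthday is necessarily the later
    one, so max() simply keeps the rule explicit).
    """
    dob = date.fromisoformat(date_of_birth)
    last = date.fromisoformat(last_entry)
    seven_years_on = _add_years(last, ADULT_RETENTION_YEARS)
    if _age_on(dob, last) < AGE_OF_MAJORITY:
        turns_25 = _add_years(dob, MINOR_RETENTION_AGE)
        return max(seven_years_on, turns_25).isoformat()
    return seven_years_on.isoformat()


def may_destroy(date_of_birth: str, last_entry: str, today: str,
                litigation_risk: bool = False) -> bool:
    """True only if the minimum period has passed and no legal hold applies.

    `litigation_risk` is a hypothetical flag: the article advises holding any
    record that may be subject to legal proceedings until that risk has passed.
    """
    if litigation_risk:
        return False
    earliest = date.fromisoformat(earliest_destruction_date(date_of_birth, last_entry))
    return date.fromisoformat(today) >= earliest


if __name__ == "__main__":
    # Constructed sample patients, not real records.
    print(earliest_destruction_date("1980-03-10", "2020-05-01"))  # adult
    print(earliest_destruction_date("2010-06-15", "2020-05-01"))  # child
    print(may_destroy("1980-03-10", "2020-05-01", "2027-05-01"))
```

Because a flagged record only becomes a candidate for review, the output of `may_destroy` should feed a human decision and the destruction register described later in the article, not an automatic deletion job.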
How Should I Store Medical Records?
Medical records contain highly sensitive information. Maintaining robust security measures for both physical and digital records is crucial to safeguarding this sensitive patient data, protecting privacy, and mitigating potential breaches or legal liabilities. You must store medical records securely to comply with legal obligations.
Examples of secure storage options include:
- for both paper and electronic records: holding them within secure premises with an alarm system;
- for electronic records: using specialised software designed for storing medical information, encrypting the files to prevent unauthorised access, installing firewalls, anti-virus software and other cybersecurity measures, and regularly backing up data to prevent loss;
- for paper records: keeping them within a locked cabinet, with access restricted to authorised personnel only, never leaving them unattended or in plain sight, and implementing procedures for safe disposal of outdated or unnecessary records;
- maintaining an access log that records when the records are accessed and by whom; and
- using strong, frequently updated passwords for electronic access.
Comprehensive security practices are essential for safeguarding the confidentiality and integrity of sensitive medical records.
How Should I Destroy Medical Records?
You must securely destroy the information if you no longer require medical records. Alternatively, you can de-identify the records by removing only the parts that identify the person. However, if you wish to retain de-identified records, you must ensure the de-identification process is thorough and effective, leaving a very low risk of the person being identifiable.
Proper de-identification can be a tedious and time-consuming process. Therefore, if you have no further purpose for the health information, it is often easier and safer to completely destroy the entire record.
To effectively destroy medical records, you should use a reputable commercial service provider experienced in the secure destruction of confidential information. Establish a contractual agreement with the provider, which will legally protect you if they fail to do their job correctly. Once the destruction is complete, keep a record or certificate confirming the successful destruction. You should hold on to this receipt of destruction for as long as possible.
Completely and permanently destroying medical records with personal details is essential to protect patient privacy, prevent data leaks, and comply with legal requirements.
While not a legal requirement in other states and territories, we recommend maintaining a similar destruction register when destroying health records there too, documenting the individual’s name, the time period covered by the record, and the destruction date.
Key Takeaways
If you run a private medical centre, you have a legal obligation to hold on to medical records for prescribed periods of time. You will also need to keep a record of any destruction of medical records with details of the record that you have destroyed. The Privacy Act sets out your obligations for storage and destruction across Australia, but it is best practice to follow the requirements of the laws in NSW, VIC and the ACT.
If you are uncertain about any of your legal obligations surrounding your patient records, our experienced IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 1300 544 755 or visit our membership page.
Frequently Asked Questions
The minimum retention period varies by state/territory and patient age. In NSW, VIC, and ACT, healthcare providers must keep records for at least 7 years after the last entry for adults and until patients under 18 reach 25 years old. In other states/territories, authorities recommend that providers follow the same timeframes, though they are not legally required.
Even after the minimum period, keeping records longer is advisable if there’s a risk of legal proceedings. Only destroy records when the purpose for collection has ended, and there is no foreseeable legal need.