Summary
- Patient medical records are sensitive health information that healthcare providers must collect, store and manage in accordance with privacy laws.
- In many Australian states (e.g. NSW, VIC, ACT), records must be kept for at least seven years, or until a minor turns 25.
- Providers must ensure secure storage and proper destruction of records to protect patient privacy and meet legal obligations.
- This guide explains patient medical records for Australian healthcare providers, including retention, storage and destruction requirements.
- It is prepared by LegalVision’s business lawyers, a commercial law firm that specialises in advising clients on healthcare and privacy law.
Tips for Businesses
Store medical records securely using encrypted systems or locked facilities. Track retention periods carefully and avoid destroying records too early. Use professional destruction services and keep proof of disposal. Regularly review your data handling practices to ensure ongoing compliance with privacy laws.
Patient medical records are detailed records of a person’s medical history, treatment, and care, held by healthcare providers and containing sensitive personal and health information. Businesses and healthcare providers must handle these records in accordance with privacy laws, which give patients a right to access their information while imposing strict obligations to store, use, and disclose it securely and appropriately. This article explains what patient medical records are, who can access them, and the legal obligations that apply when handling them.
NSW, VIC and the ACT
If you work in New South Wales (NSW), Victoria (VIC) or the Australian Capital Territory (ACT) as a private medical service, there are legislative requirements for the retention of medical records that you will need to comply with. These laws include a minimum timeframe for keeping medical records.
These timeframes are minimums, and it is often prudent to keep medical records for longer periods of time. This is because these records may be subject to legal proceedings. If you think there is a chance of a legal case relating to any documents, you should hold on to that record until the risk of any legal proceedings has passed. If the risk continues, keep the records indefinitely or for seven years after the patient’s death.
Other States and Territories
Other states and territories in Australia do not have laws that apply specifically to the storage of medical records by private medical providers. Instead, if you hold health information, you must comply with Australia’s privacy laws under the Privacy Act.
Under the Privacy Act, you can only keep personal medical information as long as the purpose for which you collected it remains valid.
Some exceptions to this are if:
- you need the information to perform a related but different health service;
- the person whose information you have has consented to using their information for a secondary purpose; or
- you are legally authorised to use the information.
Once the treatment for your patient has ended, it may seem that the purpose of collection has ended and you can get rid of the medical records. However, this is not advisable: these records may be needed again, so hold on to them. While the Privacy Act does not set a minimum period, it is generally recommended to keep medical records for:
- at least seven years from the last entry for adult patients; and
- until any patients who were children reach 25 years of age unless the patient (or their legal guardian) has requested these records be transferred to a new provider.
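As an added example (not part of the original guide, and not a LegalVision tool), the retention rules above expressed as a check a records system could run before any destruction job: seven years from the last entry for adults, until the 25th birthday for patients who were minors at the last entry, seven years after death where the patient has died, and never while legal proceedings remain a risk. The field names and the choice to take the latest of the applicable dates are assumptions, reflecting the guide's point that the statutory periods are minimums.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

RETENTION_YEARS = 7           # NSW/VIC/ACT minimum after the last entry
MINOR_RETAIN_UNTIL_AGE = 25   # minors: keep until the patient turns 25
ADULT_AGE = 18


def _add_years(d: date, years: int) -> date:
    """Add calendar years; a 29 February that does not exist rolls to 1 March."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return date(d.year + years, 3, 1)


@dataclass
class PatientRecord:
    # Assumed field names for the example; not the guide's own schema.
    patient_id: str
    date_of_birth: date
    last_entry: date
    date_of_death: Optional[date] = None
    legal_hold: bool = False  # foreseeable legal proceedings: never eligible


def earliest_destruction_date(rec: PatientRecord) -> Optional[date]:
    """First date the record may be destroyed, or None while it must be kept."""
    if rec.legal_hold:
        return None
    candidates = [_add_years(rec.last_entry, RETENTION_YEARS)]
    # Patient had not yet turned 18 at the last entry: keep until age 25.
    if _add_years(rec.date_of_birth, ADULT_AGE) > rec.last_entry:
        candidates.append(_add_years(rec.date_of_birth, MINOR_RETAIN_UNTIL_AGE))
    # Guide: where risk persists, keep indefinitely or seven years after death.
    if rec.date_of_death is not None:
        candidates.append(_add_years(rec.date_of_death, RETENTION_YEARS))
    # Conservative: the latest applicable date wins (periods are minimums).
    return max(candidates)


def may_destroy(rec: PatientRecord, today: date) -> bool:
    """True only once every applicable minimum period has expired."""
    earliest = earliest_destruction_date(rec)
    return earliest is not None and today >= earliest
```

Run the check over the whole register before a destruction batch, and log every record it refuses along with the reason, so the register shows why a record was retained.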
How Should I Store Medical Records?
Medical records contain highly sensitive information. Maintaining robust security measures for both physical and digital records is crucial to safeguarding this sensitive patient data, protecting privacy, and mitigating potential breaches or legal liabilities. You must store medical records securely to comply with legal obligations.
Examples of secure storage options include:
- For both paper and electronic records: holding them within secure premises with an alarm system;
- For electronic records: using specialised software designed for storing medical information, encrypting the files to prevent unauthorised access, installing firewalls, anti-virus software, and other cybersecurity measures, and regularly backing up data to prevent loss;
- For paper records: keeping them within a locked cabinet, with access restricted to authorised personnel only, never leaving them unattended or in plain sight, and implementing procedures for safe disposal of outdated or unnecessary records;
- maintaining an access log that records when, and by whom, the records are accessed; and
- using strong, frequently updated passwords for electronic access.
Comprehensive security practices are essential for safeguarding the confidentiality and integrity of sensitive medical records.
How Should I Destroy Medical Records?
If you no longer require medical records, you must securely destroy the information. Alternatively, you can destroy the personal information by removing only the parts that identify the person. However, if you wish to retain de-identified records, you must ensure the de-identification process is thorough and effective, leaving a very low risk of the person being identifiable.
Proper de-identification can be a tedious and time-consuming process. Therefore, if you have no further purpose for the health information, it is often easier and safer to completely destroy the entire record.
To effectively destroy medical records, you should use a reputable commercial service provider experienced in the secure destruction of confidential information. Establish a contractual agreement with the provider, which will legally protect you if they fail to do their job correctly. Once the destruction is complete, keep a record or certificate confirming the successful destruction. You should hold on to this receipt of destruction for as long as possible.
Completely and permanently destroying medical records with personal details is essential to protect patient privacy, prevent data leaks, and comply with legal requirements.
While not a legal requirement in other states and territories, we recommend maintaining a similar register when destroying health records, documenting the individual’s name, the time period covered by the record, and the destruction date.
Key Takeaways
If you run a private medical centre, you have a legal obligation to hold on to medical records for prescribed periods of time. You will also need to keep a record of any destruction of medical records with details of the record that you have destroyed. The Privacy Act sets out your obligations for storage and destruction across Australia, but it is best practice to follow the requirements of the laws in NSW, VIC and the ACT.
If you are uncertain about any of your legal obligations surrounding your patient records, LegalVision provides ongoing legal support for businesses through our fixed-fee legal membership. Our experienced IT lawyers help businesses manage contracts, employment law, disputes, intellectual property, and more, with unlimited access to specialist lawyers for a fixed monthly fee. To learn more about LegalVision’s legal membership, call 1300 544 755 or visit our membership page.
Frequently Asked Questions
The minimum retention period varies by state/territory and patient age. In NSW, VIC, and ACT, healthcare providers must keep records for at least 7 years after the last entry for adults and until patients under 18 reach 25 years old. In other states/territories, authorities recommend that providers follow the same timeframes, though they are not legally required.
Even after the minimum period, keeping records longer is advisable if there’s a risk of legal proceedings. Only destroy records when the purpose for collection has ended, and there is no foreseeable legal need.
You should destroy records securely using professional services and keep proof of destruction. This ensures you meet legal obligations and protect patient confidentiality during disposal.
You should store records securely, such as using encrypted systems or locked facilities. Proper storage protects sensitive health information and helps you comply with privacy laws.