Access to Personal Health Record
Generally, the health service provider who creates a medical record owns that record. This doesn't interfere with your right to access your record, because ownership and access rights are separate.
If your medical records are held by a private sector organisation, such as a doctor in private practice or by a private hospital, as a general rule, you have a right to gain access to all the information held about you.
You may exercise this right in a number of ways (depending on, for example, the sort of information you have asked for, the type of organisation and the way the organisation holds its records) for example:
- looking over the records
- taking a copy of those records with you
- having them explained to you.
In some cases you may need to reach an arrangement about access with the organisation holding the records. Where the information in your records is incorrect, you can ask the organisation to take reasonable steps to correct that information.
There are some limitations on your right of access. These may apply, for example, to:
- information held before 21 December 2001
- where giving access would pose a serious threat to the life and health of anyone
- where refusing access is required by law.
- If your medical records are held by a Commonwealth agency, generally you can have access to those records.
Can I access my health information at a public hospital?
Personal information held by state or territory public hospitals is not covered by the Privacy Act, but may be protected by relevant State and Territory laws.
Australian Privacy Principle (APP) 12 deals with access to personal information (including health information) held by APP entities, but it doesn't set out any requirements for the way a request for access should be made.
This means that individuals can exercise their right to see or to copy their medical records simply by asking the entity holding the records. If the request is a complex one, for example the information comes from a number of different sources, it may be necessary to put the request in writing. An entity may need to establish the identity of the individual making the request for access.
In some cases, an individual may need a representative to assist them in gaining access to their medical record. For instance, an individual may be unable to exercise their access rights because they lack the legal capacity to do so, but their guardian (if they have one) may seek access, if the guardian has the appropriate legal authority.
The Privacy Act doesn't set out any time limits for meeting a request for access to records held by an organisation.
An entity should respond to a request for access to medical records within an appropriate time. What is appropriate will depend on a number of factors which can include:
- the amount of information requested
- the complexity of the organisation's functions and activities; and
- the way the access is to be provided.
The OAIC recommends that a request for access should be processed in no more than thirty days.
Generally, health service providers are required to give a patient access to their health information. However, in some situations, health service providers may refuse to give access, for example, access can be denied when letting a patient see their records would pose a serious threat to the patient's life or health, or the life or health of someone else (such as a relative, the health service provider, staff or other patients).
The threat must be significant, for example where there is a serious risk the patient may cause self-harm or harm to another person if they saw the information.
The threat can be to physical or mental health, but does not need to be imminent — it can be a serious threat that would occur sometime after access is granted.
In some places (such as Victoria and the ACT), state laws may actually require a health service provider to deny access if there is a serious threat to life or health.
If a patient believes they have been unfairly denied access to their medical record, they can make a complaint.
From 21 December 2001 (when the amendments to the Privacy Act came into effect), individuals have a general right of access to information about them that is held by a health service provider.
An individual can also gain access, subject to certain limitations, to health information collected before that date, if the information is being used or disclosed by the provider. Access to such information may be withheld where:
- this would place an unreasonable administrative burden on the provider
- where it would cause unreasonable expense.