Australian Government - Office of the Australian Information Commissioner

Business resource: Access to health information by health service providers

This is a draft business resource. The OAIC conducted a public consultation on a suite of new draft health privacy guidance resources for health service providers and consumers in late 2015. Those resources are currently being finalised.


This business resource explains the requirements under Australian Privacy Principle (APP) 12 in the Privacy Act 1988 (Cth) (Privacy Act) to give patients access to their health information.[1] APP 12 requires you to give access on request, unless an exception applies. This resource is part of a series that outlines what private sector health service providers need to know about handling their patients’ health information. Some of the key health privacy terms used are explained in Business resource — Key health privacy concepts, while other terms are explained in the Australian Privacy Principles Guidelines.

Processing and responding to access requests

Access requests could range from a request for a single document or piece of information to a request for a copy of the patient’s entire record.

When responding to an access request, you should try to provide access in a manner that is as prompt, easy and inexpensive as possible. You can decide how you will process access requests; however, any procedures must meet the minimum access requirements in APP 12 and should facilitate access.

APP 12 requires you to give a patient access to their personal information ‘on request’. The APPs do not require access requests to be made in writing. Your organisation’s APP 1 privacy policy[2] must state how patients can access their personal information. When you collect a patient’s health information[3], you must take reasonable steps to ensure they are aware of this (APP 5.2(g)).[4]

Responding to access requests

You must address access requests within a reasonable period.[5] What is reasonable depends on factors such as the scope and clarity of the request, whether the information can be readily located and assembled, and whether consultation with the patient or other parties is required.[6] However, in most cases a reasonable period will be 30 calendar days or less.

Identifying the individual

You must ensure the access request has been made by that patient or by someone who is authorised to request access on their behalf,[7] such as a legal guardian or another authorised person.[8]

Your organisation should implement robust identity verification procedures when giving access to health information. What steps are appropriate depends on the circumstances. For example, if a patient who is well known to you requests access during a consultation, it will be unnecessary to further verify their identity. If you do not know the patient or there is any doubt as to their identity, you should verify it. See the APP guidelines ‘Verifying an individual’s identity’.

Giving access

Access to personal information can be provided in a variety of ways, such as:

  • providing a copy of the information as an electronic record or hard copy, such as an electronic copy of an x-ray or a photocopy of a paper record
  • letting the patient view the information and letting them take notes
  • giving the information over the phone, for example test results
  • giving the patient an accurate summary of the information, if this may be helpful[9]
  • allowing the patient to listen to or view the contents of an audio or video recording

Where a patient requests access in a particular form, you must provide access in the manner requested, if this is reasonable and practicable.[10] Whether a particular form of access is reasonable and practicable would depend on factors such as:

  • The volume of information requested: for example, if a patient wants access to a large report you could consider providing an electronic copy.
  • Any special needs of the patient: for example, it may be reasonable to give information in a form that can be accessed via assistive technology where the patient has a visual impairment. You should also consider the level of understanding, language or literacy skills of the patient when providing access.

If the patient’s preferred form of access is unreasonable or impracticable, you should consider other ways of giving access. See ‘Take reasonable steps to give access by other means’ below.

If a patient wants a copy of their entire record, for example if they are relocating, they may be happy for you to simply transfer the record to another provider. However, if they prefer to receive a copy of the information directly, they have the right to access this, unless an exception under APP 12 applies.

Compliance tip

For providers in NSW, Victoria or the ACT, local legislation may contain specific requirements relating to the form of access. For example, ACT and Victorian legislation gives patients express rights to request to have the information explained, and, when moving to a new provider, to ask their former provider to give their new provider a copy or written summary of their health record. Contact the NSW Information and Privacy Commission, Office of the Health Services Commissioner Victoria, or ACT Health Services Commissioner to find out more about any additional requirements.

Access charges

You can charge patients a reasonable fee for providing access to their personal information. Access charges should not discourage patients from requesting access. At the same time, the cost of giving access should not create an unreasonable burden on your organisation. You can help minimise fees by implementing systems and processes to make access easy for both parties.

You are not required to charge for giving access, and you should consider waiving or reducing any charge. Consider offering cheaper ways of granting access, such as letting the patient view the information, providing an electronic copy or providing a summary (if this is a cheaper option).

Any fee must not be ‘excessive’, that is, it should simply recover reasonable costs, and you must not charge the patient for the making of the request (APP 12.8). What is an ‘excessive charge’ depends on the nature of your organisation, including its size, resources and functions, and the nature of the personal information requested. Examples of charges that may be considered excessive are:

  • a charge that exceeds the actual cost incurred by your organisation in giving access
  • a charge associated with obtaining legal or other advice regarding the patient’s request
  • a charge for consulting with the patient about how access is to be given
  • a charge that reflects shortcomings in your organisation’s information management systems
  • a charge that has not taken into account the patient’s circumstances (for example, that not obtaining access will affect their ongoing healthcare) and capacity to pay.

You may charge patients for reasonable costs incurred for giving access to their personal information. The fee could include costs of resources, time and labour, but should not exceed the actual costs. For example, you could charge for:

  • staff costs in searching for, locating and retrieving the requested personal information, and deciding what information to provide to the patient
  • staff costs in reproducing and sending the personal information
  • costs of postage or materials involved in giving access
  • professional costs, for example if it is necessary for you to review a file before releasing the information or costs involved in having you explain information to a patient
  • costs associated with using an intermediary.

When charging fees for time and labour, patients should be charged at a clerical rate for labour that clerical staff can perform (such as photocopying, printing, collating and posting documents). To the extent that a health professional needs to play a role, it may be reasonable to charge for time at their professional rate (or a proportion of it).

When providing access you should:

  • clearly explain any likely fees before access is given. The patient is not required to give reasons for requesting access. However, discussing the type of information the patient seeks and any likely charges with them can help to minimise costs and meet their needs. You should also invite the patient to discuss options for altering the request to minimise any charge.
  • not include any outstanding bills, such as consultation fees, in the access charges.

Compliance tip

For providers in Victoria and the ACT, the Health Records Regulations 2012 (Vic) and Health Records (Privacy and Access) Act 1997 (ACT) prescribe maximum fees for providing access and for transferring information to another health service provider. Contact your state or territory regulator to find out more about any additional requirements.

Situations where access can be refused

Under APP 12, a patient has the right to access all the personal information you hold about them unless an exception applies. APP 12.3 lists ten exceptions where you can refuse to give access to personal information. Nevertheless, if one of these exceptions applies, you can still choose to provide access unless disclosure is prohibited. When relying on any of these exceptions you must take reasonable steps to give the patient access by other means and give them a written notice (see below).

A patient’s right to access their personal information applies regardless of who authored particular documents or who ‘owns’ the record (unless giving access to that information is unlawful, or one of the other exceptions below applies). This means that you are generally required to provide a patient with access, on request, to information about them that you receive from other health service providers, such as specialist reports.

Giving access would pose a serious threat to the life, health or safety of any individual or to public health or public safety (APP 12.3(a))

You can refuse to give a patient access to their personal information if you have reasonable grounds for believing that doing so would pose a serious threat to the life, health or safety of that patient or another person[11], or to public health or safety.[12]

What is a serious threat?

A ‘serious’ threat to life, health or safety is one that poses a significant danger to an individual, individuals or the public. It could involve harm to physical or mental health and safety, and could include a potentially life-threatening situation or one that might reasonably result in other serious injury or illness.

When deciding whether a threat is serious, you should consider both the likelihood of it occurring and the severity of the resulting harm if it eventuates. A threat that may have dire consequences but is highly unlikely to occur would not normally be a serious threat. However, a potentially harmful threat that is likely to occur, but at an uncertain time, may be a serious threat.

Example: History of self-harm or violent behaviour

You may have reasonable grounds to believe that giving a patient access to their personal information would pose a serious threat to their safety or the safety of others, if the patient has a history of self-harm or violent behaviour, or where a diagnosed condition is known to have a higher probability of such behaviour, and accessing the information could be expected to provoke such a response.

Compliance tip

Where you are denying access on the basis of the serious threat exception, you may be able to provide access through the use of a mutually agreed intermediary if you decide this does not pose a similar threat (see ‘Using an intermediary’ below). If you practise in NSW, Victoria or the ACT, you may be required under local legislation to provide access through an intermediary if requested by a patient, or to allow an intermediary to consider whether access should be provided. Contact your state or territory regulator to find out more about any additional requirements.

What if access would threaten the therapeutic relationship?

Under APP 12.3(a) you could deny access that would threaten the therapeutic relationship, if you had reasonable grounds to believe that the relationship breakdown itself would pose a serious threat to someone’s life or health.

Example: Psychiatric care

A psychiatrist reasonably believes that a patient with severe mental illness would be so distressed if they saw the information in their record that they would leave the psychiatrist’s care and discontinue treatment altogether. The withdrawal from treatment could seriously threaten the patient’s life, health or safety, and potentially that of their family. The psychiatrist could therefore refuse to provide access under APP 12.3(a).

However, the psychiatrist could not deny access if they were simply concerned that the patient may be somewhat distressed by or unhappy with the information, which could cause them to seek treatment elsewhere. Likewise, access could not be denied where the patient may discontinue treatment but the psychiatrist has little or no reason to believe that this would pose a serious threat to anyone.

Giving access would have an unreasonable impact on the privacy of other individuals (APP 12.3(b))

You should not give a patient access to their personal information if the information contains personal information about another individual or individuals, and disclosing this information would have an unreasonable impact on the privacy of that other individual or those individuals. This could include a record of the patient’s opinions or views. The following factors may be relevant:

  • the nature of the other individual’s personal information, for example if it is of a confidential nature
  • the other individual’s reasonable expectations about how their personal information will be handled. For example, if both individuals were present when the information was collected, there may be a reasonable expectation that each individual could later access it (however there may not be a reasonable expectation if you are aware that there is now conflict between those individuals)
  • the source of the personal information, for example if the patient requesting access gave you the information about the other individual.

If you deny access under APP 12.3(b), it is a good idea to take steps such as:

  • considering whether you can remove the personal information of the other individual so you can still give the patient access to the rest of their record. If you do so, take care to ensure the remaining context does not reveal the other person’s identity
  • asking the other individual whether they consent to some or all of the information being released. Their view may be relevant but not necessarily determinative. However, before consulting them, think about whether this in itself may impact on the privacy of the patient seeking access
  • considering whether you can provide access through an intermediary (see below).

The request for access is frivolous or vexatious (APP 12.3(c))

You can deny access if there is a clear basis for concluding that the request is frivolous or vexatious. Examples of requests that may be treated as frivolous or vexatious are:

  • repeated requests for access to personal information that has already been provided
  • a request that contains unreasonable or abusive language, or that does not appear to be a genuine request for personal information
  • a repeat request for personal information that your organisation has earlier explained to the patient it does not hold, has been destroyed, or cannot be located after a reasonable search
  • a request made for the apparent purpose of harassing or intimidating staff, or interfering unreasonably with your organisation’s operations.

Other situations where access can be refused

The other exceptions under APP 12 allow you to deny access where:

  • the information requested relates to existing or anticipated legal proceedings (APP 12.3(d))
  • giving access would prejudice negotiations between the organisation and the individual (APP 12.3(e))
  • giving access would be unlawful (APP 12.3(f))
  • denying access is required or authorised by law or a court/tribunal order (APP 12.3(g))
  • giving access would likely prejudice the taking of appropriate action in relation to suspected unlawful activity or serious misconduct (APP 12.3(h))
  • access would be likely to prejudice an enforcement-related activity conducted by, or on behalf of, an enforcement body (APP 12.3(i))
  • access would reveal evaluative information in connection with a commercially sensitive decision-making process (APP 12.3(j))

For information about when these exceptions may apply, see the APP guidelines, Chapter 12, Refusing to give access under APP 12 — organisations.

What to do where access is refused, or not given in the manner requested

If you refuse to give access for one of the permitted reasons listed above, or you refuse to give access in the manner requested, you must:

  • take reasonable steps to give access by other means and
  • give the patient a written notice.

Take reasonable steps to give access by other means

You should talk to the patient to try to work out another way of providing access that meets both parties’ needs and that provides them with as much information as possible. This should be done within 30 days where practicable. Other ways of providing access could include:

  • giving the patient access to some of the information, blocking out the information which may be refused under APP 12
  • giving the patient a summary of the information, excluding the information which may be refused under APP 12
  • letting the patient view the information and take notes
  • providing the information in an alternative format, such as electronic rather than hard copy
  • facilitating access through a mutually agreed intermediary (see below).

Using an intermediary

An intermediary facilitates access to personal information where access would otherwise be refused under APP 12. You could use an intermediary if, for example, you reasonably believed that direct access may lead the patient to self-harm but access through an intermediary may not pose a similar threat.

You should explain the process to the patient, the type of access that will be provided, the extent to which their personal information will be disclosed to the intermediary and any costs involved. You and your patient should agree on the process and the intermediary to be used. The intermediary would generally be another health service provider.

Give the patient a written notice

If you refuse to provide access or to provide access in the manner requested, you must give the patient a written notice (even if you provide access by other means with the patient’s agreement). The notice should set out the following:

1. The reasons why you are refusing to provide access, or access in the manner requested

The notice should explain why you are refusing to provide access or to provide access in the manner requested.[13]

Where applicable, the notice should also explain why it is not reasonable for you to take steps to give access by other means in the circumstances.

The notice could also set out any steps that may be taken by the patient that would mean that access would not be refused, for example, by re-framing or narrowing the scope of the request.

You do not have to provide reasons to the extent that this would be unreasonable given the grounds for refusal. However, this would only apply in justifiable circumstances, for example if giving reasons would itself pose a serious threat to a person’s life, health or safety, or would have an unreasonable impact on the privacy of others.

2. How the patient can make a complaint

You should tell the patient about the internal and external complaint options, and the steps that should be followed. The notice should advise the patient:

  • about your organisation’s complaint procedures
  • that the organisation should be given a reasonable time (usually 30 days) to address the complaint
  • that they can make a complaint to the Office of the Australian Information Commissioner.

The information provided in this resource is of a general nature. It is not a substitute for legal advice.


[1] For further information about your obligations see the APP guidelines, Chapter 12: APP 12 — Access to personal information.

[2] For further information see Chapter 1: APP 1 — Open and transparent management of personal information.

[3] The meaning of ‘health information’ is discussed in more detail in the overview resource of this series. Generally, all personal information collected in the course of providing a health service is ‘health information’ under the Privacy Act.

[4] For further information see Chapter 5: APP 5 — Notification of the collection of personal information.

[5] APP 12.4(a)(ii)

[6] For example, if you need to clarify the scope of the request with the individual, or you need to seek legal and other third-party advice.

[7] In such cases you must verify that the patient has authorised this person to act on their behalf.

[8] If the information is disclosed to another party this disclosure may not be permitted under APP 6. Under APP 11.1 organisations must take reasonable steps to protect their records of personal information from misuse, interference and loss, as well as unauthorised access, modification or disclosure. For more information see APP guidelines, Chapter 11: APP 11 — Security of personal information.

[9] This could be offered in addition to or instead of a copy of the complete record, if the patient wants to receive the information in this way. However you are not obliged to re-format or summarise the material in response to an access request.

[10] APP 12.4(b)

[11] Such as the treating practitioner, relatives, staff or other patients.

[12] Such as a threat to harm members of the public at random.

[13] APP 12.10 states that if you are relying on the commercially sensitive decision exception in APP 12.3(j), the written notice may provide an explanation for the commercially sensitive decision. See ‘Giving access would reveal evaluative information in connection with a commercially sensitive decision-making process (APP 12.3(j))’ above.