Australian Government - Office of the Australian Information Commissioner - Home

Business resource: Correction of health information by health service providers

This is a draft business resource. The OAIC conducted a public consultation on a suite of new draft health privacy guidance resources for health service providers and consumers in late 2015. Those resources are currently being finalised.

This business resource explains the requirements under Australian Privacy Principle (APP) 13 in the Privacy Act 1988 (Cth) (Privacy Act) to correct a patient’s health information.[1] This resource is part of a series that outlines what private sector health service providers need to know about handling their patients’ health information. Some of the key health privacy terms used are explained in Business resource — Key health privacy concepts for health service providers, while other terms are explained in the Australian Privacy Principles Guidelines.

When to correct personal information

APP 13 requires you to take reasonable steps to correct personal information you hold about a patient if it is inaccurate, out-of-date, incomplete, irrelevant or misleading, having regard to the purpose for which it is held.

This requirement applies where:

  • you are satisfied the information is inaccurate, out-of-date, incomplete, irrelevant or misleading, independent of any request from a patient, or
  • a patient requests you to correct the information.

APP 13 requirements complement the requirements in other APPs, including APP 10. APP 10 requires you to take reasonable steps to ensure the quality of the personal information you collect, use or disclose. Taking reasonable steps to comply with APP 10 reduces the likelihood that personal information needs correction under APP 13. Similarly, correcting information under APP 13 assists your compliance with APP 10. See APP guidelines Chapter 10: APP 10 — Quality of personal information.

When is information ‘incorrect’?

You must correct the personal information you hold when it is inaccurate, out-of-date, incomplete, irrelevant or misleading (‘incorrect’). As the explanations below indicate, there is considerable overlap in the meaning of these terms. Whether personal information is incorrect depends on the context and the purpose for which the information is held. For example, information held for multiple purposes may be incorrect with regard to one purpose, but not another.

When making corrections, it may be appropriate to keep the original incorrect records and details that reflect the record prior to the time of corrections, as evidence that the change was made and when it was made. However, it should be made clear to those inspecting the patient file or database that these records are incorrect.

Inaccurate

Personal information is inaccurate if it contains an error or defect. Examples are incorrect personal details about a patient, or recording the wrong condition due to transcription error.

A record of your opinion or a third party’s opinion about a patient is not inaccurate simply because a patient disagrees with it. The opinion may be ‘accurate’ if it is presented as an opinion and not objective fact, accurately records the view, and takes into account competing information and views.

Out-of-date

Personal information is out-of-date if it contains facts, opinions or other information that is no longer current.

Personal information about a past event may have been accurate at the time it was recorded, but has been overtaken by a later development. Whether that information is out-of-date depends on the purpose for which it is held. If current information is required for the particular purpose, the information is to that extent out-of-date. For example, where a patient was previously prescribed a medication that they no longer take, a list of the patient’s current medications that still includes that medication would be out-of-date.

By contrast, if information from a past point in time is still required for a particular purpose, the information may not be out-of-date for that purpose. For example, you may be required to retain the old information for a patient’s ongoing healthcare, or under legal or professional obligations. In this case the old information should be recorded in such a way that makes it clear it is out-of-date.

However, if you hold personal information that is no longer needed for any purpose, it may need to be destroyed or de-identified under APP 11.2.[2]

Incomplete

Personal information is incomplete if it presents a partial or misleading picture, rather than a true or full picture, having regard to the purpose for which the information is held. For example, a patient visits a physiotherapist for treatment for shoulder pain. During the consultation the patient advises the physiotherapist that they had dislocated their shoulder a year ago; however, the physiotherapist does not note this information in the patient’s record, so the record is incomplete.

Irrelevant

Personal information is irrelevant if it does not have a bearing on or connection to the purpose for which it is held.

Misleading

Personal information is misleading if it conveys a meaning that is untrue or inaccurate or could lead a user, receiver or reader of the information into error. An example of misleading information might be where a record states that a patient has coeliac disease; however, no formal diagnosis has been made and this information is simply the practitioner’s opinion of the likely diagnosis based on the patient’s symptoms and family history.

If a patient challenges an opinion or diagnosis in their record, you may amend the information if it is misleading. However, there may be important medical and legal reasons for retaining a complete record. In this case, it may be appropriate to attach comments to the record noting the correct information, rather than permanently erasing the original details. It is a good idea to explain this to the patient and to try to find a way of recording the information that meets the needs of both parties. In exceptional circumstances it may be appropriate to delete the information, if there are greater risks in leaving it on the record, but you should consider the potential legal or medical implications of doing so.

Correcting information on your own initiative

You are required to take reasonable steps to correct personal information you hold if you are satisfied, having regard to a purpose for which the personal information is held, that it is incorrect.

You are not required to check personal information you hold continually; however, you should be alert to the possibility that it may be incorrect and require correction. You may become aware information is incorrect in a variety of ways, for example where there is an inconsistency with other information; you are informed by another party that it is incorrect; or through practices, procedures or systems implemented in compliance with APP 1.2 that detect incorrect information.[3]

Correcting information at the patient’s request

If a patient asks you to correct personal information you hold about them, you must decide if you are satisfied that the information is incorrect, and if so, take reasonable steps to correct it.

Your organisation’s APP privacy policy[4] must state how a patient can make a correction request. When you collect their personal information, you must take reasonable steps to ensure they are aware of this (APP 5.2(g)).[5] You can decide how you will process requests; however, any procedures should facilitate the correction of personal information.

You must ensure that any correction request is made by that patient or someone who is authorised to make it on their behalf, such as a legal guardian or another authorised person. See the APP guidelines ‘Verifying an individual’s identity’.

You must respond to the patient’s request within a reasonable period (APP 13.5(a)), generally within 30 calendar days. You must respond by either correcting the information or notifying the patient of your refusal to do so.

You cannot charge the patient for requesting their information be corrected, for correcting the information, or for associating a statement with the information (APP 13.5(b) — see below).

Reasonable steps to correct personal information

The obligation under APP 13 is to take ‘reasonable steps’ to correct the personal information that you hold if you are ‘satisfied’ that it is incorrect. In some cases the need for correction will be clear without having to take further action. However, in some cases you may need to take steps to verify that the information is incorrect, for example by seeking further information from the patient or checking your own records and other readily available sources. Where personal information is held for multiple purposes, you need only be satisfied that the personal information requires correction for one, not all, of those purposes. For details see the APP guidelines, Chapter 13, Being satisfied.

Reasonable steps to correct personal information could include making appropriate additions, deletions or alterations to information, or not correcting the information if it would be unreasonable to do so. In some cases, it may be appropriate to destroy or de-identify the information (see information that is ‘Out-of-date’ above).

More rigorous steps may be required for correcting health information.[6] What constitutes ‘reasonable steps’ depends on other factors such as the risk of adversity to the patient if correction is not made; the practicability of correcting the information; the purpose for which the information is held; and any legal record-keeping requirements. For more details see the APP guidelines, Chapter 13, Reasonable steps to correct.

Compliance tip

For practitioners in NSW, Victoria and the ACT, local legislation may contain more specific requirements for the correction of personal information. Practitioners in other states and territories may wish to also adopt these practices as a matter of best practice. For example:

  • If you are a practitioner in Victoria or the ACT and consider that leaving incorrect information on a patient’s record could result in harm, you may be required to place the incorrect information on a separate record. This record should not be generally available to other persons providing health services to the patient.
  • Practitioners in Victoria may be required under local legislation to record the name of the person who made a correction to personal information, and the date it was made.
  • Practitioners in Victoria, where they are legally permitted to delete incorrect health information, may be required under local legislation to make a written record of the name of the individual to whom the health information related, the period covered and the date the information was deleted.

Contact the Office of the Health Services Commissioner Victoria, the ACT Health Services Commissioner or NSW Information and Privacy Commission to find out more about any additional requirements.

Notifying third parties of the correction

If you correct health information that you have previously disclosed to a third party,[7] and the patient asks you to notify that third party of the correction, you must take reasonable steps to do so, unless this is impracticable or unlawful (APP 13.2). When you correct information, you should inform the patient that they can ask you to notify third parties.

What are ‘reasonable steps’ also depends on other factors such as:

  • the risk of adversity to the patient, for example if the information is clinically significant
  • the nature of the correction, for example if the incorrect information is likely to impact on treatment by a third party
  • the length of time since the information was disclosed, for example if the information is very old a third party may be less likely to rely on the information
  • the likelihood of it being used or disclosed again by a third party
  • the practicability of notifying a particular third party.

For further information see the APP guidelines, Chapter 13, Taking reasonable steps to notify another APP entity.

What to do when refusing to correct information

If a patient asks you to correct their personal information and you refuse (for example, because you are satisfied the information is correct), you must give them a written notice and, if the patient requests it, associate a statement with their record.

Give the patient a written notice

Under APP 13.3 the written notice must set out:

  • the reasons why you are refusing to correct the information (unless it is unreasonable to do so)
  • how the patient can make a complaint.

For further information see the APP guidelines, Chapter 13, Giving written notice where correction is refused.

Take reasonable steps to attach a correction statement to the information

The patient can also ask you to associate a statement with the information stating that they believe the information is inaccurate, out-of-date, incomplete, irrelevant or misleading and you must take reasonable steps to do so (APP 13.4). What are reasonable steps depends on factors such as whether the information is stored in hard copy or electronic form; the practicability of associating a statement; and whether the content may be irrelevant, defamatory, offensive, abusive or breach another individual’s privacy.

You should advise the patient that they have the right to request a correction statement. If the patient asks you to attach a statement, you must do so in a way that makes it apparent to users of the information and associate it with all records containing the disputed information. For further information see the APP guidelines, Chapter 13, Taking reasonable steps to associate a statement.

The information provided in this resource is of a general nature. It is not a substitute for legal advice.

Footnotes

[1] For further information about your obligations see the APP guidelines, Chapter 13: APP 13 — Correction of personal information.

[2] See the APP guidelines, Chapter 11, Taking reasonable steps to destroy or de-identify personal information.

[3] For further information see the APP guidelines, Chapter 1: APP 1 — Open and transparent management of personal information, ‘Implementing practices, procedures and systems to ensure APP compliance’.

[4] For further information see the APP guidelines, Chapter 1: APP 1 — Open and transparent management of personal information.

[5] For further information see the APP guidelines, Chapter 5: APP 5 — Notification of the collection of personal information.

[6] The meaning of ‘health information’ is discussed in more detail in the overview resource of this series. Generally, all personal information collected in the course of providing a health service is ‘health information’ under the Privacy Act.

[7] This applies to third parties covered by the APPs. This includes all private sector health service providers and Australian government agencies. However it would be best practice to inform other third parties. For further information see the APP guidelines, Who is covered by the APPs?