Skip to main content
Skip to secondary navigation
Australian Government - Office of the Australian Information Commissioner - Home

Access to health information in the private health sector

Who owns my medical records?

Generally, the health service provider who creates a medical record owns that record. This doesn't interfere with your right to access your record, because ownership and access rights are separate.

Back to Contents

Can I get access to my medical records?

If your medical records are held by a private sector organisation, such as a doctor in private practice or by a private hospital, as a general rule, you have a right to gain access to all the information held about you.

You may exercise this right in a number of ways (depending on, for example, the sort of information you have asked for, the type of organisation and the way the organisation holds its records) for example:

  • looking over the records
  • taking a copy of those records with you
  • having them explained to you.

In some cases you may need to reach an arrangement about access with the organisation holding the records. Where the information in your records is incorrect, you can ask the organisation to take reasonable steps to correct that information.

There are some limitations on your right of access. These may apply, for example, to:

  • where giving access would pose a serious threat to the life and health of anyone
  • where refusing access is required by law.

If your medical records are held by a Commonwealth agency, you also have a right to access those records, unless the agency is required or authorised to refuse access to that information under the Freedom of Information Act 1982 or another Commonwealth law.


If you believe you have been unfairly denied access to your medical record, you can make a complaint.

Can I access my health information at a public hospital?

Personal information held by state or territory public hospitals is not covered by the Privacy Act, but may be protected by relevant State and Territory laws.

Back to Contents

How can I make a request for access to my medical records?

Australian Privacy Principle (APP) 12 in the Privacy Act deals with access to personal information (including health information). However, it doesn't set out any requirements for the way you should make an access request.

This means you can request access to your medical records simply by asking the health service provider holding the records. If the request is a complex one, for example the information comes from a number of different sources, it may be necessary to put the request in writing. Your health service provider may need to establish your identity before providing you with access.

Back to Contents

Can my health service provider give my representative access to my medical records?

In some cases, an individual may need a representative to assist them in gaining access to their medical record. For instance, an individual may be unable to exercise their access rights because they lack the legal capacity to do so, but their guardian (if they have one) may seek access, if the guardian has the appropriate legal authority.

Back to Contents

How much time can an organisation take to meet my request for my medical records?

The Privacy Act doesn't set out any time limits for meeting a request for access to records held by an organisation.

Health service providers should respond to a request for access to medical records within an appropriate time. What is appropriate will depend on a number of factors which can include:

  • the amount of information requested
  • the complexity of the organisation's functions and activities; and
  • the way the access is to be provided.

The OAIC recommends that a request for access should be processed in no more than thirty days.

Back to Contents

Can a health service provider refuse to give me access to my medical records because it would pose a threat to either my, or somebody else's, life or health?

Generally, health service providers are required to give you access to your health information. However, in some situations, health service providers may refuse to give access. For example, health service providers can deny access if they reasonably believe letting a patient see their records would pose a serious threat to the patient's life, health or safety, or the life, health or safety of someone else (such as a relative, the health service provider, staff or other patients).

The threat must be significant, for example where there is a serious risk the patient may cause self-harm or harm to another person if they saw the information.

The threat can be to physical or mental health or safety, but does not need to be imminent — it can be a serious threat that could occur sometime after access is granted.

In some places (such as Victoria and the ACT), state laws may actually require a health service provider to deny access if there is a serious threat to life or health.

Back to Contents

Further information

For further information for individuals on health information, including right of access to medical records, see Resources on health for individuals

Back to Contents