Version 1.0, September 2019


Key points

  • Patients have a right to access information you hold about them, unless an exception applies.
  • Generally, you must respond to a patient’s access request within 30 calendar days.
  • You must give access in the manner requested, unless it is unreasonable or impracticable.
  • If you refuse to give access, or refuse to give access in the manner requested, you must:
    • take reasonable steps to give access in a way that meets both your own and the patient’s needs
    • give the patient a written notice setting out the refusal grounds and complaint mechanisms.

Overview of access requirements

The flow chart below sets out the key steps to help you respond to a patient’s access request. Further explanation of each step is included in the text following the chart.

Receiving a request for access

Patients’ access requests can range from a request to access a single document or piece of information, to a request for a copy of an entire record. When responding to a request, you should try to give access in a manner that is as prompt, easy and as inexpensive as possible.

There are no formal requirements for a patient who is making an access request. You can ask a patient to follow a particular procedure (such as filling out a form), but you cannot require this (and in some cases a formal procedure is unnecessary, such as where a patient asks for a copy of pathology results during a consultation). However, developing a simple process may assist both you and your patients when dealing with access requests. Additionally, your privacy policy and privacy notice should set out how patients may access their health information.

You must respond to an access request within a reasonable period. In most cases, a reasonable period will not exceed 30 calendar days from when the patient makes the request.

Verifying the patient’s identity, or a third party’s authorisation

Verifying the patient’s identity

You must ensure that the access request is made by the patient concerned, or by another person who is authorised to make the request on the patient’s behalf (such as a legal guardian).

You should ask the patient for any evidence you may reasonably need to confirm identity. You should not disclose health information if you are not sure of the patient’s identity.

What steps you need to take to verify identity depends on the circumstances. For example, if a regular patient requests access during a consultation, it is unnecessary to verify identity further. However, if you do not know the patient or have any doubt as to identity (for example, where access is requested via telephone), you should take steps to verify identity. It is preferable to simply sight identity documents, rather than make and retain copies.

A child’s parent or legal guardian might seek to access their child’s records.

When considering such requests, you need to consider whether the parent is acting as a representative for the child, or whether the child has the capacity[1] to make the access request on his or her own behalf. If the child does have the capacity, then you should advise the parent or legal guardian that you believe the child has capacity and needs to make the request.

If the child does not have capacity, then you may be able to give access to the parent or legal guardian. However, you need to consider whether giving access to the particular representative is appropriate. You should consider who has care and responsibility for the child, whether there are court orders in place in relation to the care of the child, and whether a parent is unduly influencing a child. You should also consider whether the personal information of other individuals is contained within the records.

Access requests from other representatives

An adult patient who lacks capacity may need a representative (who has legal authority to act on the patient’s behalf) to assist in accessing health information. Alternatively, a patient may simply authorise someone else, such as a partner, family member, carer or close friend, by providing a signed authority. If the representative is authorised to request access on the patient’s behalf, you must give access (unless a refusal ground is available). However, you should first check the identity of the representative and verify that that individual has authority to act on the patient’s behalf.

You should not give access if you are not satisfied the representative has proper authority. However, you could consider whether you can disclose the information under the use and disclosure provisions. For example, you may be permitted to disclose the information where the patient is unable to consent and where the disclosure is necessary for the patient’s healthcare or for compassionate reasons.[2]

Access requests from a third party organisation on a patient’s behalf

A patient may ask you to give a third party organisation access to health information, or you may receive a request for access to a patient’s information from a third party (such as an insurance company or solicitor) on the patient’s behalf, with the patient’s consent.

If the patient asks you to give this information to a third party, you must do so unless there are grounds on which to refuse access.

If you receive the request from a third party, you must only give access to the information if you have the patient’s consent. You must verify the patient’s consent to ensure the access request is being made with the patient’s authority. This includes considering:

  • the nature and scope of the consent:
    • what exactly has the patient consented to?
    • does the scope of the third party’s request match the patient’s consent?
    • is the consent worded in a specific enough manner to allow you to understand what the patient has consented to?
  • whether the consent is current: has the patient recently given consent, or is the third party relying on an undated or prior consent that may no longer reflect the patient’s wishes?
  • whether the patient has said or done anything to indicate consent may have been withdrawn, or that this consent may not have been given.

If you have any doubt about the validity of the consent, you should confirm the patient’s understanding of what consent is being given. In addition, you should carefully consider what the third party is asking you to provide. If they are asking for documents relating to a particular condition, then you should only give access to those documents, not to a broader range of documents or the patient’s entire file. If it is unclear what you are being asked to provide, you could contact the third party to seek clarification.

If you give access when the patient’s consent is not valid, or give access to documents other than those sought, it will be an unauthorised disclosure (unless the disclosure principles allow it).

Locate the requested health information in your records

You are required to give access to health information that you ‘hold’.

You ‘hold’ health information if you have possession or control of a record that contains the health information. This includes information that a third party stores on your behalf but you retain the right to deal with the information.

When responding to an access request, you should search the records that you possess and control, including hard copy records and electronic databases (including emails, calendars, etc.). You should also make enquiries of relevant staff or contractors.

Information received from other providers

Patients are entitled to access the health information you hold about them regardless of who authored particular documents, or who ‘owns’ the record. This means that, unless an exception applies, you must give a patient access to information you hold that you received from other health service providers, such as specialist reports.

Grounds for refusing access

The Privacy Act 1988 (Privacy Act) contains ten grounds on which you can refuse to give access. These are:

  • you reasonably believe that giving access would pose a serious threat to the life, health or safety of any individual, or to public health or public safety
  • giving access would have an unreasonable impact on the privacy of other individuals
  • the request for access is frivolous or vexatious
  • the information relates to existing or anticipated legal proceedings between you and the patient, and would not be accessible by the process of discovery in those proceedings
  • giving access would reveal your intentions in relation to negotiations with the patient in such a way as to prejudice those negotiations
  • giving access would be unlawful
  • denying access is required or authorised by or under an Australian law or a court/tribunal order
  • you have reason to suspect that unlawful activity, or misconduct of a serious nature, that relates to your functions or activities has been, is being or may be engaged in and giving access would be likely to prejudice the taking of appropriate action in relation to the matter
  • giving access would be likely to prejudice one or more enforcement related activities conducted by, or on behalf of, an enforcement body
  • giving access would reveal evaluative information generated within your organisation in connection with a commercially sensitive decision-making process.

The two grounds most likely to arise for healthcare providers are discussed below. For information on the other grounds, see the Australian Privacy Principles (APP) Guidelines Chapter 12; refusing to give access.

If you decide not to give access based on one of the grounds listed above, you are required to take reasonable steps (if any) to give access in a way that meets your needs and the needs of the patient (see Giving access by other means below).

Serious threat

You can refuse to give a patient access to health information if you have reasonable grounds for believing it would pose a serious threat to the life, health or safety of the patient or another person, or to public health or safety.

Example: Refusing access due to serious threat

A psychiatrist treated a patient twice a week over a 10-year period for depression and severe bipolar. After her treatment with the psychiatrist ended, the patient made an access request to the psychiatrist seeking a copy of material that the psychiatrist had provided to the regulator in response to a complaint from the patient.[3]

The psychiatrist is concerned that giving access would cause significant distress to the patient and deterioration of her mental condition such that she would pose a threat to life, health and safety. This concern is based upon the psychiatrist’s intimate knowledge of, and experience with, the patient’s mental health condition, acquired during ten years of treatment.

While the patient has not sought treatment in a year, the patient has had the condition for several decades and, in the psychiatrist’s opinion, it is lifelong and requires ongoing treatment. The illness has previously resulted in serious attempts on her life and multiple hospital admissions. The psychiatrist has observed that the patient’s condition can become serious very quickly in response to trigger events.

Given these concerns and knowledge, the psychiatrist has a reasonable belief that giving access poses a serious threat to the patient. On this basis, the psychiatrist refuses to give access.

Helpful hint: assess the current risk

When considering serious threats, you must assess the risk at the time you are making the decision. On its own, the fact a patient has a history of serious mental illness is not a sufficient basis on which to refuse access. If you no longer treat the patient, or the patient has no recent threats of self-harm, it may not be reasonable to conclude that giving access poses a serious threat.

In the example above, while the psychiatrist was not currently treating the patient, it was reasonable to conclude that a serious threat existed at the time the access decision was being made. This was due to the length of the psychiatrist’s treating relationship with the patient, and the knowledge and conclusions this allowed the psychiatrist to form about the patient’s current state.

Helpful hint: be mindful of access rights when making clinical notes

When you make a clinical record of your interaction with a patient, you should be aware that, if the patient requests it, generally you would need to give the patient access to the notes. Being mindful of this possibility may influence the language you use and the approach you take to recording observations and clinical details. This may be a particularly relevant consideration in the areas of psychiatric and psychological care, but applies to all health service providers.

In some instances, an exception such as the serious threat exception may be genuinely available for you to rely upon to refuse access. However, feeling embarrassed or apprehensive about the patient reading your notes is not a legitimate ground for refusing access.

What if access would threaten the continuation of treatment?

If you believe that giving access would threaten your therapeutic relationship with the patient, and you have reasonable grounds for believing that the relationship breakdown itself would pose a serious threat to someone’s life or health, you could deny access.

Example: Psychiatric care

A psychiatrist reasonably believes that a patient with severe mental illness would be so distressed if she saw the information in her record, that she would leave the psychiatrist’s care and discontinue treatment altogether. The withdrawal from treatment could seriously threaten the patient’s life, health or safety, and potentially that of her family. The psychiatrist could therefore refuse to give access.

However, the psychiatrist could not refuse access if he was only concerned that the patient may be unhappy with the information and might seek treatment elsewhere, or may discontinue treatment but the psychiatrist has no or little reason to believe that this may pose a serious threat.

Unreasonable impact on the privacy of other individuals

You should not give a patient access to health information if it contains another individual’s personal information, and disclosing the information would have an unreasonable impact on that individual’s privacy.

The following factors may be relevant in deciding whether the impact is unreasonable:

  • the nature of the personal information – is it of a confidential nature?
  • the other individual’s reasonable expectations about how the personal information will be handled. For example, if both individuals were present when the information was collected, there may be a reasonable expectation that each individual could later access it
  • the source of the personal information – for example, did the patient requesting access give you the information about the other individual when providing a family history?

If you plan to refuse access on this ground, you should:

  • consider whether you can remove the personal information of the other individual so you can still give the patient access to the rest of the record (though you should take care to ensure the remaining context does not reveal the other person’s identity)
  • ask the other individual whether consent is given to some or all of the information being released. The individual’s view may be relevant but not necessarily determinative. However, before consulting the individual, think about whether this in itself may impact on the privacy of the patient seeking access
  • consider whether you can give access through an intermediary.

Giving access in the manner requested by the patient

Access to health information can be given in a variety of ways, such as:

  • giving an electronic or hard copy of the information
  • letting the patient view the information and take notes
  • giving the information over the phone, such as test results
  • giving the patient an accurate summary of the information
  • allowing the patient to listen to or view the contents of an audio or video recording.

Where a patient requests access in a particular form, you must give access in the manner requested, unless it is unreasonable or impracticable for you to do so.

Whether a particular form of access is reasonable and practicable would depend on factors such as:

  • the volume of information requested: for example, it may be impracticable to give a large amount of health information over the phone, but giving an electronic copy may be viable
  • any special needs of the patient: for example, it may be reasonable to give information in a form that can be accessed via assistive technology where the patient has a vision impairment. You should also consider the level of understanding, language or literacy skills of the patient.

Helpful hint

For providers in NSW, Victoria or the ACT, local legislation may contain specific requirements relating to the form of access. For example, ACT and Victorian legislation gives patients express rights to request to have the information explained, and, when moving to a new provider, to ask their former provider to give their new provider a copy or written summary of their health record. Contact the Information and Privacy Commission NSW, Health Complaints Commissioner (Victoria) or ACT Health Services Commissioner to find out more about any additional requirements.

If a patient’s preferred form of access is unreasonable or impracticable, you must consider other ways of giving access.

Giving access by other means

If you refuse to give access under one of the grounds listed above, or refuse to give access in the manner requested by the patient, you must take reasonable steps to give access in a way that meets your needs and the needs of the requesting patient.

You should talk to the patient to try to agree on a way to satisfy the request.

Some alternatives you could consider are:

  • giving a summary of the information to the patient
  • giving the patient the option of inspecting hard copy records and permitting the patient to take notes
  • giving the information in an alternative format, such as electronically rather than physically
  • facilitating access to the requested information through a mutually agreed intermediary
  • blacking out any health information which you are entitled to refuse access to (such as information that unreasonably impacts on another individual’s privacy) before giving access to the patient.

Using an intermediary

One option for giving access in another way is to use another health service provider as an intermediary. For example, giving a patient access to information through an intermediary might avoid a serious threat that you believe might arise if you give the patient direct access.

You should explain to the patient the role the intermediary will play, what information you will disclose to the intermediary and any costs involved. You and your patient should agree on the process and the intermediary to be used.

Example: considering alternative ways of giving access

After refusing to give access in the example above, the psychiatrist is now required to take reasonable steps (if any) in the circumstances to give access in an alternative way that meets both his own needs and the needs of the patient.

In some circumstances, there may be no reasonable steps that can be taken to meet both parties’ needs. However, even if this is the conclusion, the psychiatrist must at least be able to demonstrate that he has considered whether any reasonable alternatives exist.

In this example, having considered alternative ways of giving access, the psychiatrist decides that the risk of the material posing a serious threat to the patient’s life, health and safety can be managed by giving the patient access through a mutually agreed intermediary.

Helpful hint: intermediaries

Where you refuse access on the basis of the serious threat exception, you may be required under local legislation in NSW, Victoria or the ACT to give access through an intermediary if requested by a patient, or to allow an intermediary to consider whether access should be given. Contact your State or Territory regulator to find out more about any additional requirements.

Will you charge the patient?

You may charge a patient for giving access, provided the charge is not excessive in the circumstances.

Items for which you may charge include staff costs in searching for the requested health information, staff costs in reproducing and sending the health information, costs of postage or materials in giving access, and costs associated with using an intermediary to give access.

When charging fees for time and labour, patients should only be charged at a clerical rate for labour that clerical staff can perform (such as photocopying, printing, collating and posting documents). To the extent that professionals need to play a role, such as reviewing a file before giving access or creating a summary of clinical information, it may be reasonable to charge for time at their professional rate (or a proportion of it).

You could also consider offering cheaper ways of giving access if the patient prefers this, such as letting the patient view the information or giving an electronic copy.

The charge must not be excessive and you must not charge the patient for making the request. How much to charge, and whether a charge is excessive, needs to be considered in each case. This means that flat fees are generally not appropriate. In particular, in determining a charge, you need to consider characteristics of the requester, such as:

  • your relationship with the patient
  • known financial hardship factors affecting the patient
  • known adverse consequences for the patient if access to the information is not gained.

A fee that may be appropriate for a patient who works full time may be excessive if imposed on a patient who receives a pension. In such cases, you should consider reducing or waiving any charge.

Whether a charge is excessive also depends on the nature of your practice, including its size, resources and functions, and the nature of the health information held.

Further examples of excessive charges include:

  • a charge that exceeds the actual cost incurred by you in giving access
  • a charge associated with getting legal or other advice in deciding how to respond to a request
  • a charge for consulting with the patient about how access is to be given.

You must not impose a charge to discourage a patient from requesting access to their health information. You should clearly communicate and explain to the patient any charge you plan to impose, before access is given. You should invite the patient to discuss options for altering the request to minimise any charge. This may include options for giving access in another manner that meets both your and the patient’s needs.

Example: imposing a charge

In the above example, the psychiatrist has incurred costs in giving the patient access. These costs include engaging another psychiatrist as an intermediary, and copying and sending the material to that psychiatrist.

The psychiatrist is aware that the patient has had difficulty maintaining employment due to her mental health condition, and receives a pension. Given the patient’s personal circumstances, it would be excessive to charge the patient the full cost of giving access.

The psychiatrist therefore discusses with the patient options for altering the request to minimise costs. The patient decides she does not need access to the second opinion reports that were included in the material, and this alteration reduces the cost of copying and sending the material. While the psychiatrist still decides to impose a fee, the psychiatrist decides to waive the remaining copying and postage costs, and to share the cost of engaging the intermediary.

Helpful hint

Providers in Victoria and the ACT should be aware that the Health Records Regulations 2012 (Vic) and Health Records (Privacy and Access) Act 1997 (ACT) limit the charges that can be imposed for giving access and for transferring information to another health service provider. Contact your State or Territory regulator to find out more about any additional requirements.

Giving written notice

If you refuse to give access, or refuse to give access in the manner requested by the patient, and you cannot agree on an alternative form of access, you must give the patient a written notice setting out:

  • the reasons why you have refused access, or refused to give access in the manner requested (except to the extent it would be unreasonable to do so)
  • how the patient may make a complaint about your decision, how you will deal with the complaint and any information about external complaint avenues (such as the OAIC).

If you are refusing to give access in the manner requested by the patient, and you have not reached agreement on an alternative form of access, it can be useful for your written notice to set out the other ways in which you are willing to give access.

Example: Giving written notice

In the above example, if:

  • the psychiatrist had continued to refuse to give access (having taken reasonable steps to consider alternative ways of giving access), or
  • the patient had not agreed to receive access through an intermediary,

the psychiatrist would be required to give the patient a written notice.

The notice must set out the reasons why the psychiatrist is refusing access (except to the extent it would be unreasonable to do so), and how the patient can complain about the refusal (including how they can complain to the provider, and the subsequent external complaint options including to the OAIC).

In some instances, explaining the reason for refusal could be unreasonable, such as where even indicating that access poses a serious threat might in itself create a serious threat. However, in most situations, it would likely be possible to give some explanation of the reasons for refusal because the patient would normally have a general awareness of the content of the documents they are seeking to access, even if care needs to be taken in how that explanation is phrased.

Long text descriptions

Flowchart: Access request received

1 Access request received. Can you verify the individual's identity?

  • No: Do not disclose personal information. End.
  • Yes: Continue to 2.

2 Can you locate the requested personal information?

  • No: Provide written notice to individual. End.
  • Yes: Continue to 3.

3 Is there a reason to deny access?

  • No: Continue to 4.
  • Yes: Continue to 5.

4 Can access be provided in the manner requested?

  • No: Continue to 5.
  • Yes: Continue to 6.

5 Can access be given by other means?

  • No: Provide written notice to individual. End.
  • Yes: Continue to 6.

6 Decide if you will charge for access. Provide access. End.



[1] For information about assessing a child’s capacity, see Chapter 7.

[2] For more information, see Chapter 7.

[3] This case study is adapted from a determination made by the Australian Privacy Commissioner in June 2017 (‘LS’ and ‘LT’ (Privacy) [2017] AICmr 60).