Version 1.0, September 2019
- You must take reasonable steps to make sure the health information you hold is correct (given the purpose for which you hold it).
- This requirement applies where:
  - the patient requests that you correct the information
  - you otherwise become aware that health information you hold is incorrect.
- Generally, you must respond to a patient’s correction request within 30 days.
- If you refuse to correct information, you must give notice to the individual.
When do you need to correct health information?
You must take reasonable steps to correct health information you hold about a patient if:
- you are satisfied the information is incorrect, or
- a patient asks you to correct the information.
Health information is ‘incorrect’ if, given the purpose for which you hold it, it is:
Inaccurate: Health information is inaccurate if it contains an error. An example is incorrect personal details held about a patient.
Your medical opinion is not inaccurate just because a patient disagrees with it. Your opinion may be ‘accurate’ provided you present it as an opinion, it accurately records your view, and it takes into account competing information and views.
Out-of-date: Health information is out-of-date if it is no longer current.
Health information may be out-of-date for some purposes but not others. For example, the fact your patient previously took a medication is out-of-date for the purposes of a current medications list. However, that same fact may not be out-of-date for the purposes of maintaining the patient’s medical record in accordance with your professional obligations.
Incomplete: Health information is incomplete if it presents a partial or misleading picture, rather than a true or full picture. For example, a physiotherapist’s record for a patient seeking treatment for shoulder pain is incomplete if it fails to note that the patient suffered a prior shoulder dislocation.
Irrelevant: Health information is irrelevant if it does not have a bearing on or connection to the purpose for which it is held.
Misleading: Health information is misleading if it conveys a meaning that is untrue or inaccurate.
Overlap with other privacy obligations
In addition to correction obligations, the Privacy Act 1988 (Privacy Act) also requires you to take reasonable steps to ensure the quality of the health information you collect, use or disclose. ‘Quality’ of information refers to its accuracy, completeness, relevance, and whether it is current. Taking reasonable steps to ensure the quality of health information reduces the likelihood of information needing correction. Similarly, by taking reasonable steps to correct health information, you are helping to meet your obligations to ensure the quality of the health information you hold.
An example of a step you can take to help ensure the quality of the information you hold is to periodically ask patients to confirm their details and emergency contact information.
Correcting information on your own initiative
You are required to take reasonable steps to correct the health information you hold if you are satisfied that it is incorrect.
This requirement means that you should be alert to the possibility that health information you hold may be incorrect and require correction. Examples of when you may become aware that information you hold is incorrect include where you notice inconsistent information, where you are told by another party, and where practices, procedures or systems implemented in compliance with Australian Privacy Principle (APP) 1.2 detect incorrect information.
Dealing with a patient’s correction request
The flow chart below sets out the key steps to help you respond to a request from a patient for correction of health information. Each step is explained further below the chart.
Receiving a correction request
You must respond to the patient’s correction request (either by correcting the information or notifying the patient of your refusal to do so) within a reasonable period after the request is made. In most cases, a reasonable period will not exceed 30 calendar days.
You cannot charge a patient for making a correction request, for correcting the health information, or for associating a statement with the health information.
Verifying the patient’s identity
You should ensure that a correction request is made by the patient concerned, or by another person who is authorised to make a request on the patient’s behalf (such as a legal guardian).
In some cases, you may be confident of the patient’s identity, such as where a regular patient asks you to correct information during a consultation. However, where it is less clear, you should ask the patient for any evidence you may reasonably need to confirm identity. It is preferable just to sight identity documents, rather than to make and retain copies.
If you are not sure of the requesting patient’s identity, you should not correct the information.
Locating the patient’s health information
Review your records to determine whether you hold the health information that needs correcting.
Are you satisfied the information is incorrect?
You must correct the health information if you are satisfied that, given the purpose for which you hold it, it is incorrect. You may ask the patient for further information or explanation if you are not satisfied that the health information is incorrect.
Taking reasonable steps to correct the health information
What are reasonable steps to take will depend on the circumstances. Reasonable steps include making appropriate additions, deletions or alterations to a record, or declining to correct health information if it would be unreasonable to take such steps.
Given the sensitivity of health information and the potential impact of it being incorrect, more rigorous steps are likely to be considered ‘reasonable’ than might be the case for other personal information.
For practitioners in NSW, Victoria and the ACT, local legislation on correcting health information may contain more specific requirements. For example:
- If you are a Victorian or ACT practitioner and consider that leaving incorrect information on a patient’s record could result in harm, you may be required to place the incorrect information on a separate record. This record should not be generally available to other persons providing health services to the patient.
- Victorian practitioners may be required under local legislation to record the name of the person who made a correction to health information, and the date it was made.
- Where the deletion of incorrect health information is legally permitted, local legislation may require Victorian practitioners to make a written record of the name of the individual to whom the health information related, the period covered and the date the information was deleted.
Taking reasonable steps to notify another entity
If the patient asks you to, you must take reasonable steps to notify a third party of corrections made to health information where you previously provided that information to that party. You are not required to do this if it would be impracticable or unlawful.
When you correct information, you should tell the patient you can be asked to notify third parties.
What are ‘reasonable steps’ depends on factors such as:
- the risk of adversity to the patient, for example if the information is clinically significant
- the nature of the correction, for example if the incorrect information is likely to impact on treatment by a third party
- the length of time since the information was disclosed, for example if the information is very old a third party may be less likely to rely on it
- the likelihood of it being used or disclosed again by a third party
- the practicability of notifying a particular third party.
Providing written notice
If you refuse to correct health information, you must give the patient written notice setting out:
- the reasons for your refusal (except where it would be unreasonable to do so)
- that the individual may request a statement be associated with the health information noting that the patient believes the information to be incorrect
- how the individual may make a complaint about your decision and how you will deal with the complaint, together with information about external complaint avenues such as the OAIC.
If you do correct a patient’s information, it would also be good practice to notify the patient of the correction and of the identity of any third parties you have notified about the change.
Associating a statement with the health information
If you refuse to correct health information, you should tell the patient that you can be asked to associate a statement with the information noting that the patient believes the health information to be incorrect.
If the patient asks you to associate a statement, you must take reasonable steps to associate it in a way that will make it apparent to other users of the health information. For electronic information, this may involve placing a flag on the information with a link to alert users where the statement is.
The content and length of any statement will depend on the circumstances, but generally, a statement would not be more than one page.
Long text descriptions
Flowchart: Correction request received
1 Correction request received. Can you verify the individual's identity?
- No: Notify individual that you can’t correct the personal information. End.
- Yes: Continue to 2.
2 Can you locate the requested personal information?
- No: Notify individual that you can’t locate the personal information. End.
- Yes: Continue to 3.
3 Are you satisfied the personal information is incorrect?
- No: Continue to 5.
- Yes: Continue to 4.
4 Can you correct the personal information?
- No: Continue to 5.
- Yes: Continue to 6.
5 Associate a statement to the personal information, if possible. Notify individual that you can’t correct personal information and why, but that you have associated a statement. End.
6 Correct the personal information. Notify any third parties if necessary. Notify the individual that you have corrected the information. End.
For further information see the APP guidelines Chapter 1: APP 1 — Open and transparent management of personal information, ‘Implementing practices, procedures and systems to ensure APP compliance’.
This applies to third parties covered by the Privacy Act (including all private sector health service providers and Australian government agencies). However, it would be best practice to inform other third parties.