Managing third party and patient requests for a patient’s medical record

Page last updated 2 October 2025

 

General practitioners (GPs) often receive requests from third parties for a patient’s medical record. Patients also make requests when transferring to a different practice.

This resource provides advice on which data elements from a patient’s medical record should be extracted to form an appropriate record for sharing.
 
 

Not all requests for patient information will be appropriate or require provision of a comprehensive medical record.

Before responding to requests from third parties a GP should consider whether they should seek legal advice (for example from their medical defence organisation (MDO)),  determine if the request needs to be redirected (for example to the practice owner/s or another entity that is the holder of the records), and if patient consent has been obtained/is necessary.

The response to any request must also be appropriate for the scope and nature of the request. For example, while a third party may request a patient’s complete medical record, the whole record may not be needed for the stated purpose.  

It is important to note that the printed version of electronic records will differ from how they appear in the electronic record as not all elements of the software can be produced on paper (examples include metadata, audit trails, alerts and recalls). It is also important to note that any extraction of a comprehensive medical record is as it appears in its current state; it cannot be produced retrospectively. 

 

The preparation of medical reports falls outside the scope of Medicare. It is therefore up to the GP or practice and the relevant third party to agree on an appropriate fee. Further information on setting fees in relation to preparing a medical report or transfer of patient information is available in the RACGP’s A guide to writing medical reports. 

 

GPs may receive requests for medical records as part of legal proceedings. A subpoena, court order or summons has the authority to compel production of medical records. Failure to do so may result in a penalty, fine or legal action. These orders are exceptions to the principles of patient confidentiality and privacy. If a doctor is unsure about compliance with the subpoena, they should consult with their medical defense organisation (MDO) or seek independent legal advice.  

It is important that a subpoena, court order or summons is addressed to the holder of the patient’s medical record – in most cases this will be the general practice but may be the individual GP in some circumstances. If it is addressed to an individual GP who is not the formal holder of the record, the GP should contact the third party who issued it, and request the addressee be amended.

Table 1 suggests a dataset to form a comprehensive medical record. This dataset should not be considered the only recommended dataset. Some GP clinical record systems have functionality to help generate datasets that may also be suitable. 

Table 1. Recommended comprehensive medical record dataset
Demographic information Name
Date of birth
Current address
Name as shown on Medicare card
Contact details
Ethnicity (if captured in the system)
Language spoken at home
Interpreter needed (only if captured in the system)
Aboriginal and/or Torres Strait Islander status
Sex at birth
Gender
Employment status
Occupation
All patient identifiers (except individual healthcare identifiers [IHI])
Health summary Allergies and adverse reactions
Current medicines list
Medical history (current and past active and inactive) as recorded
Family history as recorded
Social history as recorded
Health risk factors
  • Smoking status
  • Weight (overweight/obesity)
  • Alcohol intake
  • Physical activity
As per  the RACGP smoking, nutrition, alcohol and physical activity (SNAP) guide
Immunisations as recorded
Progress notes (including action notes) All entries including ‘non-visit’ entries dated, timed and author identified
Data entered in other sections of notes, such as obstetrics, acupuncture
All actions entered in a transaction
All prescribing information including quantity and repeats, old scripts
All documents generated by the provider including pathology and diagnostic imaging results (care plans, management plans, electrocardiograms, spirometry and photos)
Letters and reports Sent and received (include all scanned material), all test results and documents from third parties regardless of requests from the author not to be released


Additional administrative and clinical data may be useful in some cases, and may sometimes be covered by the scope of the legal request, including: 

  • sign-off audit trail for letters, scanned material, requests and results
  • appointment history, including cancelled/moved appointments
  • claims and payments history
  • tracking and tracing logs
  • clinical support material viewed (such as travel immunisation information – if not already recorded in the progress notes)
  • alerts, recalls and reminders.

Figure 1. Flow chart: Request for medical record under a legislative requirement such as a subpoena

Flow chart for Request for medical record
 

GPs will receive requests from third parties such as workers compensation schemes or insurance groups. Before providing patient information to a third party, patient consent must be obtained which should include the scope of information to be provided. In most cases consent will be provided by the patient via the insurer. The insurer must provide evidence of the signed consent when requesting the patient record.

Under the Financial Service’s Councils Standard No. 26: Consent for accessing health information, insurers must seek patient consent using standardised consent wording, called an Authority. There are two Authorities:

  • Authority 1 – to release any of my health information except the consultation notes held by my General Practitioner/Practice
  • Authority 2 – to release a copy of the full record, including consultation notes, held by my General Practitioner/Practice in specified circumstances.

While both authorities will be sought at the same time, insurers can only request a full record   under Authority 2 in certain, limited conditions. Targeted medical reports, as opposed to complete medical records, should be provided in most circumstances.

Only information which the patient has provided consent for release, and which relates to the matter at hand, should be provided. This is to prevent the sharing of patient information which is not relevant to a third-party request.

For example, if the request is related to a workplace injury, only information that is relevant to that injury or event should be provided. It would be prudent to clarify with the patient and consider information that should be excluded due to its sensitivity.

Further information on consent and release of health information can be found on the RACGP website.

Figure 2 demonstrates the steps to consider.

Figure 2. Flow chart: Request from a third party

-"Request


* There may be occasions where informing the patient or guardian is not appropriate, for example where a child's record is requested by a relevant child protection authority and informing the parent/guardian could pose a risk to the child in question

** For example, giving access would pose a serious threat to the life, health or safety of any individual

***This includes documents such as specialist letters

 

When patients move to a new practice, either the new GP or the patient may request to have their existing records transferred. A succinct dataset of relevant information should be provided at a minimum. There will be some situations where – given the complexity or nature of the patient’s medical conditions or history – it is best for the new GP or practice to have a complete copy of their previous records.

Table 2 suggests a dataset that may be provided as part of transferring care.

Table 2. Transfer of care medical record dataset
Demographic information Name
Date of birth
Name as shown Medicare card
Ethnicity (if captured in the system)
Language spoken at home
Interpreter needed (only if captured in the system)
Aboriginal and/or Torres Strait Islander status
Sex at birth
Gender
Employment status
Occupation
All patient identifiers (except individual healthcare identifiers [IHI])
Health summary Allergies and adverse reactions
  • record of allergies and adverse events
  • known substance (drug and non-drug), reaction and date of occurrence.
  • review of allergy and adverse reaction at the point of prescribing any new medications or at periodic health review (for example referrals) is recommended
Current medicines list
Medical history (current and past active and inactive) as recorded
Family history as recorded
Social history as recorded
Health risk factors
  • smoking status
  • Weight (overweight/obesity)
  • Alcohol intake
  • Physical activity

H health risk factors as outlined in the RACGP smoking, nutrition, alcohol and physical activity (SNAP) guide
Immunisations as recorded


Figure 3. Flowchart: Request for transfer of care between practices

Request for transfer of care


*The request for transfer of records does not necessarily need to be written or signed. For example, you could receive a verbal request, confirm all the details with the patient and document this in the patient’s records.

 

This document does not constitute legal advice. When considering if, and how to manage third-party or patient requests for a patient’s medical record, GPs and practices should seek independent legal advice. The RACGP takes no responsibility for any loss of any description by a practice or person as a result of relying on this document.

Advertising

Advertising