Privacy and managing health information in general practice

Medical records

Last revised: 24 May 2023

  • Your practice must ensure the health information it collects, uses or discloses is relevant, accurate, up-to-date and complete.
  • Your practice must ensure health information that is no longer practically or legally needed is destroyed or de-identified.
  • Medical records are usually owned by the practice, not the patient.

Maintaining accurate and complete medical records

It is important that medical records are accurate, up-to-date, comprehensive and legible. GPs must take reasonable steps to ensure the health information and consultation notes they hold are well organised. Medical records should always be detailed enough, and accessible enough, to allow another GP to continue management of the patient. Your practice should use a follow-up system (subject to patient consent) to ensure patients are seen regularly and medical records are kept accurate and current.

Ownership of medical records

Patients own the information in their medical record but do not own the medical record itself. Ownership might vary as follows:

  • Sole practitioners retain full ownership over their medical records.
  • Contract and employee GPs are likely to be creating medical records for their principal or employer and unlikely to own these themselves.
  • GPs operating in a partnership might have a claim to a shared partnership interest over some, or all, of the medical records.
  • GPs who own an incorporated practice own its assets and this usually includes the medical records. In the absence of any agreement specifying otherwise, multiple owners own the medical records jointly.

It is recommended that the ownership of medical records is clarified and documented before a GP commences at a new practice. This will help prevent disagreements when a departing GP intends to take records with them. It is recommended that advice is sought before entering into an agreement.

Despite the above, GPs are required under the Medical Board of Australia’s Good medical practice: A code of conduct for doctors in Australia to promptly facilitate the transfer of health information when requested by a patient.5

Retention and destruction of medical records

Your practice should retain health information as required and in accordance with the applicable laws.

The Privacy Act requires health information to be destroyed or permanently de-identified once it is no longer needed for any authorised use or disclosure.

However, the ACT, NSW and Victoria require medical records to be retained until a young person turns 25 and, for adults, for seven years from the date the last health service was provided. The Privacy Act does not require destruction of information that another Australian law requires you to retain, so these state and territory retention periods take precedence.

Under some state and territory legislation, the destruction of any medical record is prevented when the record is likely to be involved in legal proceedings. It is recommended to seek advice on the current limitation periods that apply to your practice.

GPs must appropriately destroy or permanently de-identify health information following the expiry of these periods.

Retention and destruction of records

  • General practices should keep health records for the length of time specified in state or territory legislation.
  • Once this time has expired, the APPs require you to appropriately destroy or permanently de-identify health information.
  • APP 11 requires that reasonable steps are taken to destroy or de-identify personal information that is no longer needed. The reasonable steps will be dependent on whether the personal information is held in paper or electronic format.


Your practice might choose to permanently de-identify health information rather than destroy it. Care should be taken to ensure there is no prospect of the patient being identified from the remaining information.

The de-identification of health information is more than simply removing the patient’s name. Any identifying information contained in the medical record must be deleted or destroyed to ensure confidentiality.

Whenever the information is in the form of individual data sets, there is a risk the data set could be linked to a particular individual based on details of age, postcode and medical condition. The more information included in the data set, the greater the risk of re-identification.

Even where data is aggregated, care is needed to ensure the number of people in each ‘cohort’ or sub-group is large enough that the privacy of the individuals is not breached. For example, the relevant NHMRC guidelines specify that each cohort must contain data from at least five individuals.11
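The re-identification risk described above can be checked mechanically before an extract leaves the practice. The following is an added example, not code from the original page or from the RACGP: it treats year of birth, postcode and condition as the quasi-identifiers the text names, counts how many individuals share each combination, and applies the minimum cohort size of five. The record layout, the helper names and the sample rows are all constructed for illustration. It also shows the two standard remedies (generalising values into bands, then suppressing any rows that still sit in an undersized cohort), which goes beyond what the paragraph states.

```python
"""Cohort-size check for a 'de-identified' extract (added example).

Constructed sample data, not real patients. The quasi-identifiers (year of
birth as a proxy for age, postcode, condition) and the minimum cohort size
of 5 follow the text above; the record layout and function names are
assumptions made for this example.
"""
from collections import Counter

MIN_COHORT = 5  # minimum individuals per cohort, per the guideline cited above

# Constructed records with the patient's name already removed.
# Each is (year_of_birth, postcode, condition). Removing the name alone
# leaves these three fields, which together can still single people out.
RECORDS = [
    (1961, "3000", "type 2 diabetes"),
    (1962, "3000", "type 2 diabetes"),
    (1963, "3001", "type 2 diabetes"),
    (1964, "3002", "type 2 diabetes"),
    (1965, "3003", "type 2 diabetes"),
    (1966, "3004", "type 2 diabetes"),
    (1971, "3051", "asthma"),
    (1972, "3052", "asthma"),
    (1973, "3053", "asthma"),
    (1974, "3054", "asthma"),
    (1975, "3055", "asthma"),
    (1940, "3088", "rare condition X"),  # a singleton: identifiable on its own
]


def raw_key(record):
    """Quasi-identifier tuple exactly as stored (name removed, nothing else)."""
    year, postcode, condition = record
    return (year, postcode, condition)


def generalised_key(record):
    """Generalise to a 10-year birth band and a 2-digit postcode prefix."""
    year, postcode, condition = record
    return (f"{year // 10 * 10}s", postcode[:2], condition)


def cohort_sizes(records, key):
    """Count how many records share each quasi-identifier tuple."""
    return Counter(key(r) for r in records)


def undersized_cohorts(records, key, k=MIN_COHORT):
    """Return {quasi_identifier: size} for cohorts smaller than k."""
    return {qi: n for qi, n in cohort_sizes(records, key).items() if n < k}


def is_safe_to_release(records, key, k=MIN_COHORT):
    """True when every cohort in the extract has at least k individuals."""
    return not undersized_cohorts(records, key, k)


def suppress_undersized(records, key, k=MIN_COHORT):
    """Drop rows whose cohort is still smaller than k after generalisation."""
    small = undersized_cohorts(records, key, k)
    return [r for r in records if key(r) not in small]


if __name__ == "__main__":
    print("raw fields, undersized cohorts:",
          len(undersized_cohorts(RECORDS, raw_key)))
    print("generalised, undersized cohorts:",
          undersized_cohorts(RECORDS, generalised_key))
    released = suppress_undersized(RECORDS, generalised_key)
    print("rows released:", len(released),
          "safe:", is_safe_to_release(released, generalised_key))
```

With the name removed but the raw fields kept, every one of the twelve rows is its own cohort of one. Generalising age and postcode brings the diabetes and asthma groups to six and five respectively, but the single rare-condition patient remains identifiable, so that row is suppressed before release. The same pattern applies to any other quasi-identifiers a practice decides are linkable.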

  1. Australian Government, Office of the Australian Information Commissioner. Australian Privacy Principles quick reference. 2014 [Accessed 7 November 2022].
  2. National Health and Medical Research Council, Australian Research Council, Australian Vice-Chancellors’ Committee. National statement on ethical conduct in human research (2007) (updated 2018). 2018 [Accessed 16 January 2023].
  3. Commonwealth of Australia. Privacy Act 1988. 1988 [Accessed 7 November 2022].
  4. Australian Government, Office of the Australian Information Commissioner. Australian Privacy Principles guidelines: Privacy Act 1988. 2015 [Accessed 16 January 2023].
  5. Australian Government, Attorney-General. Parliament approves Government’s privacy penalty bill. 2022 [Accessed 16 January 2023].
  6. Medical Board of Australia, AHPRA. Good medical practice: A code of conduct for doctors in Australia. 2020 [Accessed 16 January 2023].
  7. Australian Government, Office of the Australian Information Commissioner. Business resource. Chapter 9: Research. 2019 [Accessed 16 January 2023].
  8. Australian Government, Office of the Australian Information Commissioner. Chapter 5: APP 5 – Notification of the collection of personal information. 2019 [Accessed 8 November 2022].
  9. Australian Medical Association. Frequently asked questions – Fees. [date unknown] [Accessed 8 November 2022].
  10. Australian Government, Office of the Australian Information Commissioner. Privacy for organisations: Trading in personal information. [date unknown] [Accessed 16 January 2023].
  11. National Health and Medical Research Council. Use and disclosure of genetic information to a patient’s genetic relatives under Section 95AA of the Privacy Act 1988 (Cth) – Guidelines for health practitioners in the private sector. 2014 [Accessed 16 January 2023].