Patient access to medical records
Patient access to medical records
- Patients may access all their personal information held by your practice, subject to a few exceptions.
- Your practice must respond to requests for access within a reasonable period (generally 30 days).
- It is essential to verify the identity of the requesting person.
- Practices are not required to provide access if they reasonably believe:
- it would unreasonably impact the privacy of another person
- it might threaten the life, health or safety of another person or the public
- other exceptions to providing access might also apply.
- Refusal to grant access must be communicated in writing with reasons and the process for lodging a complaint.
Scope of access
The scope of a patient’s access rights is broad and includes all of a patient’s personal information. A patient’s medical record contains all information created by their treating GP(s) or received from other practitioners, and usually exists in both electronic and hard copy documents. Therefore, these requests will involve information held on the practice’s administrative system as well as in the medical record.
Identifying records containing other patient data
Your practice must be able to identify those records containing another patient’s personal information or have the capacity to search relevant medical records where necessary. This commonly occurs in the family setting.
Managing access
Some states require access requests to be made in writing. Where there is no requirement for requests to be in writing it is considered best practice to ask patients to put their request in writing. This provides clarity on the information being sought as some requests might involve collating a significant amount of information. A written request also provides a record of the request.
Where a patient is provided with access to their medical record, it might be appropriate for their usual treating GP to be available to clarify its contents and to discuss any concerns with the patient.
Alternatively, it might be appropriate to refer the patient to the original author of a record (such as when health information is received from a specialist).
In some cases, GPs might discharge their obligation to provide access to health information by arranging for the patient to obtain the information from an intermediary, such as a referring doctor. For example, this might be the preferred option for a pathologist who has had no direct contact with the patient. However, in all cases the intermediary must be mutually agreed on.
Some states only allow the use of intermediaries where there is a serious threat to the life or health of the requesting patient.
Type of access
It is advised that practices do not release the original paper file
Requests will usually be for access to a patient’s entire medical record. However, requests for specific information might be received by email, telephone or in person.
A practice might not be comfortable in providing entire medical records. However, merely being uncomfortable or asserting proprietary rights is not a valid ground for refusal. The privacy laws require access as requested, where reasonable and practical, or in a mutually agreed way.
It is recommended practices consider these exemptions carefully in response to a request for a full medical record. Although the obligation is to provide the information in the manner requested by the patient, in the general practice setting it might be unreasonable to hand over an entire medical record. In this instance:
- it is advised that practices do not release the original paper file
- practices are entitled to make this assessment and should consider acceptable alternatives
- in providing alternatives, the needs of the practice and the patient should be considered and might include:
- an up-to-date summary containing all relevant material
- provide access to a patient’s medical files in a room at the practice.
Refusing access
It is recommended your practice is familiar with the reasons it might refuse to provide access.
Your practice should consider the risk of distress to other patients. For example, practices might consider refusing access when:
- it would lead to significant distress or self-harm or harm to another person4
- there is health information of another patient within the medical record
- the requesting patient’s information was disclosed by another patient in confidence
- there is a possibility of domestic abuse or child abuse.
If a GP is considering refusing access, they should obtain professional legal advice.
Access fees
Your practice can charge a fee for providing a patient access to their personal information, but not for merely requesting access. You should therefore only consider imposing fees (if at all) after the request is made.
Case study: Medical record access through an intermediary
Mary has requested her medical file. In assessing her request, the practice manager notes Mary had moved away from the practice. Satisfying the request would mean sending a copy of the medical record by courier. The practice determines the costs of doing so would be quite high.
In addition, Mary’s treating GP does not want to send the full medical record. She is concerned Mary would not understand some of the information and the inevitable internet searching that would follow to clarify unknown medical terms would only cause further stress.
In consultations with the GP, the practice manager determines it would not be reasonable or practical to send the medical file to Mary. However, they contact Mary to inquire whether sending the record to a closer GP would assist her. Mary agrees and is able to discuss the contents of the record with her local GP in an informed environment.
A practice might request fees to cover the cost of:
- administration for file searching, collating, etc
- copying or printing records
- postage or courier delivery
- facilitating access with intermediaries.
Your practice might want to consider the patient’s individual circumstances and their capacity to pay prior to determining and/or waiving access fees.
Practices might consider alternatively aligning a patient’s access request with a consultation.
Create a policy: Patient record access
It is recommended your practice develops and implements a policy covering patient record access. This policy should outline:
- how and to who requests for access should be made
- the process for identity verification
- how access will be granted
- recommended response times
- whether access fees will apply and in what circumstances (if any) these charges will be waived.
This information might be incorporated into your practice’s privacy policy (refer to section on Privacy policies).