Privacy and managing health information in general practice

Use and disclosure of health information

Patient access to medical records

Last revised: 24 May 2023

  • Patients may access all their personal information held by your practice, subject to a few exceptions.
  • Your practice must respond to requests for access within a reasonable period (generally 30 days).
  • It is essential to verify the identity of the requesting person.
  • Practices are not required to provide access if they reasonably believe:
    • it would unreasonably impact the privacy of another person
    • it might threaten the life, health or safety of another person or the public
    • other exceptions to providing access might also apply.
  • Refusal to grant access must be communicated in writing with reasons and the process for lodging a complaint.

Scope of access

The scope of a patient’s access rights is broad and includes all of a patient’s personal information. A patient’s medical record contains all information created by their treating GP(s) or received from other practitioners, and usually exists in both electronic and hard copy documents. Therefore, these requests will involve information held on the practice’s administrative system as well as in the medical record.

Identifying records containing other patient data

Your practice must be able to identify those records containing another patient’s personal information or have the capacity to search relevant medical records where necessary. This commonly occurs in the family setting.

Managing access

Some states require access requests to be made in writing. Where there is no requirement for requests to be in writing it is considered best practice to ask patients to put their request in writing. This provides clarity on the information being sought as some requests might involve collating a significant amount of information. A written request also provides a record of the request.

Where a patient is provided with access to their medical record, it might be appropriate for their usual treating GP to be available to clarify its contents and to discuss any concerns with the patient.

Alternatively, it might be appropriate to refer the patient to the original author of a record (such as when health information is received from a specialist).

In some cases, GPs might discharge their obligation to provide access to health information by arranging for the patient to obtain the information from an intermediary, such as a referring doctor. For example, this might be the preferred option for a pathologist who has had no direct contact with the patient. However, in all cases the intermediary must be mutually agreed on.

Some states only allow the use of intermediaries where there is a serious threat to the life or health of the requesting patient.

Type of access

Requests will usually be for access to a patient’s entire medical record. However, requests for specific information might be received by email, telephone or in person.

A practice might not be comfortable in providing entire medical records. However, merely being uncomfortable or asserting proprietary rights is not a valid ground for refusal. The privacy laws require access as requested, where reasonable and practical, or in a mutually agreed way.

It is recommended practices consider these exemptions carefully in response to a request for a full medical record. Although the obligation is to provide the information in the manner requested by the patient, in the general practice setting it might be unreasonable to hand over an entire medical record. In this instance:

  • it is advised that practices do not release the original paper file
  • practices are entitled to make this assessment and should consider acceptable alternatives
  • in providing alternatives, the needs of the practice and the patient should be considered and might include:
    • an up-to-date summary containing all relevant material
    • access to the patient’s medical files in a room at the practice.

Refusing access

It is recommended your practice is familiar with the reasons it might refuse to provide access.

Your practice should consider the risk of distress to other patients. For example, practices might consider refusing access when:

  • it would lead to significant distress or self-harm or harm to another person [4]
  • there is health information of another patient within the medical record
  • the requesting patient’s information was disclosed by another patient in confidence
  • there is a possibility of domestic abuse or child abuse.

If a GP is considering refusing access, they should obtain professional legal advice.

Access fees

Your practice can charge a fee for providing a patient access to their personal information, but not for merely requesting access. You should therefore only consider imposing fees (if at all) after the request is made.

Case study: Medical record access through an intermediary

Mary has requested her medical file. In assessing her request, the practice manager notes Mary had moved away from the practice. Satisfying the request would mean sending a copy of the medical record by courier. The practice determines the costs of doing so would be quite high.

In addition, Mary’s treating GP does not want to send the full medical record. She is concerned Mary would not understand some of the information and the inevitable internet searching that would follow to clarify unknown medical terms would only cause further stress.

In consultations with the GP, the practice manager determines it would not be reasonable or practical to send the medical file to Mary. However, they contact Mary to inquire whether sending the record to a closer GP would assist her. Mary agrees and is able to discuss the contents of the record with her local GP in an informed environment.

A practice might request fees to cover the cost of:

  • administration for file searching, collating, etc
  • copying or printing records
  • postage or courier delivery
  • facilitating access with intermediaries.

Your practice might want to consider the patient’s individual circumstances and their capacity to pay prior to determining and/or waiving access fees.

Practices might consider alternatively aligning a patient’s access request with a consultation.

Create a policy: Patient record access

It is recommended your practice develops and implements a policy covering patient record access. This policy should outline:

  • how and to whom requests for access should be made
  • the process for identity verification
  • how access will be granted
  • recommended response times
  • whether access fees will apply and in what circumstances (if any) these charges will be waived.

This information might be incorporated into your practice’s privacy policy (refer to section on Privacy policies).


  1. Australian Government, Office of the Australian Information Commissioner. Australian Privacy Principles quick reference. 2014 [Accessed 7 November 2022].
  2. National Health and Medical Research Council, Australian Research Council, Australian Vice-Chancellors’ Committee. National statement on ethical conduct in human research (2007) (updated 2018). 2018 [Accessed 16 January 2023].
  3. Commonwealth of Australia. Privacy Act 1988. 1988 [Accessed 7 November 2022].
  4. Australian Government, Office of the Australian Information Commissioner. Australian Privacy Principles guidelines: Privacy Act 1988. 2015 [Accessed 16 January 2023].
  5. Australian Government, Attorney-General. Parliament approves Government’s privacy penalty bill. 2022 [Accessed 16 January 2023].
  6. Medical Board of Australia, AHPRA. Good medical practice: A code of conduct for doctors in Australia. 2020 [Accessed 16 January 2023].
  7. Australian Government, Office of the Australian Information Commissioner. Business resource. Chapter 9: Research. 2019 [Accessed 16 January 2023].
  8. Australian Government, Office of the Australian Information Commissioner. Chapter 5: APP 5 – Notification of the collection of personal information. 2019 [Accessed 8 November 2022].
  9. Australian Medical Association. Frequently asked questions – Fees. [date unknown] [Accessed 8 November 2022].
  10. Australian Government, Office of the Australian Information Commissioner. Privacy for organisations: Trading in personal information. [date unknown] [Accessed 16 January 2023].
  11. National Health and Medical Research Council. Use and disclosure of genetic information to a patient’s genetic relatives under Section 95AA of the Privacy Act 1988 (Cth) – Guidelines for health practitioners in the private sector. 2014 [Accessed 16 January 2023].