Your browser has 'Cookies' disabled, alert boxes will continue to appear without this feature.

Standards for health services in Australian prisons

Criterion 4.2.3 Transfer of patient health information

On request by a patient, our health service transfers a summary or a copy of the patient’s health record to the patient, another medical practitioner, health service provider or health service as applicable.


A. Our staff can describe the procedures for transferring patient health information to another health service provider or health service (interview).

B. Our health service notes in the relevant patient health record any request by a patient or other authorised party to transfer patient health information. This note includes details of when and where the information was sent and who authorised the transfer (health records review).

C. When we collect identifiable patient health information for continuing professional development activities, we only transfer it to a third party if the patient has provided consent (document review).

D. Our electronic data transmission of patient health information over a public network is encrypted (document review).


The personal health information of people held in prisons is regulated and protected by Federal and state or territory legislation. Health services need to ensure that patients develop a shared expectation about the use of their patient health information including the access that individual health service staff may have for the purpose of continuous and comprehensive care and the likelihood that such information will be used during quality improvement activities within the health service. The transfer of a prisoner’s personal health information outside the prison system should not take place without a patient’s consent unless there are exceptional circumstances (see Criterion 4.2.1: Confidentiality and privacy of health information).

Before any transfer of health information, the health service needs to consider whether other confidential information (eg. staff rosters) may be embedded in the health information and how this should be managed to avoid a security risk for members of the health service team.

For a quality improvement activity undertaken within a health service, where the primary purpose is to monitor, evaluate or improve the quality of healthcare delivered by the health service, ethics approval is not required.

Clinical audits using a tool such as CAT® (see Criterion 3.1.1: Quality improvement activities) or ‘plan, do, study, act’ cycles undertaken within a health service as part of a quality improvement activity do not require ethics approval. For example, a practice wishing to determine how many of its patients are given advice on smoking cessation, or how many patients with heart failure are prescribed angiotensin-converting enzyme inhibitors and beta-blockers, may complete an audit on their service data.

In general, a health service’s quality improvement or clinical audit activities for the purpose of seeking to improve the delivery of a particular treatment or service would be considered a directly related secondary purpose for information use or disclosure. In other words, in general, the health service would not need to seek specific consent for this use of patient health information.

To ensure patients understand and have reasonable expectations of quality improvement activities, practices are encouraged to include information about quality improvement activities and clinical audits in the practice policy on managing health information.

Patient health information that is transmitted electronically over a public network (eg. the internet) can pose significant privacy risks. It is technically possible for a third party to intercept and read emails, or for emails to be inadvertently sent to the wrong person. Encryption allows for the ‘scrambling’ of a message so that it can only be read by the intended person who verifies their identity using a unique identifying code (or key). The RACGP Computer security guidelines57 provide further information about security procedures including encryption such as public key infrastructure (PKI). Health services should not transfer patient health information via email unless it is encrypted.

For patients in prisons, it is important that the health service arranges the timely transfer of care to another healthcare practitioner or service when a patient is released from the facility or transferred to another prison. Prisoners can be frequently and rapidly moved to alternative prisons. In such instances, health service staff need to ensure that comprehensive transfer of patient health information is facilitated in a timely manner.

Where a prisoner is being released into the community, health services should be proactive in ensuring the patient’s health information is provided to the health professional or service that will continue the patient’s care outside the prison. Subject to the patient’s consent, a comprehensive health summary needs to be provided to the health professional who will be coordinating the care of the patient outside the prison or to the patient themself (if no health professional has been identified). It is useful for the transfer of care to be managed by the person within the health service who has led the care of that individual within the prison (see Criterion 1.5.2: Continuity of the therapeutic relationship).

Standardsprisons cover