New South Wales privacy law provides a general right to access health information. This fact sheet has been designed to assist Health Care Providers in understanding their obligations and responsibilities under New South Wales privacy laws.
What are my health information access obligations?
The NSW Health Record and Information Privacy Act 2002 (HRIP Act) creates the right of individuals to access their health information from NSW health service providers, public sector agencies and private sector organisations that hold health information.
Access can be provided in several ways, such as providing:
- a copy of the record in electronic or paper format (or, in the case of extensive medical records, a summary of the key information in the record), or
- a reasonable opportunity to view the record and take notes.
Who can request access?
Individuals can request access to their own health information, or to another individual's health information if they present evidence of written consent from that individual.
Individuals can also request access to information about children for whom they have parental responsibility or guardianship, or about other individuals for whom they hold power of attorney.
As a provider, you must ensure that the person requesting access to the health information has the right to do so. You may request proof of a person's identity and, where relevant, evidence of parental authority, guardianship and power of attorney.
If you are uncertain about whether to agree to a request for access, the IPC has a checklist for the private sector to provide guidance. This can be found here. The checklist for the public sector can be found here.
When will access not be granted?
There is a limited set of situations where access may not be granted.
These include situations where:
- Providing access would pose a serious threat to the individual’s health, or the health of others;
- Providing access would have an unreasonable impact on the privacy of others;
- The information requested relates to existing or anticipated legal proceedings between the individual and the provider;
- Providing access would reveal the intentions in relation to negotiations, other than about the provision of a health service, with the individual in such a way as to expose the provider unreasonably to disadvantage;
- Providing access is unlawful;
- Denying access is required or authorised by or under law;
- Providing access would likely prejudice an investigation;
- Providing access would likely prejudice a law enforcement function;
- A law enforcement agency performing a lawful security function asks a private sector person not to provide access on the basis that the access would cause damage to the security of Australia;
- The request has been made unsuccessfully on at least one previous occasion and there are no reasonable grounds for making the request again;
- There have been repeated, unreasonable requests for information to which access has already been given.
Law enforcement agencies or court orders may also prevent you from providing access.
In all other situations, access should be granted in response to a valid request.
What should a request for access look like?
A request for access to health information should:
- Be in writing
- Include the name and address of the person making the request
- Identify the health information that is requested
- State the form in which the information is requested
How should I handle a situation where it is appropriate to refuse access?
You are required to send a response even when it is appropriate not to grant access. The response should include a clear explanation of why access can't be granted, with reference to the specific reason as contained in the HRIP Act.
It may be that access can be provided for parts of the information requested. In these cases, you should explain clearly why only partial access has been provided.
In sensitive cases, it may be beneficial for the response to be carefully worded and for the relevant clinicians to review it before it is sent to the individual.
How should I provide access?
Access should be provided in the format requested by the individual. This will likely be as a document in a commonly-used format, such as a spreadsheet or PDF. You do not have to grant individuals direct access to your systems. You should consider the privacy impacts of providing information and the requested format. You should never grant access to or provide the health information of any individual other than the one who is the subject of the request, except to an authorised representative with a signed consent.
Depending on the size of the record, it may be appropriate to provide a summary, rather than the full medical record.
One of my patients is moving to a new practice. Do I need to give the new GP access to the patient's record?
Records should be made available to ensure continuity of care for the patient, if the patient has provided consent for this transfer to occur. If the patient's record is extensive it is acceptable to provide a summary of relevant information. The Royal Australian College of General Practitioners (RACGP) has published a guideline about the information that should be included in the transfer of care document, which can be found on the RACGP website.
You should keep a record of the person and practice the information has been provided to and the date this occurred.
What is a reasonable timeframe to provide access?
The public sector is required to send a response within a reasonable timeframe. The IPC recommends a response should be provided within 28 calendar days of first receiving the request.
The HRIP Act requires that a response to a request for access must be given within 45 calendar days. This response must either be the granting of access to the requested information or a refusal to grant this access; any other communication about the request is not a response under the terms of the Act. If a response is not given within 45 calendar days it will be treated as if the request has been refused.
However, all access requests should be processed as quickly as possible.
What fees can I charge?
Under the HRIP Act access should be provided without excessive expense. Fees can be charged to cover the cost of providing access to a medical record, such as administration, photocopying and printing. This fee must not be excessive, and should consider the individual circumstances of the patient so it does not act as a barrier for the patient to access their record or to the continuity of health care. It is recommended that health providers be transparent with individuals about the fees involved with granting access and the way those fees have been calculated.
Once the requester has been notified that a fee is being charged and that access won't be granted until that fee is paid, a private organisation can wait until 7 days after the fee has been paid to provide access, provided that this 7 days does not exceed 45 calendar days from when the request was received.
In circumstances where the individual has indicated that they would have difficulty in paying the fee, you may consider alternative pricing models, or else suggest providing access to a summary of the health information, which may carry a lower fee.
Information about the charges for providing access to health records within the NSW public health system can be found at: http://www1.health.nsw.gov.au/pds/ActivePDSDocuments/IB2017_035.pdf
Please note that information on charges in the public health system is regularly updated.
Section 9.5 of The RACGP Handbook for the Management of Health Information in General Practice, 3rd edition provides advice on charging for providing access to health information for GPs. This can be found here.
What should I do if I receive a request for access to a medical record as part of a legal proceeding?
If a health care provider receives a subpoena or court order to produce medical records they are generally required to comply. Failure to produce the record may result in penalties or legal action. The RACGP has prepared advice on the information that should be provided to meet the requirement of a comprehensive medical record, which can be accessed on the RACGP website. Medical Defence Organisations can provide advice on compliance with subpoenas or court orders if you have concerns about compliance.
Should I provide medical records if requested by an insurer?
You must obtain the consent of the patient before releasing any information to a third party, including insurers or Insurance and Care NSW (icare).
Do parents always have a right to access their child's records?
In most cases a parent who holds parental responsibility or guardianship may be able to access their child's records.
You may ask the parent/guardian to provide evidence or authority of that arrangement before providing access.
However, between the ages of 14 and 16, young people may seek treatment without the knowledge of a parent or guardian, subject to the health care provider's assessment of the young person's capacity to understand the consequences of any proposed treatment. A similar assessment should be made in determining whether information can be disclosed to parents/guardians in situations where the young person has capacity to make independent decisions about their health care.
As stated above, you may request evidence of parental authority, or guardianship.
Can I provide information about a deceased patient to a family member?
Privacy laws continue to apply to the records of patients for 30 years after the date of death. However, access can be provided if consent is given by the executor of the estate for compassionate or other grounds. A decision to provide access should also consider any wishes expressed by the individual prior to their death (for example, through an Advance Care Directive, or documented in the health record). You should keep a record of who requested access to the medical record, the grounds for allowing access, the information that was provided and the date this occurred.
What am I required to do with my records if I close my Practice?
If you are closing your Practice you (or your representative) should make arrangements for records to be stored for the required statutory period, or transferred to another provider nominated by the patient. Patient consent must be obtained before records are transferred to any other provider. If records are to be stored, reasonable steps must be taken to inform patients how they can locate and access their records, and to protect records from unauthorised access, modification or disclosure.
Advice on how to manage changes in Practice circumstances can be found at: https://www.oaic.gov.au/engage-with-us/consultations/health-privacy-guidance/business-resource-change-of-business-circumstances-or-closure-of-a-health-service
Privacy and record keeping requirements: http://www.medicalboard.gov.au/Codes-Guidelines-Policies/Code-of-conduct.aspx
Patient access to health information: Section 9, http://library.racgp.org.au/amlibweb/images/Handbook%20for%20the%20management%20of%20health%20information%20in%20general%20practice3rd.pdf
Fees and charging for access to health information: http://www1.health.nsw.gov.au/pds/ActivePDSDocuments/IB2017_035.pdf
Guidelines on managing requests from third parties: https://www.racgp.org.au/download/Documents/e-health/managing-external-requests-for-patient-information.pdf
IPC checklist for providers (Responding to a request for Patient Access): https://www.ipc.nsw.gov.au/sites/default/files/file_manager/Private_Sector_Checklist_ACC.pdf
For more information
Contact the Information and Privacy Commission NSW (IPC):