Fact Sheet - Access to Health Information for Health Care Consumers

Updated February 2021

NSW privacy law[1] gives you a general right to access your health information. This fact sheet explains when and how you can access your health information[2] under NSW privacy laws.

Who owns my health record?

The health provider who created your medical record owns the record. However, you have rights to access your health record.

This right may be exercised in various ways, including:

  • viewing the record at the health service
  • having it explained to you by the provider
  • being provided with a copy of it in paper or electronic format (or in the case of extensive medical records, a summary of the key information in the medical record).

What are my health information access rights?

The NSW Health Records and Information Privacy Act 2002 (HRIP Act) ensures your right to access your health information from:

  • NSW health service providers
  • public sector agencies
  • some private sector organisations that hold health information.

Private sector providers, such as GPs, must also comply with the Federal Privacy Act 1988. Like the HRIP Act, the Privacy Act gives you rights to gain access to the information held about you. For further information on the federal privacy laws and your rights, please contact the Office of the Australian Information Commissioner on 1300 363 992 or at www.oaic.gov.au.

Can I access the health information of someone I care for?

You can access health information about another individual provided you have written consent that shows that the other individual has authorised you to access their records. This consent must be in writing and must explicitly name the individual who is authorised to have access to the information.

Some health providers may specify requirements for consent or authority[3], including:

  • that it was made within a time period, for example the consent was signed less than three months before the access request was made
  • that it is on a particular form or in a particular format
  • whether the consent is acceptable in electronic format where the other person is interstate or overseas.

What if the individual is incapable of making the request or providing authority?

Under the HRIP Act, an individual is considered to be incapable[4] of making a request if, due to age, injury, illness, physical or mental impairment, they are incapable of understanding the general nature and effect of the HRIP Act, or of communicating their intentions with respect to the HRIP Act.

In these circumstances, an authorised representative of the individual may make a request on their behalf.

‘Authorised representative’[5] means:

  • an attorney for the individual under an enduring power of attorney
  • a guardian within the meaning of the Guardianship Act 1987, or a person responsible within the meaning of Part 5 of that Act
  • a person having parental responsibility for the individual, if the individual is a child
  • a person who is otherwise empowered under law to exercise any functions as an agent of or in the best interests of the individual.

A person is not an authorised representative of an individual to the extent that acting as an authorised representative of the individual is inconsistent with an order made by a court or tribunal.

How can I request access?

If you want to access your own health or personal information[6], you should contact the holder of the information first and ask them how you can do this.

At a large organisation, such as a hospital, this may be the Privacy Officer at the organisation concerned. Their details should be on the organisation’s website. Information is also included in the hospital’s privacy management plan which should also be available on their website.

In a NSW public hospital, requests to access health information should be sent to the Medical Records Department.

The request should:

  • be in writing
  • include your name, address and date of birth
  • identify the health information that is requested
  • state the form in which the information is requested.

If you are requesting information on behalf of another person, you should also provide that person’s name, address, date of birth and the written documentation from them that authorises you to access their information.

What fees and charges should I expect?

Access to health information should be made available at the lowest reasonable cost and without excessive delay. This means that providers are entitled to charge a fee to cover their administrative costs, such as time taken, photocopying, printing, or going through the record with you. 

The fees charged are to cover the costs of providing you access, and therefore shouldn’t be excessive. You should be provided with information about the cost at the time you make the request, or shortly after. Different providers may have different ways the fee is charged – some may have a flat rate, others may charge a fee per page.

The legislation does not prescribe how the fee should be structured and the particular fees involved will be specific to the health provider you are seeking access from.

If you are worried about the amount of the fee, contact the health provider directly and let them know about your circumstances.

You may be informed you must pay the fee before access is given. If this is the case, you should be given access within 7 days of paying the fee.

Information about the charges for providing access to health records within the NSW public health system can be found here. Please note the information bulletin on charges in the public health system is regularly updated, and you should always refer to the active bulletin by checking the NSW Ministry of Health Website (https://www.health.nsw.gov.au/phb/Pages/default.aspx).

Section 9.5 of The RACGP Handbook for the Management of Health Information in General Practice, 3rd edition provides information on charging for providing access to health information for GPs. This can be found here.

How long should it take to get my records?

Private health care providers are required to respond to your request within 45 calendar days of receiving your request. The legislation does not prescribe a timeframe for access by a public sector health organisation. The IPC expects that a response should be provided within 28 calendar days.  

If you wish to enquire about the processing status of a request you should contact the health provider directly.

When will access not be granted?

Once you have made a valid request, the HRIP Act[7] grants you the right to access your information in almost all cases. However, it is important to note that for public sector agencies, the HRIP Act[8] does not affect the operation of the Government Information (Public Access) Act 2009 (GIPA Act), nor does the HRIP Act operate to lessen any obligations under the GIPA Act. This means that the provisions of the GIPA Act and the Privacy and Personal Information Protection Act 1998 that impose conditions or limitations with respect to the information held, access or amendment of health information are not affected by the HRIP Act and they continue to apply as if they were provisions of the HRIP Act.[9]

In the case of private health sector persons, however, there is a limited set of situations where access may be refused. This includes situations where:

(a) Providing access would pose a serious threat to your health, or the health of others;

(b) Providing access would have an unreasonable impact on the privacy of others;

(c) The information requested relates to existing or anticipated legal proceedings between you and the provider;

(d) Providing access would reveal the intentions in relation to negotiations, other than about the provision of a health service, with the individual in such a way as to expose the provider unreasonably to disadvantage;

(e) Providing access is unlawful;

(f) Denying access is required or authorised by or under law;

(g) Providing access would likely prejudice an investigation;

(h) Providing access would likely prejudice a law enforcement function;

(i) A law enforcement agency performing a lawful security function asks a private sector person not to provide access on the basis that the access would cause damage to the security of Australia;

(j) The request has been made unsuccessfully on at least one previous occasion and there are no reasonable grounds for making the request again;

(k) There have been repeated, unreasonable requests for information to which access has already been given.

If you have been refused access to health information by a private sector person because it may pose a serious threat to your health or the health of others, you can request that access instead be given to a registered medical practitioner of your choice. This request must be made to the information holder within 21 calendar days after receiving the original refusal of access[10].

What do I do if I haven’t received a response to my request?

You should be sent a response to your request – either granting you access or, if legitimate reasons exist, refusing you access – within a reasonable timeframe. The exact response requirements depend on whether you are requesting the information from a public sector agency, such as a public hospital, or government-run community health service, or whether it is from a private sector organisation, such as a private hospital, general practitioner, or other private practice.

  • Public Sector - If you are requesting information from a public sector agency or government-run service, a response should be sent to you within a reasonable timeframe – the IPC expects around 28 calendar days.
  • Private Sector - If you are requesting access from a private sector individual or organisation, the response should be sent to you within 45 calendar days.

Any communication from the information holder that isn’t either granting you access or refusing you access is not considered a formal response to your request and does not reset the timeframes mentioned above.

In the case of a public sector agency if you have not received a response to your request you are encouraged to make contact with the agency about the progress of your request.

If you haven’t received a formal response from the private sector person within 45 calendar days after the request was made, the request is treated as if it has been refused[11].

What do I do if I suspect access has been wrongfully refused?

If you believe a NSW public sector agency or private organisation has wrongfully refused you access to your health information or the health information of someone who has given you consent, then steps to seek recourse and access are available to you. Your first action should always be to contact the health provider directly and communicate your concerns. Clarify with them that they are aware of your right to access your own health information and confirm that their refusal is based on one of the clearly defined access exemptions in the HRIP Act.

If necessary, you may take further steps to get the decision to refuse you access reviewed. The steps involved are different depending on whether you are seeking the information from a public or private sector organisation. The Health Care Complaints Commission, the Information and Privacy Commission and the Medical Council of NSW can all assist with resolving issues relating to access to information.

  • Public Sector - If it’s a NSW public sector agency, you may be able to ask for an internal review under the Privacy and Personal Information Protection Act 1998.

The organisation may have its own review request form or, if not, you can use the IPC’s standard form and send it to the organisation. This can be found on the IPC website (https://www.ipc.nsw.gov.au/form-privacy-complaint).

You should be informed of the progress of the internal review on an ongoing basis and the review should be completed within 60 calendar days. The NSW Privacy Commissioner will also be informed of the review. Once the review is complete the agency will give you a response, which may result in access to the health information being granted.

More information about the internal review process can be found on the IPC’s website (https://www.ipc.nsw.gov.au/privacy-complaints-your-review-rights).

If you are not happy with the result, or if you have not received a result within 60 calendar days, you have 28 calendar days to apply to the NSW Civil and Administrative Tribunal (NCAT) for a review of the decision. You can find more information about that process on NCAT’s website (https://www.ncat.nsw.gov.au/ncat/how-ncat-works/how-to-apply.html).

  • Private Sector - If it is a private sector organisation or individual health service provider, you can complain directly to the NSW Privacy Commissioner.

You can do this by writing to the NSW Privacy Commissioner at ipcinfo@ipc.nsw.gov.au. Your complaint should include the details of what information you requested, where you requested it from and a copy of all your correspondence with the health provider.

The NSW Privacy Commissioner will endeavour to resolve the issue within a reasonable period of time and will keep you updated on the progress of the complaint. The NSW Privacy Commissioner may, at the conclusion of the investigation, provide a report on the findings of the complaint.

If you are not happy with the result, and if the Privacy Commissioner has written a report, you have 28 calendar days to apply to NCAT for a review of the decision, unless the Privacy Commissioner’s report states otherwise. You can find more information about that process on NCAT’s website (https://www.ncat.nsw.gov.au/ncat/how-ncat-works/how-to-apply.html).

Can an insurer get access to my health information?

Health care providers cannot release any information to a third party, including insurers or Insurance and Care NSW (icare) unless they have your written consent to do so. This consent may have been provided as part of an insurance claim such as your workers compensation claim, motor vehicle or other insurance matters.

What do I do if my health care provider has retired or closed down and I want to access my record?

Providers who are retiring or closing their practice have a responsibility to provide continuity of care for their patients.

A provider who is planning on retiring should provide you with notice of their intention to close their practice by sending you a letter or posting signs in the practice.

Providers should contact you so that you can nominate an alternative provider to whom you would like your records to be transferred or give you information about how you can access the records after the practice closes.

If you are unable to access your health information because the doctor is deceased, retired or unable to be located, unfortunately we are unable to assist you.

Do I always have a right to access my child’s records?

In most cases you may be able to access your child’s records. In circumstances where you hold parental responsibility or guardianship for a child, you may be asked to provide evidence of that arrangement.

However, between the ages of 14 and 16, young people may seek treatment without the knowledge of a parent or guardian, subject to the health care provider’s assessment of the young person’s capacity to understand the consequences of any proposed treatment. Health care providers will make a similar assessment in determining whether information can be disclosed to parents/guardians in situations where the young person has capacity to make independent decisions about their health care.

Can I obtain information about a deceased family member?

Please refer to the IPC Fact Sheet on Access to a deceased person’s health information.

How do I access my information through My Health Record?

My Health Record is a secure online summary of an individual’s health information, and is available to all Australians.[12] My Health Record does not replace existing health records. Rather, it supplements these with a high-value, shared source of patient information that can improve care planning and decision making. 

A My Health Record will be created for all Australians unless they choose not to have one and opt out of the system.

My Health Record gives you access to view summaries of your health information and manage your health information online. If you are a representative for another person, you will also be able to access their information.  To access your record, you need a MyGov account that you have linked to your My Health Record.

You can do this at https://my.gov.au/LoginServices/main/login?execution=e1s1. You can also set up access controls in My Health Record to control which providers have access to your health information.

Access under the Federal Privacy Act 1988

If the health information you are requesting is held by a private sector person, you may also have a right of access under the Federal Privacy Act 1988 which is overseen by the Federal Privacy Commissioner within the Office of the Australian Information Commissioner (OAIC). Further information can be found on the OAIC’s website: www.oaic.gov.au.

See also the IPC’s Fact Sheet: IPC Privacy Statement of Jurisdiction available here: https://www.ipc.nsw.gov.au/fact-sheet-ipc-privacy-statement-jurisdiction.

Useful resources

Information and Privacy Commission, Accessing your health information in NSW: https://www.ipc.nsw.gov.au/fact-sheet-accessing-your-health-information-nsw

Office of the Australian Information Commissioner, Accessing and correcting your health information: https://www.oaic.gov.au/privacy/health-information/

Health Care Complaints Commission, Your health information: http://www.hccc.nsw.gov.au/Information/Information-For-Health-Consumers/Your-Health-Information-/default.aspx

My Health Record: https://www.myhealthrecord.gov.au/for-you-your-family/howtos/register-for-my-health-record

For more information

Contact the Information and Privacy Commission NSW (IPC):

Freecall:           1800 472 679
Email:              ipcinfo@ipc.nsw.gov.au
Website:           www.ipc.nsw.gov.au

Next review date: February 2022

NOTE: The information in this Fact Sheet is to be used as a guide only.
Legal advice should be sought in relation to individual circumstances.

[1] Health Records and Information Privacy Act 2002; Health Privacy Principle 7

[2] ‘Health information’ is defined at section 6, HRIP Act.

[3] Section 31, HRIP Act

[4] Section 7, HRIP Act

[5] Section 8, HRIP Act

[6] ‘Personal information’ is defined at section 5, HRIP Act

[7] Section 29 HRIP Act

[8] Section 22 HRIP Act

[9] Section 22(3) HRIP Act

[10] Section 30(5) HRIP Act

[11] Section 27(6) HRIP Act
