Fact Sheet - A guide to retention and storage of health information in NSW for private health service providers
November 2022
This fact sheet has been designed to assist private health care providers and citizens to understand the obligations and responsibilities in retaining and storing health information in accordance with New South Wales privacy laws. Please note that this fact sheet is only applicable to private health providers and not public sector agencies.
How long must a private health service provider retain a patient's health information?
The required length of time depends on whether the patient’s health information was collected when the patient was under the age of 18 years or an adult.
If the patient was an adult (over the age of 18) when the health information was collected
A health service provider must retain a patient's health information for 7 years from the last occasion when a health service was provided.
For example, if a health service provider collected information from an individual aged 25 years and the individual last attended a consultation at the health service provider on 31 June 2015 at which a health service was provided, the health service provider must retain the health information for 7 years from this date. In this scenario, the health service provider must retain the health information until 31 June 2022.
If the patient was under the age of 18 when the health information was collected
If a patient’s health information was collected when they were under the age of 18, the health service provider must retain the patient’s health information until the patient is 25 years old.
For example, suppose a health service provider collected information from an individual who was 15 years old at the time and who last attended a consultation with the health service provider in 2012. In this scenario the health service provider must retain the patient’s health information until the patient turns 25, in 2022. It is important to note that the retention period will depend on the age of the individual and when they were last provided with a health service.
What steps must be undertaken to ensure health information is secured?
The Health Privacy Principles prescribe that health service providers must have security safeguards that are reasonable in the circumstances to protect against unauthorised access to, and other misuse of, the health information they hold. The appropriate level of security will depend on various factors, including the nature of the information and the medium in which it is stored. A discussion of some relevant measures can be found in the Office of the Australian Information Commissioner’s “Guide to securing personal information”.
The Privacy Commissioner encourages Health Service Providers to adopt the principles of Privacy by design in their approach to record-keeping, including consideration of appropriate security measures throughout the ‘lifecycle’ of the health information involved.
What happens after health information is deleted?
A health service provider must dispose of the health information securely and in accordance with any requirements for retention and disposal. The health service provider must also keep a record noting the:
- name of the individual whose health information has been deleted
- period covered
- date the health information was deleted or disposed of.
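The retention rules above (7 years from the last health service for information collected from an adult, or until the patient turns 25 for information collected from a child) and the disposal record are straightforward to encode so that a record is never destroyed early and every disposal leaves the required audit entry. The following is an added worked example, not code from the IPC or from any project; the patient records, dates and the register layout are constructed for illustration, and the 18-year threshold is applied as "under 18 at the time of collection" as the fact sheet states.

```python
from dataclasses import dataclass
from datetime import date

# Constructed example types; not an IPC or statutory data model.


@dataclass(frozen=True)
class PatientRecord:
    patient_name: str
    date_of_birth: date
    collected_on: date      # when the health information was collected
    last_service_on: date   # last occasion a health service was provided


def age_on(dob: date, on: date) -> int:
    """Whole years of age on a given date."""
    years = on.year - dob.year
    if (on.month, on.day) < (dob.month, dob.day):
        years -= 1
    return years


def add_years(d: date, years: int) -> date:
    """Add calendar years; 29 February falls back to 28 February when needed."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_deadline(rec: PatientRecord) -> date:
    """Earliest date on which the record may be disposed of under the rules
    described in the fact sheet (minimum retention, not an expiry)."""
    if age_on(rec.date_of_birth, rec.collected_on) < 18:
        # Collected from a child: keep until the patient is 25 years old.
        return add_years(rec.date_of_birth, 25)
    # Collected from an adult: 7 years from the last health service.
    return add_years(rec.last_service_on, 7)


def may_dispose(rec: PatientRecord, today: date) -> bool:
    return today >= retention_deadline(rec)


def disposal_register_entry(rec: PatientRecord, disposed_on: date) -> dict:
    """Refuse early disposal; otherwise return the register entry the fact
    sheet requires (name, period covered, date of disposal)."""
    if not may_dispose(rec, disposed_on):
        raise ValueError(
            f"{rec.patient_name}: must be retained until "
            f"{retention_deadline(rec).isoformat()}"
        )
    return {
        "name": rec.patient_name,
        "period_covered": (rec.collected_on, rec.last_service_on),
        "disposed_on": disposed_on,
    }


# Constructed sample records (names and dates are illustrative only).
ADULT = PatientRecord("A. Example", date(1990, 1, 1),
                      date(2015, 6, 30), date(2015, 6, 30))   # aged 25 at collection
CHILD = PatientRecord("B. Example", date(1997, 3, 15),
                      date(2012, 5, 10), date(2012, 5, 10))   # aged 15 at collection

if __name__ == "__main__":
    for rec in (ADULT, CHILD):
        print(rec.patient_name, "retain until", retention_deadline(rec))
    print(disposal_register_entry(ADULT, date(2022, 7, 1)))
```

The deadline is a floor, not a trigger: `may_dispose` only says disposal is permitted, and any other applicable obligation (for example under the My Health Records system mentioned later in this fact sheet) would still need to be checked before a record is destroyed.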
If records are transferred to a new health service provider, what steps must the original provider take?
If you have transferred a patient’s records to another health service provider, you must retain a record of the name and address of the other health service provider. You should also keep a record of the patient’s name and the date the transfer occurred. Further information about providing access to health information can be found in the IPC guidance listed under “Other useful resources” below.
Are health records allowed to be retained electronically?
Health records are allowed to be kept in an electronic form, but only if it is possible to print the electronic copy on paper. If health records are retained electronically, health service providers must ensure that health information is secured, in accordance with Health Privacy Principle (HPP) 5.
What if a patient wants to obtain their medical records after their health service provider retires or has passed away?
The IPC is unable to locate retired medical providers in order to obtain access to medical records. As such, a patient will need to be able to identify the health service provider and have made a request for access to their medical records before seeking assistance from the IPC.
Are there other record keeping requirements that apply to private health providers?
Private health service providers are encouraged to consider additional obligations regarding retention and secure storage that may be applicable. For example, private health providers may have additional retention and storage obligations under the My Health Records system that is administered by the Australian Digital Health Agency.
For further information about privacy obligations under the My Health Records Act 2012 (Cth), you can contact the Office of the Australian Information Commissioner.
Other useful resources
Other resources that may be useful on this topic include:
- Providing access to health information – guidance for health care providers
- OAIC Guide to Health Privacy www.oaic.gov.au/privacy/guidance-and-advice/guide-to-health-privacy
For more information
Contact the Information and Privacy Commission NSW (IPC):
Document review date: November 2024
NOTE: The information in this Fact Sheet is to be used as a guide only. Legal advice should be sought in relation to individual circumstances.
Notes
- Health Records and Information Privacy Act 2002.
- Section 25(1) of the HRIP Act
- Section 25(1)(a) of the HRIP Act
- Section 25(1)(b) of the HRIP Act
- Schedule 1 clause 5(1)(c) of the HRIP Act (HPP 5)
- EIG v North Sydney Council NSWCATAD 66
- Section 25(2) of the HRIP Act
- Section 25(3) of the HRIP Act
- Section 25(4) of the HRIP Act