Health records are made up of health information collected by both health service providers and non-health service providers. Health information may include details about an individual's
- physical, mental or psychological health
- use and future use of health services
- wishes regarding specific health services or treatments
- personal information collected in relation to the provision of health services
- genetic information.
Examples of health records include: hospital admission forms, medical histories, test results, sick leave certificates, medication lists and more.
Under the Health Records Act 2001 (Vic) you are obliged to collect and handle personal health information in accordance with the 11 Health Privacy Principles (HPPs). These can be summarised as:
HPP 1. Collection
Health information may only be collected if it is necessary for the provider’s functions and if the individual has given consent. Some exceptions to consent do exist. Health information must be collected lawfully, fairly, reasonably and preferably, directly from the individual.
HPP 2. Use and disclosure of health information
Organisations may only use or disclose health information about an individual for the primary purpose for which the information was collected or for a directly related and reasonably expected secondary purpose. Some exceptions exist.
HPP 3. Data quality
Organisations must take reasonable steps to ensure the health information held is accurate, complete, up-to-date and relevant to the organisation's functions or activities.
HPP 4. Data security and data retention
Organisations must protect health information from unauthorised access, modification or disclosure. Health service providers must retain health information for the period of time set out in HPP 4.2. All other holders of health information must destroy or permanently de-identify health information if it is no longer needed.
HPP 5. Openness
HPP 6. Access and correction
Individuals have a right to access and correct any health information held about them. The organisation may, in some circumstances, refuse to provide access to health information or to correct it. If so, the organisation must provide written reasons for the refusal. Some exceptions exist.
HPP 7. Unique identifiers
Organisations may only assign identifiers, such as patient identification numbers, to individuals if this step is reasonably necessary for the organisation to function efficiently.
HPP 8. Anonymity
As far as it is lawful and practicable, individuals should have the opportunity to maintain their anonymity.
HPP 9. Transborder data flows
When health information travels outside Victoria, the holder has a responsibility to ensure that the privacy of the information is safeguarded.
HPP 10. Transfer or closure of the practice of a health service provider
If a health service provider is sold, transferred or closed down, and the provider is no longer there, it must notify its current or former clients via a public notice. A notice in the practice and letters to current clients are also required. Statutory regulations apply.
HPP 11. Making information available to another health service provider
Upon request from an individual, a health service provider must make information about that individual available to another health service provider.
Victorians have the right to access or correct health information your organisation holds about them.
If an individual requests this information in person or over the phone, you can ask for it in writing. Proof of identity may also be requested. Requests made on behalf of another person must be made in writing, and must include with evidence of their authority to act on behalf of the other person.
When should I respond?
You should respond as quickly as possible to any request, and no later than 45 days after it is received.
Requests to access records
If you hold a person's health records, they can ask to see them. This can mean letting them inspect the information, sending them a copy or a summary of the information or allowing them to view the information with an accompanying explanation from a health service provider.
If the person's information was collected before 1 July 2002, and you have not seen them since, an accurate summary of the information is all you are obliged to provide.
Can I charge fees to access health records?
Yes, but any fees you charge to cover the cost of preparing and copying the information for people are capped under the Health Records Regulations 2012.
Can I refuse a request?
In some cases, you can deny access – but you must provide a written explanation for doing so. Legislation only allows you to refuse access if:
- providing access would, in your opinion:
- have an unreasonable impact on the privacy of other people
- reveal the intentions of your organisation in relation to negotiations, other than about the provision of a health service, with the individual in such a way as to expose the organisation unreasonably to disadvantage
- be unlawful
- be likely to prejudice an investigation of possible unlawful activity
- be likely to prejudice a law enforcement function by or on behalf of a law enforcement agency
- the information:
- relates to existing legal proceedings between the individual and your organisation and the information would not be accessible by the process of discovery in those proceedings or is subject to legal professional privilege
- denying access is required or authorised by law
- a law enforcement agency performing a lawful security function asks the organisation not to provide access to the information on the basis that providing access would likely damage Australia's security
- the individual has already unsuccessfully made a request for the information at least once before and there are no reasonable grounds for making the request again
- they've already been provided with access to the health information and are making an unreasonable, repeated request for access to the same information in the same way.
In addition, the law requires that the holder of health information must not grant access when:
- you believe on reasonable grounds that giving access would pose a serious threat to the individual's life or health or the life or health of any other person and
- the health information has been provided in confidence by a person other than the individual or another health service provider (such as a relative or friend) on the understanding that the information would not be revealed to them.
Can those denied access on the grounds that it would pose a serious threat to their life or health get a second opinion?
Yes, they can nominate another health service provider to review the decision. In most cases, organisations accept these nominations. If you don’t accept a nomination, the individual may choose another one. After viewing the information and discussing it with you, the nominated person will decide whether the information should be made available.
Requests to correct health records
If you hold a person's health records and they believe the information you hold is incorrect, they can ask to correct it.
You can either:
- agree to correct the information, and
- take reasonable steps to make the information accurate, complete and up-to-date, or,
- if there are reasons why the information cannot be altered, ensure the incorrect information is not available to future health service providers or
- not agree to correct the information if you believe the information is correct, complete and up-to-date. In this case, the individual can provide you with a written statement detailing the items they want corrected, and you must keep this statement with their records.
If you correct the information, you are obliged to notify any other health service provider you disclosed the original information to, so they can correct their information also.
Even if the individual requests it, you are not allowed to delete the information, unless:
- in the case of a health service provider, it is at least seven years since the individual was last provided with a health service, or if they were last treated when they were under 18 years of age and have since reached 25 years of age
- in the case of a non-health service provider, you no longer need the information for the purpose you collected it.
Can I charge fees for correcting health information?
Consent means permission. Consent is only valid when:
- the individual has capacity to give consent
- it is voluntary
- it is informed
- it is specific to the circumstances
- it is current.
You should refer to the full text of the relevant guidelines and legislation to understand your obligations. These include:
- Health Records Act 2001 (Vic)
- Health Records Regulations 2012 (Annual increase in fees for access to health information)
Other legislation is listed here.
Online training about the Health Records Act and health privacy principles can be taken any time.
This free introductory course will benefit staff at Victorian private sector organisations who deal with the collection, handling or disclosure of health information.
Start now: Health Records Act training portal
(This course is provided by e3 Learning Solutions. Any questions about using this training portal should be directed to them.)
We also hold face-to-face training sessions in health records management, complaint handling and more. See our events page for upcoming sesions.