Who holds my health information?

Health service providers such as hospitals and dentists, and organisations such as schools, gyms, insurers, employers and government agencies, all collect and hold personal and health information as health records. Health service providers and organisations may hold your medical histories, test results, sick leave certificates, medication lists and more.

What can providers do with my health records?

Health information should be collected with your consent and used or disclosed for the primary purpose it was collected, or for a directly related and reasonable secondary purpose. Health information can only be used or disclosed for a non-related purpose in some circumstances, such as when there's a serious risk to someone or the information is needed to evaluate the service you received.

Any service provider collecting your information must ensure the information is up-to-date and relevant to their work. They must also store, transfer and dispose of health information securely to protect your privacy. If a health service provider moves premises or closes down, they must post a public notice about what will happen with their records and how you can access your health records. 

Further information about these obligations is available at Health Records: Providers.

The Health Privacy Principles are contained in Schedule 1 of the Health Records Act 2001.

Accessing or correcting health records

You have the right to view or get a copy of your health information and to have your records amended if they're incorrect. You can also ask to have your records sent to another health service provider.

If you want to access your health information held by the Victorian Government or another public sector organisation, you will need to follow the processes under the Freedom of Information Act 1982.

Health records held by the Victorian Government or by public sector organisations such as public hospitals, WorkSafe, maternal and child health services or public schools are subject to the Freedom of Information Act 1982.

If you want to amend or get a copy of health information held by a public sector organisation, you can make a Freedom of Information (FOI) request to the relevant organisation's FOI Officer. The FOI Officer can explain this process to you.

The Office of the Victorian Information Commissioner (OVIC) in November 2022 released the following practice note:

'Individuals seeking access to their own health records is the most common request for information made under the Freedom of Information Act 1982 (Vic) (FOI Act). However, the FOI Act is not the only way in which individuals can access health records held by Victorian public sector agencies. Mechanisms for informal release exist under both the Health Services Act 1988 (Vic) (Health Services Act), and Health Records Act 2001 (Vic) (Health Records Act).

Victorian public sector agencies (agencies) holding health records include public hospitals, denominational hospitals, region based health services, local councils, and departments.

Often the most efficient method for releasing an individual’s health records will be to do so informally, under the provisions of either the Health Services Act or Health Records Act. Noting this, it is appropriate and sometimes necessary to process requests for health records under the FOI Act.

This practice note details the circumstances in which agencies are permitted to informally release health records under the Health Services Act or Health Records Act, as well as some practical considerations.

It also details how to maximise disclosure and efficiencies when releasing health records under the FOI Act. References in this practice note to a request by an individual for their health records means a request by an individual for their health records, or by their representative or next of kin'.

You can read the full practice note below, or obtain further information from the OVIC website.

Complaints about the handling of FOI requests

Complaints about the handling of FOI requests should be directed to the Victorian Information Commissioner.

For health records held by private sector organisations such as private hospitals, GPs, psychologists, employers and insurers, you can request access to or correction of your health records under the Health Records Act 2001. If you are unable to resolve your request directly with the provider, you can lodge a complaint with us. We are here to help all parties understand their rights and obligations regarding personal health information.

Making a health record access or correction request

Your request should include:

  • Your full name, address and date of birth.
  • For access requests: a description of the information you're requesting and whether you require a summary or a full copy, or want to view your records in person.
  • For correction requests: a description of the information you want to correct, the correct information and proof the existing information is inaccurate, incomplete, misleading or out-of-date.

If you make your request over the phone or in person, you may be asked to put your request in writing. You may also be asked to provide proof of your identity. If you are making a request on behalf of another person, your request must be made in writing, and must include evidence of your authority to act on the other person's behalf.

When can I expect a response?

The organisation should respond to all requests without unreasonable delay. They have a maximum of 45 days to respond to access requests, or 30 days for correction requests.

What form of access to records is available?

If a private sector organisation holds your health records, you can ask to see them. You have the option of inspecting the information, receiving a copy or summary of it or having it explained by a health service provider. Different fees apply depending on the form of access.

Will I have to pay to access my records?

Organisations may charge a fee to give you access to your information, but the amount they can charge is limited by health records regulations. Refer to Fees to access health information.

Can they refuse my request?

In some cases, your request may be refused. However, the organisation must provide an explanation for the refusal in writing. You may be refused access to the records if access would impact on someone else's privacy, if giving access would pose a serious threat to any person, or for other reasons under the Act.

If you’ve already been given access to the information, or tried and failed before, you will need to justify making the same request again.

Organisations holding the health information about you must not give you access when:

  • they believe it would pose a serious threat to someone's life or health
  • the information has been provided in confidence on the understanding it would not be revealed to you.

More detail on the reasons for refusing a request can be found under Health Privacy Principle 6 of the Health Records Act 2001.

If I’m denied access on the grounds it would endanger my life or health, can I get a second opinion?

Yes. You can nominate another health service provider to review the decision. In most cases, the organisation will accept your nomination. If they don’t, you may need to choose another one. After viewing the information and discussing it with the organisation, your nominated health provider will decide if you should have access or not.

What if I'm denied full access to my health records?

You can complain to us. Complete the online form or phone 1300 582 113 between 9:30am and 3:30pm, Monday to Friday, to discuss your options.

Requests to correct health records

If a private sector organisation holds your health records, but you believe the information is not accurate, complete or up-to-date, you can ask to correct the information. You must make clear what the accurate information is. The organisation cannot erase the incorrect information.

Where an organisation corrects your information, the organisation must also notify any other provider it shared the information with so they can update their information, too.

If the organisation agrees to correct your information but, for some reason, the information cannot be changed, they must ensure the incorrect information is not available to future health service providers.

If the organisation refuses your request, they must store the written statement about what you wanted corrected with their existing information.

A private health service provider cannot delete your information until seven years have passed since they last provided you a health service or, if they last treated you when you were under 18 years old, until you have reached 25. Non-health service providers must delete your health information if it is no longer needed for the purpose they collected it.

Will I have to pay to correct my records?

No.

What if they refuse to correct my records?

You can complain to us. Complete the online form or phone 1300 582 113 between 9:30am and 3:30pm, Monday to Friday, to discuss your options.

The maximum fees an organisation can charge people to access their health information under the Health Records Act 2001 are capped by the Health Records Regulations 2023. The ‘fee units’ increase each year in line with general cost increases. For this period one fee unit is worth $15.90.

| For an organisation to... | The maximum fee is... |
| --- | --- |
| Supervise inspection of records (under schedule 1, items 1 and 2). | $19.10 (1.2 fee units) per half hour. This can also be charged in quarter-hour increments. |
| Use equipment they don't have, for inspection or viewing of health records (under schedule 1, item 1, c). | Reasonable costs to obtain the equipment. |
| Provide a copy of health records to the person (under schedule 1, item 3, a and b). | 20 cents per page for A4 black and white. Reasonable costs otherwise, including for electronic copies. |
| Assess and collate health records to provide the person a copy (under schedule 1, item 3c). | $39.70 (2.5 fee units). |
| Transport items held off site (under schedule 1, item 3d). | $19.10 (1.2 fee units). |
| Post records (under schedule 1, item 3e). | Actual postage cost. |
| Provide an accurate summary of records to the person (if a summary does not already exist) (schedule 1, item 4). | The usual consultation fee (if a health service provider), or $46.10 (2.9 fee units) per quarter hour up to $149.50 (9.4 fee units), whichever is more. |
| Provide a copy of health records to another health service provider (under schedule 2, item 1). | 20 cents per page for A4 black and white, if at least 20 pages. Reasonable costs otherwise, including for electronic copies. |
| Provide a summary of health records to another health service provider (if a summary does not already exist) (under schedule 2, item 2). | The usual consultation fee (if a health service provider), or $46.10 (2.9 fee units) per quarter hour up to $149.50 (9.4 fee units), whichever is greater. Only applies if time taken to prepare is at least 15 minutes. |
| Function as a nominated health service provider under section 42 of the Health Records Act 2001 (under regulation 7). | Reasonable costs not exceeding $74.70 (4.7 fee units) per quarter hour, up to $375.20 (23.6 fee units). |

The maximum fees an organisation can charge people to access their health information under the Health Records Act 2001 are capped by the Health Records Regulations 2012. The ‘fee units’ increase each year in line with general cost increases. For this period one fee unit is worth $15.29.

| For an organisation to... | The maximum fee is... |
| --- | --- |
| Supervise inspection of records (under schedule 1, items 1 and 2). | $18.30 (1.2 fee units) per half hour. This can also be charged in quarter-hour increments. |
| Use equipment they don't have, to provide access to health records. | Reasonable costs to obtain the equipment. |
| Provide a copy of the health records to the person (under schedule 1, item 3a and b). | 20 cents per page for A4 black and white. Reasonable costs otherwise, including for electronic copies. |
| Assess and collate health records to provide the person a copy (under schedule 1, item 3c). | $38.20 (2.5 fee units). |
| Transport items held off site (under schedule 1, item 3d). | $18.30 (1.2 fee units). |
| Post records (under schedule 1, item 3e). | Actual postage cost. |
| Provide an accurate summary of records to the person (schedule 1, item 4). | The usual consultation fee (if a health service provider), or $44.30 (2.9 fee units) per quarter hour up to $143.70 (9.4 fee units), whichever is more. |
| Provide a copy of health records to another health service provider (under schedule 2, item 1). | 20 cents per page for A4 black and white, if at least 20 pages. Reasonable costs otherwise, including for electronic copies. |
| Provide a summary of health records to another health service provider (under schedule 2, item 2). | The usual consultation fee (if a health service provider), or $44.30 (2.9 fee units) per quarter hour up to $141.30 (9.4 fee units), whichever is greater. Only applies if time taken to prepare is at least 15 minutes. |
| Function as a nominated health service provider under section 42 of the Health Records Act 2001 (under regulation 7). | Reasonable costs not exceeding $71.90 (4.7 fee units) per quarter hour, up to $360.80 (23.6 fee units). |

A legal representative of a deceased person has a right of access to the health information of the deceased person that is held by a Victorian private sector organisation, and can make decisions about what happens to the health information.

A legal representative is defined under the Health Records Act 2001 as someone who is:
(a) the executor of the will of the deceased person where probate of the will has been granted; or
(b) holding office as administrator of the estate of the deceased person.

The fees for access as set by the Health Records Regulations 2023 can be charged. An organisation that receives an access request involving a deceased person's records is able to rely on the exemptions to access in Health Privacy Principle 6, section 26 and section 27 (see below) if it seeks to refuse access to the health information. The Act requires that an organisation must not give an individual access to the health information it holds about them (including about a deceased person) if:

  • the organisation believes on reasonable grounds that giving access would pose a serious threat to the individual’s life or health or the life or health of any other person (Section 26), or
  • the health information has been provided in confidence by a person other than the individual or a health service provider (such as a relative, friend or employer) with a request that the information not be communicated to the individual (Section 27).

Note: this is different to the situation under the Freedom of Information Act 1982, which recognises a deceased person’s next of kin as having rights.