Health Records

Who holds my health information?

Health service providers such as hospitals and dentists, and organisations such as schools, gyms, insurers, employers and government agencies, all collect and hold personal and health information as health records. Health service providers and organisations may hold your medical histories, test results, sick leave certificates, medication lists and more.

What can providers do with my health records?

Health information should be collected with your consent and used or disclosed for the primary purpose it was collected, or for a directly related and reasonable secondary purpose. Health information can only be used or disclosed for a non-related purpose in some circumstances, such as when there's a serious risk to someone or the information is needed to evaluate the service you received.

Any service provider collecting your information must ensure the information is up-to-date and relevant to their work. They must also store, transfer and dispose of health information securely to protect your privacy. If a health service provider moves premises or closes down, they must post a public notice about what will happen with their records and how you can access your health records.

Details of these obligations are listed under the Health Privacy Principles in Schedule 1 of the Health Records Act 2001.

Accessing or correcting health records

You have the right to view or get a copy of your health information and to have your records amended if they're incorrect. You can also ask to have your records sent to another health service provider.

If you want to access your health information held by the Victorian Government or another public sector organisation, you will need to follow the processes under the Freedom of Information Act 1982.

Health records held by the Victorian Government or by public sector organisations such as public hospitals, WorkSafe, maternal and child health services or public schools are subject to the Freedom of Information Act 1982.

If you want to amend or get a copy of health information held by a public sector organisation, you can make a Freedom of Information (FOI) request to the relevant organisation's FOI Officer. The FOI Officer can explain this process to you.

Complaints about the handling of FOI requests should be directed to the FOI Commissioner.

For health records held by private sector organisations such as private hospitals, GPs, psychologists, employers and insurers, you can request access to or correction of your health records under the Health Records Act 2001. If you are unable to resolve your request directly with the provider, you can lodge a complaint with us. We are here to help all parties understand their rights and obligations regarding personal health information.

Making a health record access or correction request

Your request should include:

  • Your full name, address and date of birth.
  • For access requests: a description of the information you're requesting and whether you require a summary, a full copy or if you want to view your records in person.
  • For correction requests: a description of the information you want to correct, the correct information and proof the existing information is inaccurate, incomplete, misleading or out-of-date.

If you make your request over the phone or in person, you may be asked to put your request in writing. You may also be asked to provide proof of your identity. If you are making a request on behalf of another person, your request must be made in writing, and must include evidence of your authority to act on the other person's behalf.

When can I expect a response?

The organisation should respond quickly. Organisations have 45 days to respond once they have received a request.

What form of access to records is available?

If a private sector organisation holds your health records, you can ask to see them. You have the option of inspecting the information, receiving a copy or summary of it or having it explained by a health service provider. Different fees apply depending on the form of access.

Will I have to pay to access my records?

Organisations may charge a fee to give you access to your information, but the amount they can charge is limited under the Health Records Regulations.

Can they refuse my request?

In some cases, your request may be refused. However, the organisation must provide an explanation for the refusal in writing. You may be refused access to the records if access would impact on someone else's privacy, if giving access would pose a serious threat to any person, or for other reasons under the Act.

If you’ve already been given access to the information, or tried and failed before, you will need to justify making the same request again.

Organisations holding the health information about you must not give you access when:

  • they believe it would pose a serious threat to someone's life or health
  • the information has been provided in confidence on the understanding it would not be revealed to you.

More detail on the reasons for refusing a request can be found under Health Privacy Principle 6 of the Health Records Act 2001.

If I’m denied access on the grounds it would endanger my life or health, can I get a second opinion?

Yes. You can nominate another health service provider to review the decision. In most cases, the organisation will accept your nomination. If they don’t, you may need to choose another one. After viewing the information and discussing it with the organisation, your nominated health provider will decide if you should have access or not.

What if I'm denied full access to my health records?

You can complain to us. Complete the online form or phone 1300 582 113 between 9am and 5pm, Monday to Friday, to discuss your options.

Requests to correct health records

If a private sector organisation holds your health records, but you believe the information is not accurate, complete or up-to-date, you can ask to correct the information. You must make clear what the accurate information is. The organisation cannot erase the incorrect information.

Where an organisation corrects your information, the organisation must also notify any other provider it shared the information with so they can update their information, too.

If the organisation agrees to correct your information but, for some reason, the information cannot be changed, they must ensure the incorrect information is not available to future health service providers.

If the organisation refuses your request, they must store the written statement about what you wanted corrected with their existing information.

A private health service provider cannot delete your information until seven years have passed since they last provided you a health service or, if they last treated you when you were under 18 years old, until you have reached 25. Non-health service providers must delete your health information if it is no longer needed for the purpose they collected it.

Will I have to pay to correct my records?


What if they refuse to correct my records?

You can complain to us. Complete the online form or phone 1300 582 113 between 9am and 5pm, Monday to Friday, to discuss your options.