Patient access to medical records: a guide for health service providers

16 May 2024

Introduction

To coincide with the recent Privacy Awareness Week (PAW) this article is a timely reminder for health service providers to consider their obligations when they receive a request from a patient to access their medical records.

Legislative overview

The Federal Privacy Act 1988 (Act) provides a patient with the right to access their own medical records from private and public health service providers in all States and Territories. The Act applies to organisations that provide health services and hold health information regardless of the size of their business.

Tasmania does not have specific privacy legislation for the private health sector; however, the Personal Information Protection Act 2004, together with the Right to Information Act 2009, may allow a patient to access their medical record held by a Tasmanian or Commonwealth public institution or government agency, for example, a public hospital.

What can a patient access?

The scope of a patient’s access rights is quite broad and encompasses a patient’s personal information. For the purposes of the Act, “personal information” is information about a living individual who can be identified, or whose identity could be reasonably ascertained, from the information. “Health information” is a subset of personal information and includes information collected whilst providing a health service.

What to do when a request for access is received?

A health service provider, such as a private hospital, must provide a patient with access to health information held by the provider on request except to the extent that:

  • providing access to the information would pose a serious threat to the life or health of any individual;
  • providing access would have an unreasonable impact on the privacy of other individuals;
  • the request for access is frivolous or vexatious;
  • providing access would be unlawful; or
  • denying access is required or authorised by or under law – for example, a court order providing that a health service provider is not required to provide the information.

Other grounds for refusal set out in the Australian Privacy Principles (APPs) within the Act may apply.

Before relying on any one of the grounds provided for in the APPs, the provider should consider whether redacting some information would enable access to be provided, for example, redacting personal information about another person. It would be unwise to apply a standard practice of redacting all third-party information from medical records, such as the names of the staff who treated the patient, before providing access. Before releasing information, providers should establish that the person making the request is in fact the patient. Ideally, a three-point identity verification should be carried out. Any request for access should be considered by the health service provider on a case-by-case basis.

What is the way to provide access?

The patient’s intended use of the information contained within the medical records should not guide the response to a request for access. A patient may request access to investigate the care provided and to determine the identity of a health practitioner. While health service providers may not be comfortable providing medical records in these circumstances, this is not a valid ground for refusal.

It would not be appropriate to ask the patient or their legal practitioner to give an undertaking that the requested information will not be used in litigation against the health service provider in return for a quicker release free from redactions.

It is not unusual for a patient to request their entire medical record. Again, while a health service provider may not be comfortable providing the entire medical record, this is not a valid ground for refusal. Notwithstanding this, the health service provider is entitled to assess the practical implications of providing access to the entire medical record and to consider acceptable alternatives. One alternative is to provide access to the patient’s medical files in a room at the organisation’s premises.

While the APPs give the health service provider flexibility to tailor the handling of personal information to suit their business, they should also consider the diverse needs of the patient requesting access. The presence of personal information about the provider’s staff which relates to the performance of their regular duties (for example, their name, position or work contact details, which may otherwise be publicly available) is generally not a reason to refuse access unless one of the grounds for refusal applies.

Key takeaways

  • Patients may access all their personal information held by the health service provider, subject to limited exceptions.
  • A health service provider is not required to provide access if they reasonably believe:
    • it would unreasonably impact the privacy of another individual; or
    • it may threaten the life, health or safety of another person or the public.
    Other exceptions to providing access may apply.

  • Whether a patient has a right to access files containing health information involves an assessment of the facts. However, it would be unwise to seek an undertaking from a patient or their legal representative not to pursue possible litigation in return for release or to apply a blanket policy of redacting all third-party information in the records.
  • Make sure it is the patient to whom you are releasing the information.

As a result of the major reforms to the Act 10 years ago, most health service providers have a dedicated team or person for managing patient requests for access. However, if a health service provider is unsure whether they are covered by the Act, what they should do when they receive a request for medical records, or whether a ground for refusal applies, they should contact their insurer or speak to one of our lawyers at Page Seager for professional advice.