Medical record keeping and privacy obligations for private practices

Medical record keeping and privacy obligations for private practices

All registered medical practitioners have legal and professional obligations to make and maintain medical records. Good medical records are also essential for the provision of good patient care.

All health information regarding a patient, including correspondence from other health professionals, forms part of a patient’s medical record. 

Medical practitioners must take all reasonable steps to protect the security of medical records. 

A medical record should be sufficiently detailed to enable another medical practitioner to step in and take over the patient’s care without the need to speak with the medical practitioner who created the entries in the medical record.

Medical Record Content 

The following are the record keeping requirements registered medical practitioners are required to meet:

• Making and keeping records that are accurate, up to date and legible. 
• Reporting relevant details of clinical history, findings, investigations, diagnosis, information given to patients, medication, referrals, and other management in a way that can be understood by other health practitioners.
• Ensuring that your medical records are held securely and are protected against unauthorised access.
• Ensuring that your medical records show respect for your patients and do not include demeaning or derogatory remarks.
• Ensuring that the records are sufficient to facilitate continuity of patient care.
• Making records at the time of the events, or as soon as possible.
• Dating any changes and additions to medical records, including when the record is electronic.
• Recognising patient’s right to access information contained in their medical records and facilitating that access.
• Promptly facilitating the transfer of health information when requested by the patient or third party with requisite authority.
• Retaining records for the period required by law and ensuring they are destroyed securely when they are no longer required.

Retention of Medical Records

The minimum period of time for keeping medical records are as follows:

• For an adult – seven years from the date of the last entry in the medical record.
• For a patient under the age of 18 – until the patient attains or would have attained 25 years of age.

Destruction of Medical Records

Once the time for keeping medical records has expired, medical records may be destroyed. They must be destroyed in a manner that preserves the confidentiality of the information contained therein. For example, for physical medical records, practices should consider the use of a secure document destruction service, to securely dispose of the information and protect patient confidentiality. For electronic records, we recommend seeking specialist IT advice to ensure this requirement is met. 

A register for the destruction of medical records should be maintained. 

Requests for Medical Records 

A legal and professional duty to uphold patient confidentiality and privacy exists for registered medical practitioners and practices. 

Medical practitioners may be asked to provide medical records to patients or third parties. Records should only be released if:

• A valid authority is provided by a patient
  A patient has a general right to access a copy of their records held by a doctor in private practice under Privacy Laws or may authorise disclosure to a third party.
• There is a legal obligation to do so
  This will usually be sought by way of a subpoena or summons. There may also be other situations where there is a specific legislative requirement to produce records, such as during an audit by Medicare Australia or as a part of an investigation by the Police. Patient consent is not required before releasing records when doing so as required by law.
• There is a public interest exception that favours release
  This typically involves a situation where there is a serious risk to an individual’s life, health, or safety, or to public health, or safety.

If access to the medical records is given, we recommend keeping a written note of this request, which is dated and signed by the patient.

There are limited circumstances when a request for access may be refused. For example, where disclosure would cause a serious threat to the health or safety of a patient or third party. If access to the records is denied, we recommend advising the patient of this decision in writing and keeping this in the patient’s file. It may be appropriate to facilitate access through a third party.

Fees

Practices have the discretion to request a fee which covers the cost of fulfilling a request for access to medical records, but this fee should not be excessive to discourage patients from their right to accessing their records. 

Timing

The Office of the Australian Information Commissioner (OAIC) recommends that the total time for processing a patient request for access request should not exceed 30 days.

Amendment of medical records

Under Privacy Laws patients have a right to request the correction of information contained in a medical record. 

If a request is made to amend information in an entry made in a medical record, the information must not be deleted, but instead make an entry noting the request made by the patient. 

If you have any queries about your medical record keeping requirements, please contact the Workplace Relations Team workplace@amansw.com.au or (02) 9439 8822.  

Contributed by Dominique Egan and Sarah Morian