Health records – releasing and withholding

It is common for practitioners and practices to receive requests for health records of their patients. 
Often it is the patient requesting a copy of their records.  However, requests can also come from:
  • Someone responsible for a patient, such as a parent, other family member or guardian
  • Another practitioner taking over the patient’s care
  • Family members of a patient after the patient has died
  • Government bodies, such as those involved in child protection or social services
  • Insurers or lawyers in the context of insurance or other legal matters
MIGA’s resource “Providing health records to others – subpoenas and other requests” deals with the issues to consider when providing records to someone other than the patient or those responsible for them.
Requests for access
Patient requests for access to information can come in a variety of forms. 
Requests require a response within a reasonable timeframe, usually 30 days.  A longer period may be justified if records need to be accessed from a remote location or require other significant work to access them. 
Access should be provided, where possible, in the form in which the patient requested.  Usually, this is through provision of the health records themselves. 
A reasonable fee can be charged for providing access.  Usually, this would include the cost of copying records and / or time taken by the relevant practitioner or staff member in meeting the request.  Whether a charge is excessive can depend on a variety of factors, including volume of information and practice resources.  It is not usually appropriate to charge a fee for significant time spent in reviewing the records. 
Withholding health records
Issues can arise about whether to withhold health records. 
There are various grounds for refusing access to some or all information, including:
  • a reasonable belief access would pose a serious threat to the life, health or safety of the patient, another person or public generally – an example could be where a patient may be extremely distressed by what is in their records, and its discovery could pose a risk of serious harm to them
  • where access would unreasonably impact upon another individual’s privacy – for example, it may include information in a clinical record from a family member, which is of a particularly sensitive nature
  • under law or court/tribunal order – for example, this could arise in a family law case if a court has made orders around confidentiality
Even if it is appropriate to refuse a request for access, practitioners are required to consider whether a form of access could be provided.  This might include a summary of information, providing it to another agreed person, or discussing the information with the patient in consultation.
If you believe there may be grounds for refusing a request for health records by a patient in whole or in part, you should contact MIGA Claims and Legal Services Team before making a decision on whether to withhold or release records. 
If access is refused in full or in part, a written notice must be given to the patient, setting out the reasons for the refusal and complaints mechanisms available.  As detailing reasons may escalate a risk of harm to a patient, it would normally be appropriate to simply refer to the grounds for refusal, not the facts behind it. 
Families / guardians requesting records
Issues can arise where records are being requested by a parent, family member or guardian. 
The key question is whether the requesting person has the appropriate authority. 
Normally, parents and guardians are considered to have sufficient authority to access records for children and others who they are responsible for. 
If a child is a ‘mature minor’ or ‘Gillick competent’ sufficient to have capacity to decide whether another should access their health records, their views should be sought and usually followed.  MIGA’s resource Consent for minors provides more information on this issue.
In situations involving separated or divorced parents, it is important know the terms of any court orders, including if they deal with responsibility for health care decisions or who can access information.  It may be appropriate to liaise individually with both parents about a request by one of them.  There may also be issues of whether information can be provided if there are risks of harm to the child in question, or others. 
Privacy and confidentiality obligations to a patient continue after their death.  Usually an executor or administrator of a patient’s estate will have authority to access their health records.  However, there can be circumstances in which it may be appropriate to disclose records to family members, such as for compassionate reasons, but this can depend on where you are in Australia.  It is important to be cautious about releasing information where there may be disputes between family members. 
If you are uncertain about whether the person responsible for a patient has appropriate authority to access their health records, contact MIGA Claims and Legal Services Team. 
Releasing records
When providing a copy of health records to a patient or another person or body, it is important to maintain a record of where, to whom and when the records were transferred.
Ideally documents sent via email should be encrypted to ensure the safe exchange of confidential information.
Alternatively, transfer records by securely copying password protected records onto a disc or USB device.
Regular mail is generally a reliable and appropriate method of transfer for parts of health records including referrals and test results.  However, there may be some circumstances where a more ‘secure’ method of transfer is appropriate, such as provision of complete health records. 
Further information

Insurance policies are issued by Medical Insurance Australia Pty Ltd.  MIGA has not taken into account your personal objectives or situation.  Before you make any decisions about our policies, please review the relevant Product Disclosure Statement (which can be found here) and consider your own needs.