Access to patient health records
‘Access’ relates to an individual’s right to see their own health information; ‘privacy’ relates to the right of an individual to prevent or limit access to health information or other private information to other parties.
In Australia, the Australian Privacy Principles (APP) set out the requirements for access to and management of personal information. The APP are legally binding and appear at Schedule 1 to the Privacy Act 1988 (Cth).
In Aotearoa New Zealand, the requirements for managing the privacy of health records is set out in the Privacy Act 1993, the Official Information Act 1982, and the Health and the Disability Commissioner Code of Rights.
Patient access to health records
Right of access includes specialists’ reports and letters, regardless of whether the specialist’s letter states that it is not to be released to a third party without the permission of the author. Subject to any limitations set out in the legislation, patients are legally entitled to:
- access to their health records
- obtain a copy of their record and/or
- an explanation of the contents
- request correction or amendment.
Management of a request to access patient health records
When a psychiatrist’s patient requests access to their own health record the psychiatrist should:
- Ask for the request to be provided in writing and accompanied by a signed authority, where possible.
- Keep a record of all requests and correspondence about access.
- Manage the request in accordance with the relevant jurisdictional privacy and health records legislation.
- Be aware that health records legislation may vary between jurisdictions.
- Consider whether it is appropriate or necessary to refuse the request, or restrict access to part of the record only.
- Contact their MDO if they believe access should be denied (even if only in part).
- Respond in writing to the request for access within an appropriate* timeframe (30 days), irrespective of whether access has been granted or denied. An indication of any costs should be included.
*What is appropriate will depend on a number of factors, for example: the amount of information requested, the complexity of the organisation's functions and activities; and the way the access is to be provided.
A fee may be charged to cover the cost of providing access to the medical records (e.g. photocopying, printing and administrative costs) and should not be excessive such that it discourages a patient from accessing their records. Some jurisdictions have legislated maximum fees for which a medical practitioner can charge for the provision of access to medical records.
In deeming a patient’s request to access their health information reasonable, the access, wherever possible, should be provided in the forum in which the patient requested. A psychiatrist has the option of sitting with the patient while the patient reads the documentation and, if necessary, discuss what has been written. Alternatively, a psychiatrist may provide the patient with a summary or a copy of the health record. The details of the extent of the access, when, and to whom access was provided, should be recorded in the patient’s record.
Refusal of right of access
A patient can be denied right of access to their health information. Circumstances in which it would be appropriate to refuse or restrict access are when:
- access would pose a serious and imminent threat to the physical and/or mental health of either the patient or any other individual(s)
- the patient has impaired decision-making capacity
- access would have an unreasonable impact on privacy of other individuals
- the request for access is frivolous or vexatious
- denial of access is authorised or required by law
- legal proceedings, in which legal privilege applies, is anticipated and access
- access would prejudice an investigation of possible unlawful activity or prejudice the investigation by an enforcement body.
When access is denied, the patient should be advised of why the request was declined. The reasons for refusing access should also be noted in the patient’s records.
Legal representative’s right of access to patient health records
Requests by a legal representative to access the health record of the patient for whom they responsible may be permissible under certain conditions. These include that the request:
- Has been authorised. The authorising party will be the patient if they have competency. When the patient does not have competency a psychiatrist should refer to the legislated authority in their relevant jurisdiction to receive authorisation.
- Is reasonably necessary.
- Relates to the provision of health services for the patient.
Psychiatrists should seek advice from their MDO, as necessary.
Access to a deceased person’s medical records
Right of access to access a deceased patient’s medical records varies between jurisdictions. Usually, when consent for access is provided, it is done so by the executor or administrator. When a psychiatrist receives such a request they should contact their MDO for advice.
When access is provided to a deceased patient’s health record, a note should be made in the record indicating who was given access, the grounds for allowing access, and the extend of the information that was supplied.
Management of subpoenas
Psychiatrists may receive subpoenas/requests for patient health records in a wide range of circumstances including: civil proceedings, criminal proceedings, family court proceedings, freedom of information requests, Medicare audits, third party insurers, and professional standards reviews. When a patient’s health records are subpoenaed a psychiatrist should manage the request in the first instance by:
- seeking advice from their MDO
- informing the patient of the request.
Any legal correspondence about patient complaints or claims should be kept in a separate file and not in the relevant patient health record. This includes correspondence to or from a MDO in respect of a patient. Such correspondence may be protected by legal professional privilege and, accordingly, should not be disclosed to the patient.
Transfer of patient health records
When the transfer of patient health record or a summary of records is required, it is important for medical practitioners to maintain evidence of where or to whom the record was transferred. A note should be placed in the patient’s record that includes the recipient’s name, address, organisation they are representing, and the date of transfer.
Ideally, secure systems should be in place for the transfer of documents to ensure the safe exchange of confidential information. Documents sent via email should be encrypted; those transferred via use of a device (e.g. USB, should be password protected).
If hard copies of documents are being transferred in person, they should be marked as confidential and carried in a locked case/bag. The postal service is generally a reliable and appropriate method to transfer of hard copies of documents although there may be some circumstances where a method of transfer that provides greater security would be more suitable. Mail should have a ‘return to sender’ address.
When patient information is being sent outside of Australia, regardless of the purpose, informed authorisation from the individual must be obtained to disclose the information to a country that may not have the same privacy protections as Australia.
For enquiries about this page, contact firstname.lastname@example.org
This information is intended to provide general guide to practitioners, and should not be relied on as a substitute for proper assessment with respect to the merits of each case and the needs of the patient. The RANZCP endeavours to ensure that information is accurate and current at the time of preparation, but takes no responsibility for matters arising from changed circumstances or information or material that may have become subsequently available.