Improve Your Practice

Good medical record keeping is a very important aspect of managing a practice. Part of your job as a practice manager is to put systems in place to ensure quality patient care and to keep patients’ personal health information secure and confidential.

What is a medical record?

A 'medical record' is a general term for all of the information collated about a patient for the purpose of treating that patient, including:

  • progress notes – handwritten or computerized
  • specialists’ letters and other correspondence
  • test results
  • x-rays and scans
  • photographs
  • digital recordings
  • patient demographics (name, date of birth, contact details, allergies, etc)
  • appointment books and patient accounts.

Medical records should include the following information:

  • patient identification (including Individual Health Identifier – IHI)
  • consent to recall and reminder system, receiving electronic messages or reminders
  • information relevant to diagnosis or treatment
  • treatment plan
  • medication and dosage levels
  • information and advice given, consent discussions
  • details of any medical or surgical procedure (date, nature, who performed procedure, type of anaesthetic, tissues sent to pathology, results or findings, written consent)
  • health summary that is easily accessible, including significant history, medications, allergies.

Medical records should also comply with any relevant legislation for record keeping.

Who owns the medical record?

In a private medical practice, the ownership of the medical records depends on the structure of the practice in which the doctor works. It is advisable for doctors to clarify ownership of the medical records at the beginning of a contract to avoid any disputes when the doctor leaves the practice as to whether copies of the medical records can be taken with the doctor.

Subpoenas or summonses seeking production of medical records for legal proceedings should be addressed to the owner of the records.

How should medical records be stored?

Medical records may be kept in electronic or paper format, or a combination of both. Where a ‘hybrid’ of paper and electronic records is used, a system is required to cross reference the records for each patient. Electronic records need to be kept in a form that allows them to be printed out as required. You should also ensure that appropriate secure back-ups of electronic records are maintained.

How long should medical records be kept?

Medical records should be retained for as long as required by relevant Australian, state or territory government legislation. Generally, this means that inactive individual patient medical records should be kept until the patient has reached the age of 25 years or for a minimum of seven years from the time of last contact – whichever is the longer.

Disposal of paper-based medical records

Disposing of paper copies of notes that have been transferred or scanned into the electronic records is allowed as long as the disposal is done in a manner which preserves confidentiality and complies with legislative requirements. In New South Wales, a register of all records that have been destroyed should be kept. Whilst this is not a requirement in other states, it would be considered good practice to keep a record in other states as well.

Keeping medical records secure

Organisations that hold health information must take reasonable steps to protect the information from loss and unauthorised use or disclosure.

To ensure that electronic records are kept safe from damage, loss or theft, a complete back-up of the computer record should be performed on a regular basis. Back-up may be automated to a remote data storage facility or by using external hard drives that are used on a rotating system. If using external hard drives, ensure the back-up discs are stored off-site. Computers should be password protected and the passwords changed on a regular basis.

Seek advice from an IT specialist regarding protection against unauthorised access, amendment of records, computer viruses, firewalls and quality of resolution of scanned documents.

See: RACGP Computer and information security standards (CISS)

Access to medical records

At common law, a patient does not have a right of access to his or her medical records. However, under privacy legislation, patients have a right to request access to their records. Access must be provided subject to any limitations and procedures set out in the legislation. Access to medical records is covered under legislation in Victoria (Victorian Health Records Act 2001) and New South Wales (NSW Health Records and Information Privacy Act).

Patients must make a written request for access to their records or to request a transfer of their records. A copy of the request should be kept in the patient’s medical record.

If a patient wishes to transfer to another doctor, the new practitioner is entitled to a treatment summary or a copy of the records. The transfer date and location of transferred records should be maintained in a register, and the transfer date added to the record. Files may be transferred using paper, CD or secure electronic means.

A reasonable cost can be charged for providing copies of medical records.

eHealth records

Since July 2012, Australians have had the option of registering for a personally controlled electronic health record (PCEHR). This patient-controlled record is kept completely separate from the patient’s electronic medical record. The fact that a patient may have a PCEHR does not alter the doctor’s obligation to maintain a medical record for the patient.

Note: Remember the PCEHR is a summary document and does not replace the full electronic medical record (EMR) held at the medical practice.

Access to, and disclosure of, information in the PCEHR is subject to the PCEHR Act 2012 (Commonwealth) and associated rules and regulations. Organisations registered with the PCEHR system should be aware of their obligations under the legislation.

The Office of the Australian Information Commissioner (OAIC) regulates the handling of information under the PCEHR system. It recommends that health care providers should:

  • Develop processes for handling e-health records and ensure staff are adequately trained to follow them.
  • Tell your patients about what information you intend to add to and access from their e-health records and explain what you will do with the information.
  • Ensure that you do not collect more information from an e-health record than is necessary.
  • Collect, use and disclose information in a patient’s e-health record only for the limited and authorised purpose allowed under the e-health records system.
  • Know how the e-health record system can be used in an emergency situation.

Improve your practice

Please use the Medical Record checklist as a starting point.

  • Doctors and medical staff owe a stringent ethical and legal duty to keep information given by their patients strictly confidential. These duties survive a patient’s death.
  • Medical records should be kept secure. They should be stored out of public view and access at all times. Staff should not disclose their contents to anyone other than authorised personnel.
  • Information from medical records should not be disclosed without a patient’s consent unless permitted as a matter of law. You should seek advice from Avant if in doubt about the disclosure of any health information.
  • Staff should be discreet in the type and nature of information they obtain from the patient in a public space.
  • Entries in the medical record should be legible and include a health summary with all relevant clinical information for that patient, e.g. current health problems, allergies/sensitivities, risk factors, medication, relevant social and family history and past problems. This information should be documented in a consistent location. The patient’s contact details and who to contact in an emergency should also be recorded and updated regularly.
  • Each medical record should contain accurate information about each consultation, including date, reason for consultation, management plan, prescribed medication, preventative care undertaken, written and/or verbal instructions given to the patient, referral to other healthcare providers and identification of who conducted the consultation.
  • The information documented should be as factual and objective as possible and not derogatory, prejudicial or irrelevant as this may lead to inaccurate interpretation by other healthcare professionals and medico-legal implications.
  • Pathology results, diagnostic imaging reports and clinical correspondence should be reviewed by a doctor prior to filing.
  • The follow-up and recall of patients with abnormal results should be managed in collaboration with the referring treating doctor.
  • Identification, culling, storing and retrieving inactive medical records should be done annually, e.g. in January each year.
  • Access to medical records and financial/accounts information by the patient/relative, legal representative or other medical practitioners should comply with privacy legislation.
  • All relevant conversations pertaining to patients should be recorded in the patient’s file. This may be in relation to accounts, appointments and other non-clinical issues.
  • In order to improve performance of your clinical and management software, you should archive “inactive” patient files on a regular basis (monthly). The RACGP defines active patients as those patients who have been seen at least three times in the preceding two years.


RACGP Electronic health records

RACGP Computer and information security standards

Privacy obligations of medical practitioners in regard to patients’ records and health information:
Nationally, the Privacy Act 1988 and the National Privacy Principles 2014
Australian Privacy Principles and National Privacy Principles – Comparison Guide

This publication is proudly brought to you by Avant Mutual Group. The content was authored by Brett McPherson, reviewed by Colleen Sullivan and Avant Mutual Group.

This publication is not comprehensive and does not constitute legal or medical advice. You should seek legal or other professional advice before relying on any content, and practice proper clinical decision making with regard to the individual circumstances. Persons implementing any recommendations contained in this publication must exercise their own independent skill or judgment or seek appropriate professional advice relevant to their own particular practice. Compliance with any recommendations will not in any way guarantee discharge of the duty of care owed to patients and others coming into contact with the health professional or practice. Avant is not responsible to you or anyone else for any loss suffered in connection with the use of this information. Information is only current at the date initially published. © Avant Mutual Group Limited 2014.

IMPORTANT: Professional indemnity insurance products and Avant’s Practice Medical Indemnity Policy are issued by Avant Insurance Limited, ABN 82 003 707 471, AFSL 238 765. The information provided here is general advice only. You should consider the appropriateness of the advice having regard to your own objectives, financial situation and needs before deciding to purchase or continuing to hold a policy with us. For full details including the terms, conditions, and exclusions that apply, please read and consider the policy wording and PDS, which is available at or by contacting us on 1800 128 268. Practices need to consider other forms of insurance including directors’ and officers’ liability, public and products liability, property and business interruption insurance, and workers compensation and you should contact your insurance broker for more information. Cover is subject to the terms, conditions and exclusions of the policy. Any advice here does not take into account your objectives, financial situation or needs. You should consider whether the product is appropriate for you before deciding to purchase or continuing to hold a policy with us.