Medical record management

A 'medical record' is a general term for all of the information collated about a patient for the purpose of treating that patient, including:

• progress notes – handwritten or computerized
• specialists’ letters and other correspondence
• test results
• x-rays and scans
• photographs
• digital recordings
• patient demographics (name, date of birth, contact details, allergies, etc)
• appointment books and patient accounts.

Medical records should include the following information:

• patient identification (including Individual Health Identifier – IHI)
• consent to recall and reminder system, receiving electronic messages or reminders
• information relevant to diagnosis or treatment
• treatment plan
• medication and dosage levels
• information and advice given, consent discussions
• details of any medical or surgical procedure (date, nature, who performed procedure, type of anaesthetic, tissues sent to pathology, results or findings, written consent)
• health summary that is easily accessible, including significant history, medications, allergies.

Medical records should also comply with any relevant legislation for record keeping.

In a private medical practice, the ownership of the medical records depends on the structure of the practice in which the doctor works. It is advisable for doctors to clarify ownership of the medical records at the beginning of a contract to avoid any disputes when the doctor leaves the practice as to whether copies of the medical records can be taken with the doctor.

Subpoenas or summonses seeking production of medical records for legal proceedings should be addressed to the owner of the records.

Medical records may be kept in electronic or paper format, or a combination of both. Where a ‘hybrid’ of paper and electronic records is used, a system is required to cross reference the records for each patient. Electronic records need to be kept in a form that allows them to be printed out as required. You should also ensure that appropriate secure back-up of electronic records are maintained.

Medical records should be retained for as long as required by relevant Australian, state or territory government legislation. Generally, this means that inactive individual patient medical records should be kept until the patient has reached the age of 25 years or for a minimum of seven years from the time of last contact – whichever is the longer.

Disposing of paper copies of notes that have been transferred or scanned into the electronic records is allowed as long as the disposal is done in a manner which preserves confidentiality and complies with legislative requirements. In New South Wales, a register of all records that have been destroyed should be kept. Whilst this is not a requirement in other states, it would be considered good practice to keep a record in other states as well.

Organisations that hold health information must take reasonable steps to protect the information from loss and unauthorised use or disclosure.

To ensure that electronic records are kept safe from damage, loss or theft, complete back-up of the computer record should be performed on a regular basis. Back-up may be automated to a remote data storage facility or by using external hard drives that are used on a rotating system. If using external hard drives ensure the back-up discs stored off-site. Computers should be password protected and the passwords changed on a regular basis.

Seek advice from an IT specialist regarding protection against unauthorised access, amendment of records, computer viruses, firewalls and quality of resolution of scanned documents.

See: RACGP Computer and information security standards(CISS)

At common law, a patient does not have a right of access to his or her medical records. However, under privacy legislation, patients have a right to request access to their records. Access must be provided subject to any limitations and procedures set out in the legislation. Access around medical records is covered under legislation in Victoria (Victorian Health Records Act 2001) and New South Wales (NSW Health Records and Information Privacy Act )

Patients must make a written request for access to their records or to request a transfer of their records. A copy of the request should be kept in the patient’s medical record.

If a patient wishes to transfer to another doctor, the new practitioner is entitled to a treatment summary or a copy of the records. The transfer date and location of transferred records should be maintained in a register, and the transfer date added to record. Files may be transferred using paper, CD or secure electronic means.

A reasonable cost can be charged for providing copies of medical records.

Since July 2012, Australians have had the option of registering for a personally controlled electronic health record (PCEHR). This patient-controlled record is kept completely separate from the patient’s electronic medical record.The fact that a patient may have a PCEHR does not alter the doctor’s obligation to maintain a medical record for the patient.

Note: Remember the PCEHR is a summary document and does not replace the full electronic medical record (EMR) held at the medical practice.

Access to, and disclosure of, information in the PCEHR is subject to the PCEHR Act 2012 (Commonwealth) and associated rules and regulations. Organisations registered with the PCEHR system should be aware of their obligations under the legislation.

The Office of the Australian Information Commissioner (OAIC) regulates the handling of information under the PCEHR system. It recommends that health care providers should:

Develop processes for handling e-health records and ensure staff are adequately trained to follow them.

Tellyour patients about what information you intend to add to and access from their e-health records and explain what you will do with the information.

Ensure that you do not collect more information from an e-health records than is necessary.

Collect, use and disclose information in a patient’s e-health record only for the limited and authorised purpose allowed under the e-health records system.

Know how the e-health record system can be used in an emergency situation.

Please use the Medical Record checklist as a starting point.

• Doctors and medical staff owe a stringent ethical and legal duty to keep information given by their patients strictly confidential. These duties survive a patient’s death.
• Medical records should be kept secure. They should be stored out of public view and access at all times. Staff should not disclose their contents to anyone other than authorised personnel.
• Information from medical records should not be disclosed without a patient’s consent unless permitted as a matter of law. You should seek advice from Avant if in doubt about the disclosure of any health information.
• Staff should be discreet in the type and nature of information they obtain from the patient in a public space.
• Entries in the medical record should be legible and include a health summary with all relevant clinical information for that patient, e.g. current health problems, allergies/sensitivities, risk factors, medication, relevant social and family history and past problems. This information should be documented in a consistent location. The patient’s contact details and who to contact in an emergency should also be recorded and updated regularly.
• Each medical record should contain accurate information about each consultation, including date, reason for consultation, management plan, prescribed medication, preventative care undertaken, written and/or verbal instructions given to the patient, referral to other healthcare providers and identification of who conducted the consultation.
• The information documented should be as factual and objective as possible and not derogatory, prejudicial or irrelevant as this may lead to inaccurate interpretation by other healthcare professionals and medico-legal implications.
• Pathology results, diagnostic imaging reports and clinical correspondence should be reviewed by a doctor prior to filing.
• The follow-up and recall of patients with abnormal results should be managed in collaboration with the referring treating doctor.
• Identification, culling, storing and retrieving inactive medical records should be done annually, e.g. in January each year.
• Access to medical records and financial/accounts information by the patient/relative, legal representative or other medical practitioners should comply with privacy legislation.
• All relevant conversations pertaining to patients should be recorded in the patient’s file. This may be in relation to accounts, appointments and other non-clinical issues.
• In order to improve performance of your clinical and management software, you should archive “inactive” patient files on a regular basis (monthly). The RACGP defines active patients as those patients who have been seen at least three times in the preceding two years.

RACGP Electronic health records

RACGP Computer and information security standards

Privacy obligations of medical practitioners in regard to patients’ records and health information:
Nationally, the Privacy Act 1988 and the National Privacy Principles 2014
Australian Privacy Principles and National Privacy Principles – Comparison Guide

• In New South Wales - Health Records and Information Privacy Act NSW 2002
• In Victoria – Victorian Health Records Act 2001
• In Australian Capital Territory – Health Records (Privacy and Access) Act 1997