Insurer requests sensitive medical record? Do I send the file?

30 June 2020 | Rocky Ruperto, LLM, LLB (Hons), BSc (Psych), Legal and Policy Officer – Advocacy, Education and Research, Avant


When Dr Quick* received another request for records from an insurance company he passed it on to his secretary and asked her to copy and send the file in accordance with the request. Later that morning, the secretary put her head around Dr Quick’s door. “Do we send all the records in relation to that request? The file has all those before and after photos from her breast enhancement last year.”

Dr Quick isn’t certain. He knows there was an attached patient consent, but does he have to send all the records? He thinks the request is more likely in relation to the skin graft he had to perform following an accident a few months before. Would she have realised that information regarding her breast enhancement might also be covered by the request?

He instructs the secretary not to send anything until he has a chance to go through it, and if necessary, seek advice from Avant.

Release of information

Avant’s Medico-legal Advisory Service commonly receives calls from members seeking advice about responding to requests from a third party for patient records. It can be a confusing and complex area, and exactly what to release to whom is not always clear.

In most instances, records can be released with valid patient consent. However, privacy principles require that you release only as much information as is necessary to fulfil the request. It is your responsibility to carefully consider what information is being requested, and what information is covered by the patient’s consent, so you do not inadvertently release more information than is required.

Patient consent should be in writing, and contain the patient’s name and signature. It should be dated and clearly indicate what information can be released to whom. If the consent is older than 12 months, you should query its validity with the patient or request an updated authority.

Requests from third parties should specify why they are requesting the records, and what information is relevant to their investigation. If the request is unclear or unreasonably requests everything you have, you may need to clarify its scope with the patient.

Although the patient already signed a consent form, if there are any uncertainties, it is good practice to ask the patient to confirm their consent or discuss with them the details required to be released. In some instances, patients may have signed a very broad consent under the mandatory conditions of an insurance policy. The patient may not have considered how the company may seek to rely on it later to access information. Patients will often appreciate you double checking or specifically seeking verbal consent to release information they may have forgotten about. You should make a note of this conversation and keep it with the documentation relating to the request.

If, such as in Dr Quick’s case, you consider the file contains particularly sensitive or private information, you need to consider whether this information is relevant to the purpose of the request and therefore required to be released.

Sometimes, the information will clearly be relevant to the request and you will be required to release those documents as part of the file. In these cases, you may want to give the patient a courtesy call and discuss the release with them. By explaining your obligations and giving the patient pre-warning, you may be able to avoid patients getting upset or embarrassed when they discover that information has been shared.

If in the discussion, the patient amends or withdraws their consent, assure them that you will not release any information without the appropriate authority. Ask the patient to contact the requesting party to clarify their consent and the requested information. You will need to carefully document this discussion in the patient’s record and await a further written request with appropriate consent prior to releasing any information.

When not to release despite patient consent

In very limited circumstances, you may not be obliged to release information in accordance with a patient’s valid consent. These situations are invariably complex and are limited to when you hold a reasonable belief that release of that information will cause significant harm to the patient or another person. If you are concerned the release of private medical information may cause significant harm, contact us for medico-legal advice on 1800 128 268 to discuss the best way forward.

Release without patient consent

There are also situations in which you are obliged by law to release information without the patient’s consent.

These include a summons or subpoena to produce medical records to a court or tribunal, or a warrant from the police. It is important to remind your practice staff that police are not automatically authorised to receive confidential medical information and should ideally produce court documents, a warrant or patient consent. If police attend your practice and request records without the benefit of clear authorities, call us for advice.

Some legislation also requires information to be released without the patient’s consent – for instance, public health requirements to report infectious diseases or mandatory reporting of children at risk.

If you or your practice receives any other request to release information without your patient’s consent, and you are uncertain of your obligations, call us for advice.


Take a copy of any requests you receive, along with details of any further information sought or clarified. You should include these in the patient record. Document any discussions you have with patients. This will help show you acted appropriately if there is a dispute or complaint in the future.


Generally, doctors are only required to release records that are relevant to a particular request and in line with the patient’s consent. Dr Quick needs to read the request carefully and determine who is requesting the records and for what purpose. This will help ensure he does not include any documents that fall outside the request. This is particularly important where a medical record contains sensitive information.

Dr Quick’s secretary was right to query the request in this case. It seems unlikely the patient expects or understands that the photographs could be covered by her signed consent. It is also unlikely the photographs are relevant to the insurance claim. Once Dr Quick checks with her, she may wish to modify her consent.

If you are unsure of your obligations or receive a complex request, contact our medico-legal advisers via email on nca@avant.org.au or if you require immediate advice, call 1800 128 268.

*This scenario is fictitious and has been based on Avant claims experience to date. Names have been invented and any resemblance to real persons, living or dead, is purely coincidental.

This article was originally published in the Australian Society of Plastic Surgeons’ Newsletter in February 2020.


Share your view

We welcome your feedback on this article.