HR Fact Sheet

Health Records in NSW

In NSW, matters relating to the recording, storage, and access to health records are covered by the Health Records (Privacy and Access) Act 1997 (ACT).


What is health information? What forms part of health information?

Health information is defined in NSW to be any identifiable information or opinion held by your organisation about a person’s health, health services that have been provided (or are going to be provided) to a person, and their wishes about future health services.

Health information also includes personal, non-health related information about a person that has been collected in the course of providing a health service, or in connection with a person’s decision to donate body parts or organs. For instance, if a person’s name and contact details are collected in the course of providing a health service, they will be classified as health information, even though the information is unrelated to health.

A person’s health information can be in writing, audio, or in electronic form, and includes all copies of the information. It can also include photographs, medical test results, medical imaging reports and clinical notes.

Does the Act apply to all health information?

The Act only covers health information that may identify a person. De-identified health information is not protected under the Act.

Additionally, for public sector employers, the Act does not apply to health information that relates to information about an employee’s suitability for employment. This extends to candidates for employment.

In the private sector, the Act does not protect health information that forms part of, and is held in, an employee’s record. This does not extend to the health information of candidates for employment, whose health information is protected under the Act.

What are my obligations in keeping health information? How should health information be stored?

Once health information has been recorded about a person, it must be kept by your organisation for a defined period.

If the person was under the age of 18 when the information was collected, the information must be stored until the day they turn 25. If the person was over the age of 18 when the information was collected, the information must be stored for seven years, dated from the last time the person received a service at your organisation.

The Act requires you to store health information securely. You must take reasonable steps to protect it against loss, unauthorised access, modification, disclosure or misuse. Measures taken could include physically locking access to physical records, and password-protecting and keeping a secure backup of electronic information.

Can a person’s health information be edited?

A person may request that their health information is amended to ensure that their information is accurate or up to date, complete, and non-misleading.

An example would be a patient’s request to change their telephone number in your records. You may refuse to amend the information if you do not believe that the person’s health information is incomplete or misleading, or if the requested amendment is inaccurate. This refusal must be in writing.

How can health records be disposed of?

When disposing of health information, you must take reasonable care to ensure that patient confidentiality is not compromised. This includes taking steps to de-identify the information.

You must keep a register of the health information that you destroy or transfer. This register needs to include information about whose records have been destroyed, the period of time the record covered, and the date the record was destroyed or transferred. If the health information is transferred to another provider, you must keep a record of the name and address of the organisation to which the health information was transferred.

What if my organisation closes or moves location?

If your organisation closes and the information is not transferred to another practice, then the requirements for the retention and secure storage of health information still apply.

Access for patients

Is a person entitled to access their health information?

The Act gives people the right to access health information about themselves held by health services organisations. A person is entitled to request this health information.

What format does the person’s request to access their health information need to be in?

The Act specifies that a request for access to health information held by a private organisation must:

  • be in writing;
  • give the name and address of the requester; and
  • identify the information to be accessed.

However, the Act also allows for special circumstances; for instance, you may still provide access to the health information if the person in question is unable to put the request in writing because of a disability.

How do I give access?

You may provide the person with either a copy of their health information, or may show them the information and give them reasonable time to inspect and take notes on their health information.

In their request, if the person specifies how they would like to access the information, you must provide it in the form specified, as long as this would not place unreasonable demands on your organisation’s resources or compromise the preservation of the physical record itself.

Before granting access, you must take reasonable steps to confirm the person’s identity.

When does access to a person’s health records need to be granted?

You must respond to a request to access health information within 45 days of receiving it.

In what circumstances can I refuse a person access to their health information?

You can only refuse access to health information where:

  • Giving access to the health information would constitute a significant risk to the life or health of the individual or a third party;
  • The health information pertains to existing or anticipated legal proceedings between the organisation and the individual;
  • Giving access to the individual would constitute an unreasonable breach of the privacy of another person(s);
  • It would be in contravention of a court order or a law to provide the information;
  • This is a repeated request for health information that has already been declined under one of these categories;
  • The health information has already been provided to the individual.

What about the health records of children or incapacitated persons?

The Act separates children based on their developmental capacity.

If a child lacks the capacity to provide informed consent to accessing their health information, their parent or guardian is able to make the request to access the health information on behalf of the child.

However, if the child does have capacity, their health record may only be requested by, and provided to, the child in question.

An incapacitated person’s records can be requested by their legally appointed attorney or guardian, provided that person has the power to make decisions about their health.

What about deceased persons?

The Act does not apply to the health information of a person who has been deceased for more than 30 years.

For people who have been deceased less than 30 years, access to health information can be granted to the executor or administrator of the person’s estate, or to a family member on compassionate grounds.

Can I charge a fee for providing access to health information?

Yes, under the Act, you are entitled to charge a fee for providing access to health information, to cover the administrative costs of providing that information. However, the fee cannot be excessive and cannot discourage people from accessing their health information.

Access for employees of the organisation/team

Who in our organisation is entitled to access a person’s health information?

The person’s health service provider, the members of the person’s treating team (specialists, referring health service providers, etc.) and certain administrative staff may be entitled to access a consumer’s health record.

Administrative staff can access as much health information as is necessary to perform a task, where it is directly related to the purpose for which it was collected. Examples include sending out a reminder email with information about an upcoming health service, using the information for billing purposes or using the information to investigate a complaint.

Access for third parties

How can third parties be given access to health information?

A person (or the person’s guardian if the person is incapacitated), may request that access to their health information be given to a third party. Such a request must be made in writing and it must name the third party who is authorised to be given access to the health information.

An immediate family member may request and be granted access to the health information of an individual, without the consent of the individual in question, on compassionate grounds. This would include informing a spouse of a cause of death, or notifying a next of kin about a hospital admission. Information cannot be disclosed where the person has previously expressed a wish contrary to disclosure, and such access would ordinarily not extend to disclosing the whole of a person’s health information.

There may be circumstances where you are required to disclose the health record of a consumer without consent. Circumstances include the disclosure of a category 4 or 5 condition for public health reasons, to find a missing person, or upon the request of a law enforcement agency.

Contact our Employment Law & Investigations Team for more information.
