State Government Victoria Australia Department of Health header
Victorian Government Website (Victoria the place to be)
Victorian Government Health Information header
Health Home
Main A to Z Index | Site Map | About Health  
Office of the Health Services Commissioner

Health home > Office of the Health Services Commissioner home > Resources > Publications > Health Records Act FAQ



Health Records Act FAQ

Page Contents: General | Consent | Use & Disclosure | Access | Transborder data flows | School related issues | Interaction with other legislation | Openness


1. Can a fee be charged for access to information?
The regulations setting a maximum fee for access, set by the Department of Health, can be found at the Victorian Legislation and Parliamentary Documents website.

2. To what extent do organisations need to be aware of records legislation and other provisions concerning privacy, use, disclosure and access in other jurisdictions, such as the ACT and NSW?
Under Health Privacy Principle (HPP) 9, Transborder data flows, an organisation must reasonably believe that the recipient of the health information is subject to a law, binding scheme or contract that effectively upholds principles for fair handling of the information that are substantially similar to the HPPs. Alternatively consent from the individual to transfer the information is required.

3. Who owns the health information if a health service provider is employed by a non-health service provider e.g. a school? - the employer or the provider?
The Health Records Act (the Act) does not affect ownership of health information, but gives the individual about whom the information relates the right to access that information. Therefore ownership of the health information would be decided by the contractual arrangements between the employer and the employee, but whoever holds the information would need to make it available for access if requested and ensure that the information is held in a manner compliant with the HPPs.

4. Does ownership of information imply rights regarding the information? E.g. school principal inspecting records that are in the custody of a provider.
The organisation holding the health information must itself comply with the HPPs relating to the use and disclosure of the information. If the information was collected for a particular purpose (e.g. to enable the health care service to be delivered effectively) then HPP 2 requires it to be used only for that purpose, or for a directly related secondary purpose which the person would expect, or falling into one of the exceptions in HPP 2. There are no implied rights under the Act. If the use or disclosure were permitted by the HPPs then it is allowed, otherwise it would be a contravention of the Principles.

5. Residents in aged care facilities have their own doctors to attend to them, with the doctors’ records often kept at the facility for convenience. Does the facility have any rights to these records?
Health service providers providing a health service to nursing homes, hostels or retirement villages need to comply with the Act regarding the health information they hold, even if it is held on behalf of another health service provider. They have an obligation to ensure compliance with the HPPs regarding good record keeping in areas such as security of health information. It is up to the individual health service provider and the facility concerned to make arrangements that suit them to ensure that their obligations under the Act are met, and this would include what rights the facility has to the records. The client has a right to request access to health information held about them, preferably through the health service provider rather than the facility.

top of page

6. Where health information has been commissioned/paid for by a third party, e.g. insurance industry, who has responsibility for the record?
If an organisation holds health information about an individual then they are obligated under the Act to provide access to the individual if requested, provided the information does not fall into one of the exemptions. If the health service provider who made the report keeps a copy of the report commissioned by a third party, then the individual about whom the information relates can request access to that information from either the health service provider or the third party.

7. Does the Health Records Act apply to scanned records?
The Health Records Act applies to health information held by an organisation in a document in possession or under the control of an organisation. A document is defined in the Interpretation of Legislation Act 1984 (Vic) as:
"document" includes, in addition to a document in writing—
(a) any book, map, plan, graph or drawing;
(b) any photograph;
(c) any label, marking or other writing which identifies or describes anything of which it forms part, or to which it is attached by any means whatsoever;
(d) any disc, tape, sound track or other device in which sounds or other data (not being visual images) are embodied so as to be capable (with or without the aid of some other equipment) of being reproduced there from;
(e) any film (including microfilm), negative, tape or other device in which one or more visual images are embodied so as to be capable (with or without the aid of some other equipment) of being reproduced there from; and
(f) anything whatsoever on which is marked any words, figures, letters or symbols which are capable of carrying a definite meaning to persons conversant with them;
Therefore the Health Records Act would apply to scanned records in the same manner as to paper records.

8. What belongs to the health service provider and not to the individual?
The Health Records Act is about access, not ownership – it all belongs to the holder of the information, but the individual to whom the information relates is able to access the information under the Act.

9. Are the notes made by medical students to be included in the history? The sequel to their seeing patients is that their notes are part of the record whether or not they are filed in the history. Are they able to be removed?
Student notes should be included in the record, as they form part of the patient care. They are health information made by the organisation or under its supervision, with a notation that the notes were made by a student, signed and if necessary amended by the supervisor. This should be no different than current practice.

10. Does the Act give people a new right to sue in court over a breach of privacy?
Section 8 of the Act says “nothing in this Act gives rise to any civil cause of action” other than in accordance with the procedures in the Act. This means only those processes to deal with complaints as set out in the Act can be followed and these are limited to conciliation and investigation by the Health Services Commissioner, with the possibility of a complaint being dealt with at the Victorian Civil and Administrative Tribunal.

11. What is the status of any existing professional and ethical codes and standards now the Health Records Act is operational?
Existing professional and ethical codes and standards still operate, as long as they don’t conflict with the Act. The Act sets a minimum standard and is legally binding, all organisations that collect, hold or use health information must comply with it. However, if a profession wishes to maintain an existing code that is in accordance with the Act they are able to do so.

top of page

12. To what extent does the legislation interact with the various requirements set by accreditation bodies?
Accreditation processes usually require the person or organisation in question comply with any relevant Commonwealth, State or Territory laws, such as the Health Records Act. Compliance with the Act would therefore be part of an accreditation process.

13. Are the working notes of a health service provider considered health information for the purpose of the Act?
If the working notes fall within the definition of health information, and they are held by the organisation then they are subject to the Act.

14. How does the Health Records Act apply to locum health service providers?
The Act applies to health information held by locum health service providers in the same way as it does to other health service providers, with the individual able to apply for access to that information. If the locum kept separate records from those of the practice then when the information is collected the patient would need to be made aware of how they can contact the locum to access the information if they wish. All the health privacy principles would apply to the health information held by the locum health service provider.

15. How does the Health Records Act apply to health service providers employed by organisations that provide a health service to their staff? Is it the health service provider or the employer with the obligation to comply with the legislation? Is this different if the health service provider is not an employee but an independent contractor?
The Act applies to all organisations that hold health information, with an obligation to comply with the Act. If the employer holds the records with the health information then they must provide access and ensure compliance with the health privacy principles. If it is the health service provider who controls the records that hold the health information then the health service provider must comply with the legislation. If the health service provider is an independent contractor and keeps separate records from the employer then the individuals must be made aware of how to contact that health service provider and access the health information if desired. In this situation the health service provider must also comply with HPP 10 on transfer or closure of a practice when the health service provider leaves the employer and does not provide a health service elsewhere.

16. How does the Health Records Act apply in respect of deceased health service providers?
HPP 10 provides that the legal representative of the deceased provider must publish a notice in a newspaper circulating in the locality of the practice stating that the practice has been, or is about to be, sold, transferred or closed down and the manner in which they propose to deal with the health information held by the practice. The legal representative must also take any steps to notify individuals of these matters as set out in the guidelines issued by the Health Services Commissioner.

17. Hospital archives contain photographs of patients and staff going back many years. Researchers request access to the photographs, as they want to use them for publication in books. Is this still allowed?
The information about a person, which can be derived from a photograph, may be able to be regarded as ‘health information’ as defined by the Act, if it reveals identifying information about a person’s health. Section 15 of the Act exempts certain types of ‘publicly available health information’ from the operation of the Act. If the information in question is kept in a library, art gallery or museum for the purposes of reference, study or exhibition, then it would be exempt under section 15 (1)(b) of the Act. It would also appear to be exempt under section 15(1)(b) if the document is “archives within the meaning of the Copyright Act 1968 of the Commonwealth.”

18. Should an organisation establish an internal complaints handling process?
Many organisations may find they need only adapt an established complaints handling process, such as those used to deal with complaints about non-privacy matters. Being in a position to deal adequately with complaints should minimise the number of times the Health Services Commissioner will become involved. Swift, effective complaints handling saves time and cost all round.

top of page


19. What is the age of consent for collection, access, use and disclosure of health information?
No specific age is set by the Act. The same factors as currently apply when deciding on whether a child can consent to treatment apply with issues of consent under the Act. Consent for collection, access, use or disclosure of health information involves assessing a child’s competency to consent in accordance with the current Common Law test of competency.

See Information Sheet 5 for further information.

20. Do you need consent to use information for fundraising purposes?
An organisation must not use or disclose health information about an individual for a purpose other than the primary purpose for which it was collected without consent, unless one of the circumstances in HPP 2.2 applies. If the primary purpose for which the information was collected was other than to allow the organisation to approach the person for money, then it would be a secondary purpose for which consent would be needed. It may be that the circumstances are such that you might be able to characterise fundraising as a directly related secondary purpose, which the person would reasonably expect the organisation to use it for. If so, then that would be allowed under the Act.

21. How specific does consent need to be?
Consent means the voluntary agreement of the individual or of the individual’s authorised representative about a proposed action, and should be informed, freely given and current. Under the Act it can be express or implied. Express consent is provided explicitly, either orally or in writing, it is unequivocal and does not require any inference on the part of the organisation seeking consent. Implied consent arises when consent may be reasonably conferred from the action or inaction of the individual.

22. What if an individual is incapable of giving consent to collection, use or disclosure of health information?
The power to give consent may be exercised on behalf of an individual who is incapable of giving consent by an authorised representative of that individual. An individual is considered incapable of giving consent by reason of age, injury, disease, senility, illness, disability, physical impairment or mental disorder if they are incapable of understanding the general nature and effect of giving the consent, or communicating the consent (or refusal) despite the provision of reasonable assistance by another person.
An authorised representative means a person who is:
(a) a guardian of the individual; or
(b) an attorney for the individual under an enduring power of attorney; or
(c) an agent for the individual within the meaning of the Medical Treatment Act 1988; or
(d) an administrator or a person responsible within the meaning of the Guardianship and Administration Act 1986; or
(e) a parent of an individual, if the individual is a child; or
(f) otherwise empowered under law to perform any functions or duties or exercise powers as an agent of or in the best interests of the individual--
except to the extent that acting as an authorised representative of the individual is inconsistent with an order made by a court or tribunal.

23. Should a health service provider be more specific when obtaining consent in respect of electronic information?
Consent should at all times be informed and current, regardless of the manner of collection, use or disclosure, whether electronic or paper based. The organisation handling the information should make it clear to the individual how they manage the information and how they use and disclose it.

top of page

24. In relation to children with divorced or separated parents, which parent is able to consent for collection, use and disclosure?
Under current law both parents have equal rights to a child who is a minor, unless the right has legally been removed from one parent. If an organisation is unsure whether there are orders against one parent they can contact the Family Court for assistance.

25. Is consent needed when information is to be used in new ways within the organisation, particularly if the organisation has expanded?
Health information must be used by an organisation in a manner consistent with HPP 2. If a use of health information does not fit within any of the paragraphs of HPP 2 then consent would be required to use it in that manner.

26. Is consent needed when information is to be placed in temporary storage?
An organisation has an obligation to take reasonable steps to protect the information it holds from misuse, loss, unauthorised access, modification or disclosure. There is no obligation to get consent for to the manner by which an organisation maintains the information it holds, but the privacy policy should contain this information.

27. Do we need to get consent before taking photos of an individual?
Taking a photo is collection of personal information, and so all the HPPs relating to collection of health information apply. There would be circumstances where consent is not required, in accordance with HPP 1.1, but generally it is best practice to get consent if taking a photo.

28. What if there are communication difficulties (eg language barriers) in ensuring that an individual is generally aware of the matters outlined in HPP 1? What steps must an organisation take to overcome this?
The Act requires an organisation take steps that are reasonable in the circumstances to ensure the individual is generally aware of the matters outlined in HPP 1. If an organisation deals with individuals with communication problems on a regular basis then it may be considered a reasonable step to have brochures in languages other than English, or Braille where appropriate etc. The steps that the organisation must take would depend on the individual circumstances of the organisation, and what they consider is reasonable in those particular circumstances.

29. Must HPP 1 be complied with where information is collected from an unsolicited source?
HPP 1 applies where an organisation collects health information, whether solicited or not. However, where the information is unsolicited there may be implied consent for the organisation to have it, otherwise the individual would not have supplied the information. If a third party supplied the information the organisation needs to comply with HPP 1.5 about making the individual aware that the information has been collected.

top of page

Use & Disclosure

30. What constitutes a serious threat to a person’s safety? What happens where the threat is more general in nature and not so imminent? Can the information be disclosed in those circumstances?
Under HPP 2.2(h) an organisation can disclose information if they believe there is a serious and imminent threat to an individual’s life, health, safety or welfare. There are no definitions about what is serious and imminent, but it would need to be fairly immediate, not a possibility in the future.

31. Does HPP 2 oblige disclosure?
Nothing in HPP 2 requires an organisation to disclose health information about an individual. An organisation is always entitled not to disclose health information in the absence of a legal obligation to disclose it.

32. Under what circumstance can a health service provider disclose health information about an individual to a family member?
Health information can always be disclosed with the consent of the individual concerned. HPP 2.4 also allows a health service provider to disclose health information about an individual to an immediate family member if it is either necessary for the care of the individual or the disclosure is made for compassionate reasons, where the individual is incapable of consenting to the disclosure.

top of page


33. Can access to information be given to a patient if it comes from a health service provider and is marked ‘confidential’?
The Act states that an organisation holds health information if it is in a document which is in the possession or under the control of the organisation, whether alone or jointly with other persons. The fact that another person created the information is not relevant to the question of access. A claim of confidentiality would not prevent the information from being accessible of itself, as s27(2) specifically does not exempt information given in confidence by a health service provider. Access could only be denied to it if one of the exceptions under HPP 6.1 Act applied to the information.

34. Will a plaintiff lawyer (through the client) be able to access a copy of a report about the client compiled at the request of the insurer?
An individual has the right of access to information about himself or herself, regardless of where it is held, or who owns the information. The Act allows an individual to authorise someone else to represent him or her by having access to the information on his or her behalf and that authorised representative may be a lawyer. If the information was collected before 1 July 2002 then the individual may receive a summary of the information, not a copy of the report itself, and would not be entitled to any opinions in that information, merely facts as listed in s 25 of the Act. For information collected after 1 July 2002 the individual is able to obtain a full copy of the information.

35. There are times when a consultant or GP sees a patient and there are some aspects of his thinking that he does not want to be available at any stage to the patient, the law, or the relatives. How do you retain that information?
You can’t – if the information is written in the record and it is not exempt under HPP 6.1 because of situations such as a serious threat to life or health, privacy of others or given in confidence with no consent for disclosure, then the person to whom the information relates would be able to get access. This information would also be required to be produced in a court if a subpoena is issued for it.

36. If a case is a pending medico-legal matter, do you have to release the record to the patient or the solicitor?
If the information relates to existing legal proceedings between the organisation and the individual and it is not accessible by process of discovery or is subject to legal professional privilege then access can be withheld under HPP 6.1(c). It would need to be assessed on a case-by-case basis to see if the legal proceedings are ‘existing’. Current laws about subpoenas etc still stand.

37. Not all patient information is in the medical record. Does all information need to be collected when patient requires access - eg. Allied Health, Catheter Laboratory records?
An individual is entitled to access all health information held about them collected after the commencement of the Act. It is the responsibility of the organisation to collate the information and know where all the information is kept so that it is available to be assessed and where appropriate, released for access if requested.

38. Who can access medical records of deceased patients?
The legal representative has the right of access to the records of a deceased patient in the same way as it applies in relation to an individual who is not deceased, under s 95 of the Act. This is not necessarily the next of kin. It is conceivable that the family would want access to a record when there is no legal representative e.g. the deceased left no assets and there is no need to apply for a grant of probate or letters of administration. In these circumstances there would be no right of access under HPP 6, however, the organisation could grant access under HPP 2.4, which allows for access to an immediate family member where the individual is incapable of giving consent. This would be voluntary; there is no statutory right of access in this situation. Section 141 of the Health Services Act would also apply in this situation for hospitals, community health services and day procedure centres.

39. Are we required to provide statistics at the end of the year on the number of access requests, time taken to respond etc (similar to FOI stats. provided to Department of Justice)?
At this stage at there is no requirement for the reporting of statistics. However, it would probably be beneficial for organisations to keep a record for their own auditing purposes.

top of page

40. How long does the health provider have to deal with each access request?
An organisation must deal with a written request for access within 45 days of receipt of request or 7 days after payment of fee, whichever is later.

41. What responsibility is there to disclose/summarise the records of historical consultations made by other health professionals who have since left the practice?
If an organisation holds health information that is subject to an access request they may agree to give the individual access to the information in full in the manner set out in the Act. If they do not agree to give access in this manner, they must, at a minimum, give the individual an accurate summary of the health information even if the provider who wrote it is no longer part of the organisation.

42. Does an individual have a right to request health information collected before 1 July 2002 to be corrected if they feel it is inaccurate, incomplete, misleading or not up to date?
Yes, if the individual is able to establish that the information is inaccurate, incomplete, misleading or not up to date, the organisation must take reasonable steps to correct the information. It is not relevant as to when the information was collected, but it would not be necessary to alter every page of a record that had a wrong address as long as the current address was on any page that is still be used.

43. Is it the Health Records Act or the FOI Act that applies to the records of health service providers employed in a public hospital that carry on a private practice on the same premises?
If the health service provider within the public hospital sees the individual, and the record belongs to the hospital, then the FOI Act applies for requests to access that record. If the health service provider carries out private practice in rooms on the same premises, but keeps separate records, then the Health Records Act applies for requests for access to those records.

44. In record keeping and obligations under the Health Records Act and the FOI Act, what should a health service provider do in order to distinguish between services given to public patients and to those to private patients?
Compliance with the HPPs under the Health Records Act extends to both the public and private sector, therefore there is no need to distinguish between a private and public patient. The difference between private and public sector under the Act is access to health information for the public sector is through the FOI Act rather than the Health Records Act. However, the FOI Act has been amended by the Health Records Act to give similar modes of access as that under the Health Records Act, so from the provider’s perspective the record keeping and obligations for both private and public sector records will be the same.

45. Does the Health Records Act abrogate copyright ownership in documents?
Claiming copyright on a document would not protect it from access by the individual that it is about, in view of the statutory duty to provide access and it being a term of the contract. The Act states that an organisation holds health information if it is in a document which is in the possession or under the control of the organisation, whether alone or jointly with others. The Act does allow, under s 98, an organisation to obtain and act on expert advice in order to perform a function under the Act. There is a need to examine the information before granting access to ensure that there is not requirement for it to be withheld because of serious threat to the life or health of the person seeking access or any other person. If a GP file contained specialist letters/reports the Act would allow the GP to talk to the specialist about the request and discuss whether there is any need to exempt it.

46. Can access to the health information be refused?
Holders of health information can and in some circumstances must refuse access to health information. These situations are listed in Health Privacy Principle 6.1 of the HRA. If an organisation denies access, it must provide reasons for doing so.

47. Can a health service provider still charge a fee after rejecting access?
An organisation is not required to charge a fee for providing access and must not charge a fee for the lodgement of a request for access. If access were refused there would be no fee, because no service has been provided.

48. What happens when there are couples or groups in counselling and one party requests access?
Individuals are only entitled to access health information about themselves. If a service were being provided in a group setting then there would be either implied consent to sharing of the information within the group, or the implications of the group session should be discussed at the beginning. If information is obtained about an individual outside the group setting then the other members of the group are not entitled to access that information.

top of page

Transborder Data Flows

49. Can an organisation transfer health information about an individual to someone outside Victoria?
Information can be transferred outside Victoria with consent of the individual to whom the information is about. Otherwise the organisation transferring the health information must reasonably believe that the recipient of the organisation is subject to a law or binding scheme that is substantially similar to the HPPs.

50. If a health service provider has offices in Victoria and interstate, with the interstate office treating a Victorian, can they access their records interstate?
The Act only applies to an organisation that collects, or holds health, information in Victoria. Organisations that operate in Victoria and interstate are only bound by the Act to the extent that they do things relevant to the Act in Victoria. If an organisation’s Sydney office is treating a Victorian patient while they are in Sydney, then they can access the records held in Victoria, subject to any Commonwealth or NSW laws regulating this collection.

School related issues

51. Are schools considered health service providers?
Schools are considered as a health service provider to the extent that they provide a health service. There will be some persons within the school that are health service providers, e.g. school nurses, counsellors, and the provisions in the Act applicable to health service providers would apply to the information collected, used and held by these people.

top of page

Interaction with other legislation

52. How will the Health Records Act interact with the Commonwealth Privacy Act?
The Victorian Health Records Act and the Commonwealth Privacy Act are both valid legislation, which co-exist, and apply to health information. The Health Records Act is health specific, whereas the Commonwealth Act is more general, but covers health information as ‘sensitive information’. Those organisations working in the private sector will need to comply with both Acts and the consumer can choose which Act they prefer to seek remedy for a breach of their privacy.

53. The Commonwealth Privacy Act differs to the Health Records Act concerning some issues that are specifically addressed by the Health Records Act, which Act will apply?
Both Acts will apply and providers will need to comply with both. Complying with a specific provision within one Act, such as access to health information, should not be a breach of the more general provisions in the other Act.

54. With the commencement of the Health Records Act does the Federal Privacy Commissioner (FPC) have any powers relating to health service providers and other health service providers in Victoria?
The FPC has jurisdiction over Victorian health service providers if a complaint is made against the health service provider under the Commonwealth Privacy (Private Sector) Amendment Act. If the complaint against a health service provider is made under the Health Records Act then the Health Services Commissioner has jurisdiction to resolve the complaint.

55. How does the Health Records Act interact with other existing Commonwealth and State legislation concerning privacy, confidentiality, secrecy, access and disclosure?
The HPPs do not override other legislation – existing provisions in other statutes governing the confidentiality, use and disclosure of health information and those that regulate access to certain kinds of personal information (e.g. adoption information) are preserved. Specific statutory provisions will override the general standards in the Health Records Act to the extent of any inconsistency.

56. What is the relationship between the Health Records Act and the Victorian FOI Act?
The Health Records Act gives individuals access to health information about them held in the private sector, whereas the FOI Act will continue to give individuals access to health information about them held by the public sector.


57. What details should be included in an organisation’s privacy policy?
An organisation’s privacy policy may have a similar structure to others, but its contents are likely to be different. Using a good model from elsewhere can save time and resources but it is important that privacy policies are tailored to individual organisations because every organisation collects and handles personal health information differently. Also, if the organisation focuses on its own, distinct privacy policy it comes to understand the privacy standards in the practical context of its day-to-day operation.

The policy should detail how the organisation manages the health information it holds and the steps the individual must take in order to obtain access to their information.

top of page


Last updated: 27 April, 2007
This web site is managed and authorised by the Office of the Health Services Commissioner

Copyright | Disclaimer | Privacy Statement | State Government of Victoria Home | Download Help

For general enquiries to the Department of Health telephone 61 3 90960000