The Health Records Act 2001 (the Act) created a framework to protect the privacy of individuals' health information. It regulates the collection and handling of health information. The Act:
- gives individuals a legally enforceable right of access to health information about them that is contained in records held in Victoria by the private sector; and
- establishes Health Privacy Principles (HPPs) that apply to health information collected and handled in Victoria by the Victorian public sector and the private sector.
The access regime and the HPPs are designed to protect privacy and promote patient autonomy, whilst also ensuring safe and effective service delivery, and the continued improvement of health services. The HPPs generally apply to:
- all personal information collected in providing a health, mental health, disability, aged care or palliative care service; and
- all health information held by other organisations.
Complaints about interferences with privacy (breaches of Part 5 of the Act or an HPP) are handled by the Health Complaints Commissioner.
Who must comply with the Health Records Act?
The Act applies to the health, disability and aged care information handled by a wide range of public and private sector organisations. This includes health service providers, and also other organisations that handle health information. For example:
- bodies such as companies, incorporated associations, unincorporated associations, Local Government, Victorian Government agencies and Departments, public hospitals and other public bodies (such as Victoria Police); and
- sole practitioners, partnerships, Members of Parliament, and trustees.
The Health Privacy Principles (HPPs) in the Act apply to health information that is handled in Victoria. The Act will apply in two main ways.
- Does the organisation provide a health, disability or aged care service?
When an organisation provides a health, disability or aged care service, the HPPs apply to all identifying personal information originally collected by the organisation in the course of providing that service. All such information is "health information". Such a provider is referred to in the Act as a "health service provider".
This will include personal information collected to provide services by persons or entities such as:
- GP clinics
- speech pathologists
- Personal information collected in other situations
The HPPs will apply to the collection, use and handling of identifying personal information that is defined as "health information" under the Act. This will include:
- information or opinion about the physical or mental health, or disability, of an individual
- an individual's expressed preferences about the future provision of health, disability or aged care services to him or her
- the nature of health, disability or aged care services that have been, or are to be, provided to an individual
- information originally collected in the course of providing a health, disability or aged care service to an individual
- personal information collected in connection with the donation of human tissue
- genetic information that is or could be predictive of the health of an individual or their descendants.
Any organisation that handles this kind of identifying health information is subject to the HPPs, unless an exemption under the Act applies. The exemptions under the Act are very limited.
The Act applies regardless of the size of the business or organisation. There is no "small business" exemption.
Organisations that are subject to the Act, when they handle health information, include:
- Victorian Government Departments and public bodies established under Victorian law
- blood and tissue banks
- public and private sector employers (e.g. in relation to their employees' personnel records)
- kindergartens and crèches
- insurers and superannuation organisations
- any other organisation that holds health information or health reports concerning its clients or customers.
Access to health records and maximum fees for access
- Access to health information
Individuals have an enforceable right of access to their health information held by a private sector organisation under the Victorian Health Records Act 2001 (the Act),
A private sector organisation includes health service providers who are sole practitioners or in partnerships.
Requests for access to health information held by Victorian public sector organisations are made under the Freedom of Information Act 1982 (Vic). If you wish to apply for your records that are held by the Victorian Department of Health, please visit .
1.1 What health information is an individual entitled to receive?
An individual has a right of access to their health information held by a private sector organisation under Part 5 and Health Privacy Principle 6 (HPP 6) of the Act. It relates to all health information collected by the private sector organisation on or after 1 July 2002.
A more limited right of access also applies to certain health information that is collected by a private sector organisation before 1 July 2002, including:
- the individual's health or disability history
- the results of an examination or investigation
- a diagnosis or speculative diagnosis
- a plan or proposed plan of management
- services provided or action taken
- genetic information that is or could be predictive of health
- other personal information about a donation of body parts.
In both cases an individual's right to obtain access is subject to the grounds set out in HPP 6 that permit an organisation to lawfully refuse access.
1.2 Forms of access
The Act enables an individual to request health information collected by a private sector organisation on or after 1 July 2002 in a number of ways. Access can be by way of:
- inspection of the health information or, if the health information is in an electronic form, a printout of that information, and having the opportunity to take notes of its contents
- the provision of a copy of the health information
- the provision of an accurate summary, instead of a copy, if the organisation and the individual agree that a summary is appropriate; or
- an opportunity to view the record, and in the case of health information held by a health service provider, it may be accompanied by an explanation of the information by the health service provider. (In addition, if the organisation that has received the request for an explanation is not a health service provider, it may agree to allow an explanation to be given by a suitable health service provider, but it is not legally obliged to do so under the Act.)
Access may also be granted in any of these ways to health information collected by the organisation before 1 July 2002, where the organisation agrees to this. In the absence of any agreement, the Act entitles the individual to receive an accurate summary of the information.
In addition, Health Privacy Principle 11 (HPP 11) gives an individual a right to request that their health information be transferred from one health service provider to another. The health service provider must then consider the request under HPP 11, regardless of whether the information was originally collected by that provider before or after 1 July 2002. The requirements of HPP 11 are outlined further below.
- Fees for access and related activities
The Act provides that regulations may be made by the Governor in Council to fix the maximum levels of fees that may be charged when organisations provide access under the Act from 1 July 2002.
The Health Records Regulations 2002 came into operation on 1 July 2002 alongside the Act, but these were updated in September 2012, when the Health Records Regulations 2012 came into effect. The 2012 regulations contained a new fee schedule (see table below).
A key objective of the regulations is to strike an appropriate balance between allowing adequate cost recovery for organisations and not setting maximum fees that are prohibitive for applicants.
These regulations apply when an individual is exercising a statutory right to obtain access to, or requests the transfer of, health information under the Act. No person other than the individual concerned (or their guardian, authorised representative or other authorised person) has the ability to require access under the Act. When an organisation voluntarily gives information to a third-party, as permitted under the standards set out in HPP 2 of the Act or another law, this is 'disclosure' of health information; it is not 'access'
Fees may only be charged for granting access under the Act where this is permitted by the Act itself or the regulations. Generally, the regulations set out:
- when a fee may be charged
- how the fee may be calculated in a particular case
- what is the maximum fee that may be charged in a particular situation.
The fee caps are summarised in the table below. The fee caps are expressed in 'fee units', the value of which is determined each year by the Treasurer under the Monetary Units Act 2004. This allows the fee cap to increase each year in line with general cost increases. The current value of a fee unit is available at the Department of Treasury and Finance. Further information about health records for individuals and organisations can be found on the .
Table of Fees
Items 1 & 2
1.2 fee unit per half hour or part thereof**
Reasonable costs incurred for assessing and collating health information, not exceeding 2.5 fee units.
Use of equipment not in organisation's possession
Reasonable costs incurred
20 cents per page for A4 black & white. Reasonable costs otherwise.
(c) Time for assessing & collating health information
2.5 fee units
(d) Transporting records held off site
1.2 fee units
Actual postage cost, if request to be posted
Greater of usual consultation fee (if a health service provider) or 2.9 fee units per quarter hour, up to 9.4 fee units.
>20 cents per page for A4 black & white if at least 20 pages. Reasonable costs otherwise
Item 2: Summary of health information to another health service provider
Greater of usual consultation fee or 2.9 fee unit per quarter hour, up to 9.4 fee units, where the time taken to prepare is at least 30 minutes
Reasonable costs not exceeding 4.7 fee units per quarter hour up to 23.6 fee units
** The current fee for supervision is expressed in terms of quarter hours. However, in order to make use of the Monetary Units Act, the fee units must be expressed as 1 fee unit or more. Therefore this has changed to be expressed in terms of a half-hour, although the Regulations provide for charges to be made in quarter-hour increments.
Item 3 above (providing a copy) is most relevant, as most individuals who are seeking access request a copy of their records. Note the following:
- Time for assessing & collating health information – the fee is 2.5 fee units
- The fee for making a copy of health information to the individual at 20 cents per A4 black and white page (plus GST) and is not indexed every year.
Organisations must consider each element of the fee structure as set out in the regulations and determine if it is applicable to the particular access request.
The Act does not require any fee to be charged when access is given or information transferred. Organisations are encouraged to consider whether a charge is appropriate in relation to each request. This is especially the case in situations where no (or minimal) costs would be incurred. (For instance, if information is readily available in an electronic form and a printout is provided.)
An organisation may therefore decide not to charge a fee, or to charge the maximum fee permitted in the particular case, or a lesser fee.
The Act does not permit a fee to be charged for lodging a request for access. The maximum fees relate to the granting of access.
There are three main areas where the regulations fix maximum fees.
2.1 Personal access
An individual may request access to health information about them that is held by a private sector organisation (including health service providers who are sole practitioners or in partnerships) under Part 5 and HPP 6 of the Act. This is outlined above.
These provisions set out where access to parts of a record may be legitimately refused, to take into account the fact that such access may not be appropriate. (For example, if providing access to information would have an unreasonable impact on the privacy of another person.)
Regulation 5 and schedule 1 to the regulations set out the maximum fees that may be charged by a private sector organisation when it provides a copy or an accurate summary, allows the individual to inspect the health information (with an opportunity to take notes), or allows the individual to view the information (without the opportunity to take notes).
The regulations do not specify a maximum fee that is available when a private sector health service provider gives an individual an explanation of their information under the Act. Section 32(4) of the Act provides that in such a case the person giving the explanation may charge the individual a fee that does not exceed their usual fee for a consultation of a comparable duration.
Public sector organisations (such as Government Departments and public hospitals) and others who are subject to the Freedom of Information Act 1982 (‘FOI Act’) should note that, if they receive a request for access to health information, the request is governed by the FOI Act, not Part 5 and HPP 6 of the Health Records Act.
2.2 "Second opinion" about serious threat
The Act (Part 5) and the FOI Act (s 33) both contain a special procedure that applies when a person applies for health information about them and granting that person access under either Act would constitute a serious threat to their life or health. In such a case, the public or private sector organisation that has received the request must refuse to give the person access to this part of the health information.
The Acts provide that an independent health service provider nominated by an individual can be asked to give a "second opinion" about that decision. The organisation may also suggest a health service provider who can perform this role.
If an individual chooses to nominate a health service provider for the purposes of this discussion, or accepts an independent nominee proposed by the organisation, that provider may charge the individual a fee for performing this service, provided the fee does not exceed the maximum set out in regulation 7. This will be lessor of 4.7 fee units per quarter hour of the time spent or a maximum 23.6 fee units.
2.3 Making information available to another health service provider
An individual may make a statutory request under HPP 11 to a health service provider for some or all of their health information to be made available to another health service provider. The individual may also authorise the other health service provider to make this request on their behalf.
Unlike the access regime for individuals under Part 5:
- HPP 11 only applies in relation to information held by a "health service provider". This includes any organisation to the extent that it that provides health, disability or aged care services, and pharmacists; and
- HPP 11 applies to health service providers in both the public and private sectors. (This includes private practitioners, private health and aged care disability providers, any other private organisation that provides a health, disability or aged care service, and public hospitals.)
This provision is especially relevant where an individual does not wish to personally obtain their health information under Part 5, but does require that it be made available to another provider.
It is customary for information to be shared between providers who are jointly involved in the care of an individual, without requiring that individual to pay a fee before one provider makes the information available to the other. For instance, general practitioners do not charge a fee before providing relevant information to a specialist to whom they have referred a patient, with the consent of the patient. Provided such disclosures are made in accordance with HPP 2, they are authorised under the Act and are not intended to fall within HPP 11. The Act is not intended to discourage the lawful exchange of information between providers on behalf of the patient, where this occurs free of charge.
However, such a transfer of information for further treatment or services is a voluntary disclosure by a provider. HPP 11 will give individuals a legal right to require that information be made available to another health service provider. Regulation 8 and schedule 2 allow a fee to be charged when information is made available in response to such a request as follows:
- copies of 20 (or more) black and white A4 pages
- a copy in another form (e.g. colour pages or x rays)
- an accurate summary, which has to be prepared in response to the request (because it does not exist before the request is made), if it takes the health service provider at least 30 minutes to prepare.
Schedule 2 of the regulations sets out the maximum fees that can be charged in these cases.
See the Table of Fees above to calculate the fee payable
Regulation 10 provides that if GST is payable for providing access under Part 5/HPP 6, transferring information to a health service provider under HPP 11, or acting as a "nominated health service provider" to assess serious threat, that the amount of GST payable may be added to the amount otherwise permitted under the relevant regulation. For example, if under schedule 1 a charge of $30.00 is the maximum amount that can be charged for providing copies of information to an individual, and GST is payable, then the overall maximum fee is $33.00.
Collection of 'family medical history' under the Health Records Regulations 2023
Authority to collect family medical history
HPP 1 of the Health Records Act (the Act) specifies the circumstances in which a public or private sector organisation may collect identifying health information. This principle sets out a number of the grounds for the collection of health information for the purposes of providing health services. HPP 1 also allows regulations to be made to specify additional grounds
It is an accepted part of some health services delivery, especially medical practice, that a health service provider will prepare a family medical history or social medical history from information provided by the person seeking health services, to assist in diagnosing and treating that person or to provide him or her with other health, disability or aged care services. This history will ordinarily be prepared without the consent of the relatives or other third parties concerned, as it will not be practicable to obtain their consent.
Regulation 9 of the Health Records Regulations 2023 (the regulations) therefore supplements HPP 1 by allowing a health service provider to request and record health information about a third party, provided that:
- the information collected about that third party does not contain any more identifying information than is reasonably necessary to provide safe and effective treatment or services to the person who is being treated or receiving services from the provider; and
- the information is collected from the person being treated or who is receiving the services, or if he or she unable to give the information because of an incapacity (due to age, injury, disease, senility, illness, disability, physical impairment or mental disorder), from that person's authorised representative, immediate family member or primary carer.
Organisations should refer to regulation 9 for details of this ground of collection.
The terms "immediate family member" and "parent" are relevant to this regulation, and are defined in section 3 of the Act as follows:
immediate family member of an individual means a person who is-
(a) a parent, child or sibling of the individual
(b) a spouse or domestic partner of the individual
(c) a member of the individual's household who is a relative of the individual
(d) a person nominated to a health service provider by the individual as a person to whom health information relating to the individual may be disclosed.
parent, in relation to a child, includes-
(a) a step-parent
(b) an adoptive parent
(c) a foster parent
(d) a guardian
(e) a person who has custody or daily care and control- of the child.
Regulation 9 also provides that a health service provider who collects health information under this provision is not obliged to inform the third party to whom the information relates about the collection.
Health Records Regulations 2023
The Health Records Regulations 2023 (‘the regulations’) commenced on 18 August 2023. The regulations replicated the 2012 regulations with minor clarifying amendments to regulation 9. More information about the new regulations is available on the .
Reviewed 18 August 2023