People regard health information as one of the most sensitive types of personal information. For this reason, the Privacy Act provides extra protections around the handling of health information. For example, an organisation generally needs an individual's consent before it can collect that individual's health information.
In addition, all organisations that provide a health service are covered by the Privacy Act (whether or not they are small businesses). Organisations providing a health service include:
- traditional health service providers such as private hospitals and day surgeries, doctors, pharmacists
- allied health professionals (e.g. psychologists)
- complementary therapists (like naturopaths and chiropractors) and
- in some cases gyms, weight loss clinics etc.
The Privacy Act regulates how these organisations collect and handle personal information, including health information. It also includes provisions that generally allow a person to access information held about them. Our Office has information sheets and guidelines to help individuals and organisations providing a health service understand their rights and responsibilities.
Can I get access to my medical records?
If your medical records are held by a private sector organisation, such as a doctor in private practice or a private hospital, as a general rule, you have a right to gain access to information held about you. You may exercise this right in a number of ways, depending on the sort of information you have asked for, the type of organisation and the way the organisation holds its records. More information about access to health records is available at www.privacy.gov.au/faq/health/q5.
Can I access my health information at a public hospital?
Personal information held by state or territory public hospitals is not covered by the Privacy Act, but may be protected by relevant State and Territory laws. Public hospitals located in the ACT are covered by the Privacy Act.
Can an organisation charge me for access to my health information?
Yes, an organisation can charge for providing access to medical records. However, the fees which an organisation can charge for providing access must not be excessive and it cannot charge you just for making a request for access.
If an organisation incurs substantial costs in meeting a request for access, then the organisation could charge a reasonable fee to meet the administrative costs involved. For example, an organisation could recover some of the costs of photocopying or of the staff time involved. For more information on charging for access to medical records, see Guidelines on Privacy in the Private Health Sector and, on charging for access generally, see Information Sheet 4.
What about my healthcare identifier?
Healthcare identifiers are 16-digit numbers issued to all those receiving healthcare in Australia. The Healthcare Identifiers Act 2010 provides strong controls around access, use and disclosure of healthcare identifiers. For more information, see Healthcare Identifiers.
Other places to go
- If you're an individual and would like more information about your health privacy rights, see our consumer's guide to privacy and health information: My Health My Privacy My Choice.
- For a snapshot of how the Privacy Act applies to health information, see Health information and the Privacy Act 1988: A short guide for the private health sector.
- Health service providers can find out more about complying with the National Privacy Principles in the Privacy Act by reading our Guidelines on Privacy in the Private Health Sector.
- If you are after guidance on something specific, you may find our health information sheets helpful.
- Got a question on health privacy? Chances are someone's asked it before. See our Frequently Asked Questions on health.
- For information on privacy guidelines for medical research, see Health and medical research.
- For information on Medicare and the Pharmaceutical Benefits Scheme and the privacy guidelines that apply, see Medicare and pharmaceutical benefits.
- For information on privacy guidelines for genetic information, see Health and genetic information.
- For further information there are dedicated health pages for individuals and businesses available on this site.
- If you think an agency or organisation has misused your personal information, you can make a complaint. To find out more, see Complaints.