The Law Handbook 2024

Chapter 9.1: Health and the law 871 Access to medical records Patients have rights to access information held by health service providers. The way to access this information depends on whether the health service provider is a public one (e.g. a public hospital) or a private one (e.g. a private hospital, a general practitioner). Note that access to information may, or must, be refused in some circumstances. Public health service providers Under the Freedom of Information Act 1982 (Vic) (‘ FOI Act ’), people who have been treated in public hospitals in Victoria can gain access to their health records. If a public hospital refuses access to a patient’s medical record under the FOI Act, the patient may seek review with the Office of the Victorian Information Commissioner (see ‘Contacts’ at the end of this chapter). Private health service providers Individuals treated in private hospitals, by private doctors or other private health professionals, have the right to gain access to their health records under the Health Records Act 2001 (Vic) (‘ HR Act ’), and under the Privacy Act 1988 (Cth) (‘ Privacy Act ’). For more information, see Chapter 12.2: Privacy and your rights. A person may complain to the Victorian Health Complaints Commissioner or the Office of the Australian Information Commissioner (see ‘Contacts’ at the end of this chapter) if a private hospital, health professional, or any private sector organisation holding health information, refuses to provide a person with access to their own records. Privacy and confidentiality Introduction People generally assume that all communication between themselves and their doctor, or other health professional, will remain private. If it were not so, people might be reluctant to seek medical treatment and may be less honest in describing their ailments. The law generally reflects this expectation, though the principle of confidentiality is subject to exceptions. Statutory regulation of privacy The HR Act and the Privacy Act set out situations in which it is lawful for health professionals and institutions to disclose health information, and also impose obligations relating to data quality, data security and access to health information (amongst other things). In Victoria, all health services are subject to the HR Act and its Health Privacy Principles ( HPPs ), in addition to any specific statutory restrictions on sharing information (see ‘Confidentiality in hospitals and other services’ below). Additionally, private health service providers are subject to the Privacy Act and its Australian Privacy Principles ( APPs ). Both Acts set up complaint procedures for individuals who believe confidential information about them has been unlawfully disclosed to a third party or their health information has not been appropriately handled. For more information, see Chapter 12.2: Privacy and your rights. Confidentiality in hospitals and other services In Victoria, the Health Services Act 1988 (Vic) (‘ HS Act ’) establishes the regulatory framework for various kinds of health services, including public and private hospitals, day procedure centres and community health centres. These bodies are each ‘relevant health services’ that are subject to additional confidentiality obligations in section 141 of the HS Act. That section applies to the relevant health service itself, the board of the service, a person who is/was a member of the board, a delegate to a board, a proprietor of such a service, or a person engaged or employed in a service or performing work for the service. These people are generally prohibited from disclosing information that could directly or indirectly identify an individual, except to carry out functions or exercise powers under legislation or where an exception applies (see below). Additionally, the HS Act (s 141(3)) lists the cases in which confidential information may be lawfully disclosed: • with the prior consent of the person to whom it relates or, if that person has died, with the