SummaryRead the full fact sheet
- By law, your medical records and health information must be kept safe and private by all medical and healthcare professionals, and all healthcare facilities, such as hospitals and clinics.
- You are allowed to access your child's health information.
- If you care for an adult, you can be authorised to have access to their information.
- You always have the right to access your own health information.
- If you think your doctor or other provider is mishandling your information, your first step is to ask them about it. If you think your health records have been shared without you agreeing to this or if you have any other worries about your records, speak to your doctor first.
There are laws that set out how your medical records and information can be shared. Any healthcare professionals who you see are bound by these rules. This means they cannot discuss your health information with anyone else without your consent. Your medical information must be stored in a way that protects your privacy.
Medical confidentiality is a set of rules that limits access to information discussed between a person and their healthcare practitioners.
With only a few exceptions, anything you discuss with your doctor must, by law, be kept private between the two of you and the organisation they work for. This is also known as doctor–patient confidentiality.
When you go to a new doctor, you can choose whether to share your previous medical records with them by giving your written consent to your other doctors, so that they can send your new doctor the information in your medical file.
Privacy in healthcare
Privacy in a healthcare situation means that what you tell your healthcare provider, what they write down about you, any medication you take and all other personal information is kept private. You have a legal right to this privacy, and there are laws that guide health service providers in how they collect and record information about your health, how they must store it, and when and how they use and share it.
You can give any of your health professionals your consent to share your health information, for example, when you change doctors and you want your new doctor to have access to your medical history. You also have a legal right to access your health information.
Definition of health information
Health information is any information about a person’s health or disability, and any information that relates to a health service they have received or will receive. Health information is sensitive and personal, which is why there are laws to protect your rights to keep your health information private.
How health services collect, store and share information
In Victoria, a health service is any organisation that collects information about people’s health, such as:
- doctors’ surgeries or clinics
- specialist clinics
- dental surgeries
- public and private hospitals
- sexual health clinics
- disability services
- nutrition services, such as dietitians and nutritionists
- maternal and child health clinics
- allied health services, such as optometrists and physiotherapists
- naturopaths, chiropractors, massage therapists and other complementary medicine providers
- fitness providers, such as gyms, fitness trainers and weight loss services
- healthcare workers in childcare centres, schools, colleges and universities.
Exemptions to privacy laws
There are two types of situations where a health service may use or share your health information without your consent. These are:
- when your or someone else’s health or safety are seriously threatened and the information will help, such as if you are unconscious and paramedics, doctors and nurses need to know if you are allergic to any drugs
- when the information will reduce or prevent a serious threat to public health or safety, for example, if you have a serious contagious illness and the public needs to be warned.
There are certain exemptions that may apply in law enforcement situations and in a court of law.
Health information privacy laws only apply rights to living people. They do not apply once the person is deceased.
Managing your own health information
You own your health information and decide who can access it. You always have the right to access it yourself by asking for a copy. You can keep a personal health record at home or via the free eHealth system, which is a secure online summary of your health information, run by the Commonwealth Government.
You control what goes into your eHealth record, and who is allowed to access it. You can add or delete information or change who has the right to access your record by changing the information online or by writing a letter stating the changes to eHealth. It allows you to choose which of your doctors, hospitals and other healthcare providers can view and share your health information to provide you with the best possible care.
Managing someone else’s health information
If you are a parent or guardian, you can access the health information of the children in your care. For someone who is over 18 years old, you can become their authorised representative if you have been given medical power of attorney, or if they have nominated you in an advance care plan.
Consent, medical treatment and health records in hospital
When you go to hospital, you can choose to give the staff access to your health records. You do not have to, but giving them your consent to access your information will help them provide the best care possible for you. Hospital staff are required to protect patients’ privacy and confidentiality.
While you are in hospital, staff will create a file that includes information about any tests, treatment and medication they give you. You can access this information by asking for a copy and adding it to your personal health or eHealth record.
There are situations when a person can be admitted to hospital and treated without their consent. An example of this is an emergency situation where a person requires urgent treatment and is unable to communicate, for example, is unconscious.
Your responsibilities about confidentiality and privacy
You can discuss your health and healthcare with anyone you choose, but you need to keep in mind that people who are not your healthcare providers are not bound by confidentiality rules.
If you keep a personal health record, you are responsible for keeping it safe and private. However, an eHealth record is kept safe and private by the Department of Human Services.
Breaches to your privacy or confidentiality
If you think a healthcare provider is breaking or abusing your privacy or confidentiality, your first step is to ask them about it directly. Start by talking to the person involved, and then talk to the organisation they work for. It can help to write down your complaint, date and details to discuss as this can make it formal and you can keep a record of any conversations and correspondence.
If the issue is not resolved to your satisfaction, you can contact the by calling 1300 582 113.
You can also use these channels to make an official complaint. You can do this online or by filling in a and emailing it to the commissioner.