Documentation, legislation and storage of patient health records

This section discusses the legal requirements for managing patient health records in Australia and Aotearoa New Zealand, including storage, retention, destruction and disposal. The information provided is not comprehensive and psychiatrists should seek advice from their Medical Defence Organisation (MDO) or their legal representative as necessary. Some additional guides have been included to assist with understanding of various acts and codes.

Ownership of medical records

A simple rule of thumb is that a patient owns the information contained in their health record and the psychiatrist owns the material form of the record.

Health records legislation, guidelines and codes

Key Australian legislation

In Australia, the Office of the Australian Information Commissioner administers the Privacy Act 1988(the Act). The Act includes 13 Australian Privacy Principles which contain the mandatory requirements for the handling and using of personal information. Within the Act there are provisions that deal specifically with heath information. Under the Act, Health information is defined as a subset of sensitive information, which in turn is a subset of Personal information. Depending on your jurisdiction, your State or Territory may have separate legislation regarding health information.

For further information on how these principles are applied refer to:

• Australian Privacy Principles guidelines
• Guide to securing personal information
• Australian Digital Health Agency – Secure health messaging

For a list of Australian legislation, guidelines and codes for health records management refer below.

Key New Zealand legislation

The Office of the Privacy Commissioner – Te Mana Matapono Matatapu – administers the Privacy Act 2020. The Privacy Act applies to almost every person, business or organisation in Aotearoa New Zealand. The Act sets out 13 privacy principles that guide how personal information can be collected, used, stored and disclosed.

‘However, health practitioners are to be guided by the Health Information Privacy Code 2020 (Privacy Code) which outlines how health information specifically is to be collected, used, held and disclosed by health agencies. It takes the place of the information privacy principles for the health sector.’

Importance of good documentation in health records

Good documentation is central to good clinical practice and are part of continuity of patient care. Other health professionals may have clinical interactions with your patient therefore the patient record should provide a comprehensive recording of the patient’s presenting symptoms and your diagnosis, treatment and care plans. Quality health records can safeguard the psychiatrist if there are allegations about the care provided to patients. Missing, incomplete or illegible documentation will place the health practitioner at risk of being unable to explain or document his/her decision-making. Strong, supportive expert opinions are more readily obtained when clinical reasoning, even in the presence of adverse outcomes, is well documented.

In Aotearoa New Zealand, failure to keep good clinical records may breach the Code of Health and Disability Services Consumer Rights, Right 4: the right to Services of an Appropriate Standard.

In recording health information about their patients, a psychiatrist should:

• keep clear, accurate and legible records
• ensure contemporaneous record health information is recorded as soon as possible after the consultation or clinical interaction
• check what they have written to ensure information is not ambiguous or misleading.

Australian legal requirements for Medicare

In Australia, the Medical Benefits Schedule (MBS) requires that all health practitioners who provide a service for which a Medicare benefit is payable, maintain accurate and contemporaneous health records which demonstrate how they have met the requirements of the MBS or Pharmaceutical Benefits Scheme (PBS). The risk of Medicare concerns leading to a Professional Services Review (PSR) referral can be minimised by ensuring:

• clear justification or management decisions, including referrals and prescriptions, which accord with generally accepted, competent professional practice
• notes are eligible and contain sufficient details, particularly for Medicare items that are less common.

Almost without exception Medicare Australia take the view that inadequate records equate to an inability to justify a claimed service. The quality and content of notes will more than likely determine the outcome of any Medicare Australia investigation and subsequent PSR.

Refer to:

• Australian Government Department of Health – Administrative Record Keeping Guidelines for health Professionals
• Professional Services Review – Information for practitioners referred to PSR.

Alterations and corrections to health records

Health records should not be altered. Once notes have been made, they should not be edited, erased or obliterated. Amendments in the normal course of patient management – i.e. corrections, retrospective notes, entries made out of date or time sequence, and addenda – should be clearly marked as such in the record. The amendment should be initialled, and date of the correction included.

No changes of any sort should be made to the relevant patient’s health record in situations when a health practitioner becomes aware of a claim or complaint. The inappropriate alteration by a medical practitioner of medical records relating to a claim or complaint will have an adverse impact on the proceedings and impact upon their prospects of a successful defence. It may breach ethical professional guidelines.

Health records content

A psychiatrist should ensure that within a patient’s health record the following information about the patient is recorded:

• contact, including emergency, details and other demographic information including the patient’s ethnic/ cultural background. Māori and pacific people have particular needs and cultural preferences
• medical history, evidence of physical examination
• clinical findings, diagnosis (as a minimum a provisional diagnosis), decisions, investigations, treatment, drugs prescribed, procedures/interventions and progress for each treatment episode
• consultation notes (including care outside normal opening hours and home visits)
• information provided to patients
• medical management plan
• letters received from hospitals or consultants and other clinical correspondence
• investigations or referrals and results
• comprehensive completion of all patient/client care forms
• copies of certificates provided (e.g. Sick and Workers Compensation Certificates or ACC Forms completed).

Secure storage of health information

Patient health records may be kept in paper or electronic format, or a combination of both. When a combination is used, a cross referencing system is required for the relevant patient records. Electronic records must be able to be printed, as required.

Patient health records must be stored securely to protect them from misuse, loss, unauthorised access, modification, disclosure, damage, loss or theft. Reasonable steps must be taken to ensure the security and storage of patients’ health information including:

• Having a written policy on the privacy of patient health information that states:
  • who controls access and the levels of access allowable to individual staff
  • the use and security of passwords, including regular changes to passwords.
• the use of the information for purposes not authorised by legislation will not occur without the consent of the patient or their authorised representative.
• Storing them where the public cannot access them but where authorised staff have ready access.
• Providing lockable physical security for paper records.
• Seeking advice from an IT specialist about protection against unauthorised access, amendment of records, computer viruses, and firewalls.
• Using up-to-date IT applications and software to prevent external attacks.
• Using backup IT technology for electronic health records – preferably offsite, such as server or cloud technology – and performing complete backup on a regular basis.

New Zealand practitioners should refer to ‘Rule 5: Storage and security’ of the Privacy Code. The Accident Compensation Corporation (ACC) guide provides useful information about protecting your patient’s information.

Practitioners may wish to ensure their staff are trained in storing and managing patient information / records. The Privacy Commissioner provides useful training courses.

Scanning of documents

Electronic health records, which have been created by the scanning of a patient’s health records in paper format, must be of an acceptable standard for legal purposes. To ensure this, the electronic copy must be:

• an exact replica
• unable to be edited
• able to be printed.

Legislation, guidelines and codes for health records management

Australia

All states and territories

• Privacy Act 1988 (Cth)
• Office of the Australian Information Commissioner
  • APP Guidelines 
  • APP Quick reference tool
  • Privacy fact sheet 17: APP
• Privacy and Health Record Resource Handbook for Medical Practitioners in the Private Sector
• Handbook for the management of health information in general practice

New South Wales

• Health Records and Information Privacy Act 2002 
• Statutory guidelines on training – NSW Information and Privacy Commission

ACT

• Health Records and Information Privacy Act 2002 
• Health Records (Privacy and Access) Act 1997

Victoria

• Health Records Act 2001 
• Health records: Providers (Health Complaints Commissioner – see Health Privacy Principles, specifically HPP2)

Queensland

• Information Privacy Act 2009

Applies to general privacy in the Queensland public sector.  Only special provision made for health agencies, is that they must comply with ‘National Privacy Principles’ as contained in Schedule 4 of the Act.

Tasmania

• Personal Information Protection Act 2004

Personal information Protection Principles
Applies to personal information in a general sense, held by State government agencies and University of Tasmania.

South Australia

N/A – Privacy concerns covered by administrative instruction requiring government agencies to comply with a set of Information Privacy Principles (IPPs). Also established a South Australian Privacy Committee.

Western Australia

N/A - Various confidentiality provisions cover government agencies and some of the privacy principles are provided for in the Freedom of Information Act 1992 (WA). The Freedom of Information Act is overseen by the Office of the Information Commissioner (WA).

Aotearoa New Zealand

Legislation

• Privacy Act 2020
• Health Information Privacy Code 2020
• Health (Retention of Health Information) Regulations 1996
• Official Information Act 1982

Useful resources

• Health and Disability Commissioner (Code of Health and Disability Services Consumers' Rights) Regulations 1996
• Medical Council of New Zealand Managing patient records.

Accident Compensation Act

A very useful guide on basic privacy principles

NZ Medical Association

Members are able to access information on all key legislation in New Aotearoa Zealand

Contact

For enquiries about this page, contact policy@ranzcp.org

Disclaimer

This information is intended to provide general guide to practitioners, and should not be relied on as a substitute for proper assessment with respect to the merits of each case and the needs of the patient. The RANZCP endeavours to ensure that information is accurate and current at the time of preparation, but takes no responsibility for matters arising from changed circumstances or information or material that may have become subsequently available.