Patient Medical Records Requests: A Complete Legal Guide for Australian Doctors   

Patients have a right to access their medical records under the Privacy Act 1988 (Cth). However, release to third parties — including family members, lawyers, insurers, and courts — requires specific authority. When in doubt about any request for records, seek medico-legal advice before releasing anything. 

Requests for patient medical records are one of the most frequent medico-legal issues facing Australian practitioners. They arrive from patients themselves, from lawyers, from courts, from insurers, and — in some of the most complex cases — from the families of deceased patients. 

Getting it wrong — releasing too much, too little, or to the wrong person — can expose you to regulatory complaints, privacy breaches, and civil liability. This guide explains the legal framework, your obligations, and the practical steps to handle each type of request correctly. 

The Legal Framework: Privacy Law and Medical Records in Australia 

State and territory legislation also applies in some contexts: 

Key Distinction: Ownership vs Access: The physical or digital record is generally owned by the healthcare provider or practice — not the patient. However, patients have a right to access the information in those records. This means you control the record, but you cannot generally refuse a patient access to their own health information. 

When Can You Release Patient Records? 

Records can be released in the following circumstances — each with its own requirements: 

1. With the Patient’s Written Consent 

The most straightforward situation. A competent adult patient can authorise release of their records in writing. Verbal consent is generally insufficient when records are being released to a third party. The written authority should specify: 

• Who the records are being released to 

• What records are covered (date range, specific encounters, etc.) 

• The purpose for which the records will be used 

• The patient’s signature and date 

2. Directly to the Patient 

Legitimate grounds to withhold or restrict access include: 

• Release would pose a serious threat to the patient’s life, health, or safety 

• Release would unreasonably disclose information about another individual 

• Access would be unlawful or court-ordered to be withheld 

3. Via Subpoena or Court Order 

4. For Mandatory Reporting or Regulatory Purposes 

5. To Lawyers Acting for the Patient 

Lawyers regularly request records on behalf of clients in personal injury, WorkCover, and family law matters. Before releasing records to a lawyer: 

• Confirm you have a signed authority from the patient authorising the release 

• Review the authority carefully — ensure it covers the records being requested 

The Most Complex Situation: Records of Deceased Patients 

The death of a patient creates some of the most difficult record release questions. Family members — even a spouse or adult child — do not automatically inherit the right to access a deceased patient’s records. This surprises many practitioners and many grieving families. 

The Privacy Act’s protections do not automatically extinguish on death. However, they do apply differently. The following parties may have legitimate grounds to request records: 

• The executor or administrator of the estate (with proof of appointment — typically a grant of probate or letters of administration) 

• A coroner or coronial court (subject to state/territory coronial legislation) 

• A court or tribunal with relevant jurisdiction 

• The deceased’s insurer where a claim is being made against the estate 

• A person with written authority signed by the deceased prior to death 

Warning: Do Not Auto-Release to Family – A spouse or adult child asking for a deceased patient’s records — even in distressing circumstances — does not have automatic legal authority to receive them. Before releasing anything, confirm the requester’s legal status. If they are the executor or administrator, ask for evidence of appointment. If you are uncertain, seek medico-legal advice before acting. 

Responding to Requests From Lawyers — What You Need to Know 

Lawyers are among the most frequent requesters of medical records. Important principles to remember: nvene with additional support. 

Tip: Odd or Broad Requests – Be wary of requests that seem unusually broad (‘all records ever’) or that come with pressure to respond urgently. You are entitled to ask for clarification and to take reasonable time to assess the request. If a request feels wrong, it may be. Seek advice. 

What Records Should You Withhold or Redact? 

Not everything in a file needs to be released with every request. Consider whether: 

• Records pre-date the scope of the request (e.g., a request related to a 2022 injury does not require 2010 records) 

• Records contain information about third parties who have not consented to disclosure 

• Mental health records or sensitive information are specifically addressed by the request — some mental health records have additional protections under state legislation 

• The request was not made by or authorised by the person with legal authority to receive the records 

When in doubt about redaction, it is better to be more conservative and invite the requesting party to make a more specific request, or to seek legal advice before acting. 

Practical Steps When You Receive Any Records Request 

Regardless of who is requesting, follow these steps: 

• Step 1: Identify who is requesting and on what authority 

• Step 2: Determine the scope — what specific records, for what period? 

• Step 3: Obtain and review patient authority (if required) 

• Step 4: Assess whether any records should be withheld or redacted 

• Step 5: Prepare the records and charge a reasonable fee if appropriate 

• Step 6: Release to the correct recipient (court registry for subpoenas, not the solicitor) 

• Step 7: Document what you released, to whom, when, and on what authority 

Checklist: Before Releasing Any Records 

☐  Have I confirmed the requester’s identity and authority? 

☐  Do I have written consent from the patient (if living)? 

☐  Is this a subpoena, a lawyer’s request, or a patient request? (Different rules apply.) 

☐  Is the patient deceased? If so, who has legal authority to authorise release? 

☐  Are there third-party records in the file that should be withheld? 

☐  Have I sought medico-legal advice if any aspect of this request is unclear? 

☐  Have I documented what I released, to whom, and when? 

Frequently Asked Questions 

Q: Can I charge for releasing medical records? 

Yes. You are entitled to charge a reasonable fee that reflects the actual cost of locating, retrieving, and copying records. You cannot charge a fee so high that it constitutes a barrier to access. The OAIC provides guidance on reasonable fees under APP 12. 

Q: What if a patient wants to see their mental health records and I’m concerned this could harm them? 

Q: Can I release records to police without a warrant or subpoena? 

Q: A lawyer has sent a letter saying they’re investigating a claim against me. What do I do with the records request in the same letter? 

Stop. Call your medico-legal insurer before releasing anything. When a letter suggests a potential claim, the records request must be handled very carefully — what you release, and how, can affect your legal position significantly. 

This publication is general in nature and is not comprehensive or constitutes legal or medical advice. You should seek legal, medical or other professional advice before relying on any content, and practice proper clinical decision making with regard to individual circumstances. Persons implementing any recommendations contained in this publication must exercise their own independent skill or judgment or seek appropriate professional advice relevant to their own particular practice. Compliance with any recommendations will not in any way guarantee discharge of the duty of care owed to patients and others coming into contact with the health professional or practice. Tego Insurance Pty Ltd is not responsible to you or anyone else for any loss suffered in connection with the use of this information.

All content on this page has been written in a generic way, and has not been presented with any knowledge of your personal objectives or financial needs.