Changeflow GovPing Data Privacy & Cybersecurity Access Your Health Information Rights in Australia
Routine Guidance Added Final

Access Your Health Information Rights in Australia

Favicon for www.oaic.gov.au Australia OAIC Privacy Determinations alt
Detected
Email

Summary

The OAIC published guidance explaining that Australian privacy law grants individuals a general right to request access to health information held by health service providers. The guidance specifies that providers should respond within 30 days, may charge a non-excessive fee for access, and must provide written notice if refusing a request. Individuals may authorize representatives, request information in specific formats, and lodge complaints with the OAIC if unsatisfied.

“A health service provider should respond to a request for access to your health information within a reasonable period. We generally think 30 days is a reasonable period.”

OAIC , verbatim from source
Published by OAIC on oaic.gov.au . Detected, standardized, and enriched by GovPing. Review our methodology and editorial standards .

About this source

GovPing monitors Australia OAIC Privacy Determinations alt for new data privacy & cybersecurity regulatory changes. Every update since tracking began is archived, classified, and available as free RSS or email alerts — 3 changes logged to date.

View original document View source feed page

What changed

The OAIC published a guidance page explaining the existing rights of individuals under Australian privacy law to access their health information held by health service providers. The document details procedural steps: individuals should contact providers directly, requests may be made in writing with identification, and providers may charge a non-excessive fee covering staff time, reproduction, and postage. Providers may refuse access only in limited circumstances such as threats to life or health, impact on another person's privacy, or unlawful disclosure — and must provide written notice explaining the refusal and complaint options.

For health service providers, this guidance confirms existing obligations under the Privacy Act 1988 and Australian Privacy Principles. Providers should establish clear procedures for handling access requests, respond within a reasonable period (typically 30 days), and maintain written records of refusals including appeal mechanisms. When doctors retire or die, records retention depends on state or territory law, with some jurisdictions (ACT, NSW, Victoria) requiring 7-year retention or until a child patient turns 25.

Archived snapshot

Apr 23, 2026

GovPing captured this document from the original source. If the source has since changed or been removed, this is the text as it existed at that time.

Access your health information

Public hospitals

State or territory laws cover health information a public hospital holds about you.

How to request access

Contact the health service provider that holds your health information to request access. Only you or another person you’ve authorised, such as a legal guardian or authorised representative, can make the request.

You may be asked to put your request in writing and for information that identifies you. You may be asked to include:

  • your name and address
  • the health information you want
  • how you’d like to access the health information (such as, by email, paper copies or if you just want to look at the information)
  • if you authorise a person or organisation to access the health information on your behalf.

When should you get a response to your request?

A health service provider should respond to a request for access to your health information within a reasonable period. We generally think 30 days is a reasonable period.

Can a health service provider refuse your request?

A health service provider can refuse to give you access to your health information in some situations, such as if:

  • it may threaten your or someone else’s life, health or safety
  • it may impact someone else’s privacy
  • giving access would be unlawful. If giving you certain information would impact someone else’s privacy, a health service provider could block out that part and give you the rest of the information. If it’s not possible to give information directly to you because of a concern for your health or safety then they might give access through an agreed third party.

If your health service provider refuses to give you access they must give you a written notice telling you why, and how you can complain about their refusal.

How will you receive your health information?

You can ask for your health information to be given to you in a particular way — by email, phone, hard copy, electronic record, in person, letting you view it, or sending a copy to another health service provider.

If you ask for access in a way that is unreasonable or not practical, a health service provider can give it to you another way — such as on a USB stick rather than paper copies, giving you a summary of the information or allowing you to view it. Another option is to use an agreed third party.

If a health service provider refuses to give you access in the way you requested they must give you a written notice telling you why, and how you can complain about their refusal.

Is there a charge?

A health service provider may charge a fee for giving you access, but this charge can’t be excessive.

The charge may include the cost of:

  • staff searching for, locating and retrieving the requested information, and deciding which health information is relevant to the request
  • staff reproducing and sending the health information
  • the postage or materials involved in giving access
  • using an intermediary, if necessary. A health service provider can’t use this charge to discourage you from requesting access to your health information. If possible, they should tell you the likely amount of the charge.

They should also discuss with you options for changing your request to minimise the charge. For example, by changing the way they give it to you — by email rather than paper copy.

When you change your health service provider

If you want access to your health information because you are changing to another health service provider, your current health service provider might prefer to transfer your record to the new health service provider rather than giving you the information directly.

If your doctor has retired or died

Whether a doctor is required to retain patient records depends on the law in the relevant state or territory. For example, in the ACT, NSW and Victoria, privacy law requires a health service provider to keep records for 7 years or, in the case of a child, until the child turns 25. For more information about state and territory privacy laws, see Privacy in Your State.

If a doctor is part of a larger practice and has retired or died, the practice may retain the doctor’s records. Sometimes, when a doctor has died, the records will become the property of the executor of the doctor’s estate and the only way a patient can access the records is to locate the executor and seek a copy of the records. However, if the doctor used My Health Record you may be able to continue to access your medical records on My Health Record, even though the doctor has retired or died.

For more information about accessing your health information, see the Australian Privacy Principles, Chapter 12

If you’re not happy with a health service provider’s response, you can lodge a complaint with us.

Related pages

### Correct your health information ### Australian Privacy Principles guidelines

Did you find this helpful?

Yes

No Share Facebook Twitter Linkedin

Related changes

Favicon for www.oaic.gov.au Australian Privacy Rights, Consent to Personal Information
Routine Apr 23, 2026 Australia OAIC Privacy Determinations alt Data Privacy & Cybersecurity
Favicon for www.oaic.gov.au Access Your Australian Credit Report for Free Every Three Months
Routine Apr 23, 2026 Australia OAIC Privacy Determinations alt Data Privacy & Cybersecurity
Favicon for www.tga.gov.au Overseas-Registered Products Available for Cyclophosphamide and Ifosfamide Injection Shortages
Priority review Apr 23, 2026 TGA Australia Safety Alerts Consumer Protection

Get daily alerts for Australia OAIC Privacy Determinations alt

Daily digest delivered to your inbox.

Free. Unsubscribe anytime.

Source

Favicon for www.oaic.gov.au
Australia OAIC Privacy Determinations alt oaic.gov.au/privacy
Data Privacy & Cybersecurity

About this page

What is GovPing?

Every important government, regulator, and court update from around the world. One place. Real-time. Free. Our mission

What's from the agency?

Source document text, dates, docket IDs, and authority are extracted directly from OAIC.

What's AI-generated?

The summary, classification, recommended actions, deadlines, and penalty information are AI-generated from the original text and may contain errors. Always verify against the source document.

Last updated

Press inquiries →

Classification

Agency
OAIC
Instrument
Guidance
Branch
Executive
Legal weight
Non-binding
Stage
Final
Change scope
Minor

Who this affects

Applies to
Healthcare providers
Industry sector
6211 Healthcare Providers
Activity scope
Health information access Privacy rights
Geographic scope
Australia AU

Taxonomy

Primary area
Data Privacy
Operational domain
Regulatory Affairs
Topics
Healthcare

Browse Categories

Agriculture & Food Safety 77 AI Regulation 3 Banking & Finance 482 Consumer Protection 120 Courts & Legal 436 Data Privacy & Cybersecurity 123 Defense & National Security 53 Education 64 Energy 103 Environment 169 Gaming 2 Government & Legislation 461 Healthcare 15 Healthcare & Life Sciences 395 Immigration 10 Insurance 86 Labor & Employment 167 Pharma & Drug Safety 21 Professional Licensing 8 Real Estate & Housing 85 Securities & Markets 177 Tax 92 Telecom & Technology 48 Trade & Sanctions 151 Transportation 101

Get alerts for this source

We'll email you when Australia OAIC Privacy Determinations alt publishes new changes.

Free. Unsubscribe anytime.

You're subscribed!