Privacy fact sheet X
How you can access or correct your health information
Month 2015
ThePrivacy Act 1988(Privacy Act) protects your personal information. Personal information is information or an opinion that identifies you or could identify you, and includes information about your health. This fact sheet outlines what you need to know about accessing health information your health service provider holds about you, and asking for corrections to that information.
What is health information
Health information is any information about your health or a disability, as well as any other personal information collected while you are receiving a health service. Health information is a type of sensitive information under the Privacy Act. For specific examples of health information, seeFact sheet: Privacy and your health information.
Accessing your health information
Can I access my health information?
Generally, under the Privacy Act, when you ask your health service provider (provider) for access to your health information, they must give you access to that information.
However, there are some situations where they can refuse your request. More information is provided below.
Form of access
Your provider should generally give you access to your health information in the way you request. For example, you may ask for copies of your health information or ask only to view the information.
However, if the way you want to access your health information is unreasonable or not practical, the provider can decide to give you access to your health information in a different way.
For example, it may not be practical for the provider to give you hard copies of your entire electronically held medical record. Rather, the provider may decide to give you this information electronically, such as on a disc or USB stick.
When can my provider refuse my request to access my health information?
Your provider can refuse to give you access to your health information in particular situations. These situations include:
- where your provider reasonably believes giving you access would pose a serious threat to the life, health or safety of the public or any individual (including you)
- where giving access would unreasonably impact upon another individual’s privacy
- where your provider is allowed or required to refuse you access because of a law or court/tribunal order.
Chapter 12 of the OAIC’s APP Guidelinesprovides more detailed information about situations where your provider can refuse your request for access.
What happens if my provider refuses my request for access or form of access?
Generally, your provider is required to give you a written notice that tells you why they have refused to give you access and how you can complain about their refusal.
Provider still to take steps to give you access
Where your provider is allowed to refuse your request for access, or form of access, they must still attempt to give you access to your health information in a way that meets both your needs and their needs.
For example, there may be a situation where your provider refuses you access to their notes about your health because they are concerned the information may be misunderstood and giving you access may pose a serious threat to your health or safety. Your provider could instead consider giving you a summary of the information or allowing another person who you and your provider agree on to access the information on your behalf.
Correcting your health information
Can I ask that my health information is corrected?
Providers have to take reasonable steps to correct health information they hold to make sure it is accurate, complete, up-to-date, relevant and not misleading for the purposes for which they are holding it.
You can ask your provider to correct health information they hold about you.
Notifying others about corrections
If your provider corrects your information, you can also ask that they notify others to which they have previously given the incorrect information, about the corrections.
When can my provider refuse to correct my health information?
Your provider can refuse your request where they are satisfied that the information you have asked to be corrected is accurate, up-to-date, complete, relevant and not misleading.
You should remember that a record can still be considered correct where you do not agree with the information. For example, your provider may have diagnosed you with a particular condition during a previous appointment and recorded their diagnosis on your medical record. You may disagree with your provider’s diagnosis and ask that they correct the information. However, as your medical record may be needed to provide an accurate history of your interactions with your provider, your provider may refuse your request because they believe the information correctly details their opinion or initial diagnosis.
Your provider can also refuse your request where it is not practical or lawful for them to change your health information as you ask. For example, if you ask your GP to delete particular health information from your medical record, they may not be able to do so because of their professional record-keeping obligations.
What happens if my provider refuses to correct my health information?
Generally, your provider is required to give you a written notice that includes information about their refusal reasons and how you can complain about their refusal.
Associating a statement
If your provider refuses your correction request you can ask them to include a statement with your health information, stating that you think the information is incorrect.
Process for access and correction requests
How do I make a request to access or correct my health information?
Your request to access or correct your health information should be made to the provider who holds that information.
There are no set rules about how you should make your request. However, in some situations it may be reasonable for the provider to ask you to make your request in a particular way. For example:
- you may need to provide proof of identity before getting access to your health information
- if you are asking for a large number of corrections to your health information, you may need to make your request in writing.
Your provider’s privacy policy should set out how they prefer you to make an access or correction request.
How long does my provider have to respond to my request?
Your provider must either grant or refuse your request for access or correction within a reasonable time from when you made your request.
Generally, this means your provider should deal with your request within 30 days. However, this will depend on the situation. For example, requests about health information your provider has archived in a secure off-site storage area may take longer to respond to than requests about electronically stored information.
How much does it cost to access or correct my health information?
Making a request
You do not have to pay any fee to ask for access to, or correction of, your health information from your provider.
Associating a statement
You do not have to pay any fee to have your provider include a statement with health information you think is incorrect.
Access charges
Your provider can charge you a fee for giving you access to your health information. For example, your provider can charge for the costs of staff retrieving your health information or postage and photocopying costs.
However, any charges must not be excessive. Whether an access charge is excessive depends on a number of things such as the size and functions of your provider’s organisation and the type and quantity of personal information it holds.
Examples of excessive charges may be ones that include:
- the cost of legal advice your provider obtained regarding your request for access
- the cost of staff retrieving your health information charged at the level of a medical health professional rather than administrative staff.
State and Territory laws on access and correction of health information
You may also have a right under State or Territory law to access and correct your health information held by some private sector health service providers.
Any health information that is held by State or Territory authorities (such as public hospitals) is not covered by thePrivacy Act 1988.
You can visit our website for more information about relevantState or Territory laws.
How can you complain?
You can make a complaint if you believe a provider has not handled your health information properly under the APPs.
You should first make a complaint to the relevant provider and give them an adequate opportunity to deal with the complaint. Depending on the situation, you should generally allow your provider at least 30 days to respond to your complaint.
A provider cannot charge you for making a complaint and their privacy policy must detail how you may complain to them and how they will deal with your complaint.
If you are not satisfied with a provider’s response to your complaint, you may then complain to us. For more information about our process, please refer to the OAIC’sprivacy complaintswebpage.
The information provided in this resource is of a general nature. It is not a substitute for legal advice.
For further information
telephone: 1300 363 992
email:
write: GPO Box 5218, Sydney NSW 2001
Or visit our website at
Privacy fact sheet X: How you can access or correct your health information1