
Anthony Mennillo

Claims & Legal Services, MIGA

Some medical practitioners store archived hard copy medical records in a shed, usually locked. A 2014 decision of the Australian Privacy Commissioner indicates that this practice needs to be reconsidered.

The Facts

A GP practice stored hard copy medical records in a locked shed at the back of the premises. The practice moved to an alternative site but still owned and controlled the previous premises. The boxes in the shed contained medical records including progress notes, specialist correspondence, results of medical investigations, discharge summaries, staff pay records, Medicare vouchers, paid invoices and accounts to third parties such as WorkCover. There were approximately 960 patient records stored in the shed, mainly those of inactive patients of the practice. For current patients, the hard copy records had been scanned into the new electronic record held and controlled at the new premises.

The shed was broken into and the medical records interfered with.

The Australian Privacy Commissioner conducted an “own motion” investigation into the incident.

The Privacy Commissioner’s Findings

The Privacy Commissioner found that the practice had breached its obligations under the Privacy Act 1988 (Cth) (“the Act”) in a number of ways:

  1. Security of Personal Information

     Organisations are required to take reasonable steps to protect the personal information they hold from unauthorised access, use and loss.

     In considering whether the practice had taken reasonable steps to keep information secure, the Commissioner had regard to the:

     • sensitivity of the personal information handled; and
     • likely impact in the event that the personal information was compromised.

     As the information was health information, and therefore “sensitive information” for the purposes of the Act, it is afforded a higher level of privacy protection under the Act than other personal information.

     The Commissioner found that more stringent steps were required of the practice to keep this information secure than may be required of organisations that do not handle sensitive information.

  2. Storage of Records Generally

     Even though the garden shed door was locked with three padlocks, the Privacy Commissioner found that the practice did not take reasonable steps in relation to the security of the personal information.

     Importantly, the Commissioner did not consider there to be any circumstances in which it would be reasonable to store health records, or any sensitive information, in a temporary structure such as a garden shed.

     In this particular case the Privacy Commissioner found the following to be exacerbating factors:

     • the shed was not located at the current premises, so the practice was not in a position to effectively monitor access to the shed; and
     • the practice did not identify or deal with the health records stored in the garden shed for a period of more than two years following its relocation to the new premises.

     The Commissioner found that the practice did not take reasonable steps to store the records securely.

  3. Secure Destruction or De-identification of Personal Information

     Organisations are required to take reasonable steps to destroy or permanently de-identify personal information that the organisation no longer requires.

     The Commissioner found that the practice did not demonstrate in this instance that it had systems in place to identify all personal information that was not being used or disclosed for a permitted purpose. The Commissioner also found that the majority of the records identified in the shed related to patients who had ceased to be active patients many years ago, which also indicated a failure by the practice to identify and securely destroy or de-identify personal information that was no longer being used or required.

The Privacy Commissioner’s recommendations

The Privacy Commissioner recommended during its investigation that the practice:

  • undertake a risk assessment with respect to its records management and privacy practices;
  • organise privacy training for all staff, including partners, doctors and other health professionals; and
  • develop the practice’s ‘data breach’ response plan to adequately reflect its obligations under the Act.

The practice was in the process of implementing these recommendations, in addition to reviewing its privacy policy generally.

    What this means for all private health service providers

    The Privacy Commissioner’s findings in relation to storage of hard copy medical records are far reaching, as many health service providers store records that are no longer required in this way.

    Importantly, legislation in some states and territories (NSW, Vic, ACT) creates a statutory obligation to retain records for 7 years from the date of the last consultation for adults, and for minors until they turn 25 years of age. There are also situations where continuing retention of medical records is warranted.1

    Given the Privacy Commissioner’s recommendations it may be an opportune time for health service providers generally to implement the recommendations of the Commissioner within their own practices, particularly storage and archiving protocols.

    Providing Medical Records at the request of a Court

    A common enquiry by doctors and midwives is about how to respond to Court documents requiring the production of patient medical records. Depending on which state or territory you practise in and the Court involved, the documents will have various names such as Subpoena or Summons to Produce. There are also requests from the Coroner for such information. Not all jurisdictions have a specific form, so if there is any doubt the validity of the document should be checked. Because these requests are compulsory, patient consent is not required.

    It is vitally important that all the documents requested by the Court are provided to the Court. It can be awkward for the practitioner, if questioned about the medical records, to find that various documents from the patient record have not been provided to the Court. There can be serious consequences for not complying with the request.

    How should I approach these requests?

    Read the document carefully.  The request will detail the information to be provided. It is important to review and understand the scope of the request and that only the documents that are within the scope of the request are provided (eg the request may be limited to a specific injury or time period). It is important that all the documents requested are provided.

    Often administrative staff are left the unenviable job of compiling the documents to be provided and sending them to the Court.

    It is important that the patient’s regular doctor at the clinic reviews the request and the responding documents before they are sent to the Court. The doctor is ultimately responsible for compliance.

    What documents form part of the medical record?

    • All the progress notes (eg records of consultations, investigation findings, certificates, forms)
    • All correspondence (except medico-legal documents discussed below)

    The Court document will usually advise whether the original records are required or whether a copy will suffice. Now that the majority of records are kept electronically, a printout from the relevant medical records program will be sufficient, subject to the matters raised below.

    What documents are often overlooked and may need to be provided?

    • Hard copy records
    • Faxes
    • SMS and email correspondence
    • Archived medical records
    • Do you keep any records at home or in another location?

    Billing records and notes on message pads may also form part of the patient’s records but are not usually provided as a matter of course. If they are required, they will usually be specifically requested.

    What documents require careful consideration?

    • Medico-legal correspondence - if correspondence is received by or sent to solicitors then the documents may be subject to legal professional privilege
    • Do the medical records contain notes detailing the counselling provided to the patient in relation to sexual abuse? If so, they may be protected communications. There are various restrictions on access to counselling communications. Also, do the records contain ‘sensitive’ information about the patient or a third party (e.g. husband or wife)?

    If the requested records contain any of the above type of information, we recommend you contact your medical indemnity insurer to obtain specific advice on dealing with these records.

    If you have any concerns about providing the records more generally, i.e. whether a claim or complaint may be made against you, contact your medical indemnity insurer.

    MIGA offers superior cover complemented by excellent medico-legal support 24/7. If you are not insured with us, give us a call to see if MIGA can offer you more value and better protection.

    At MIGA, we are always on your side!

    DISCLAIMER: Insurance policies available through MIGA are issued by Medical Insurance Australia Pty Ltd. MIGA has not taken into account your personal objectives or situation. Before you make any decisions about our policies, please read our Product Disclosure Statement and Policy Wording and consider your own needs. Call MIGA for a copy on 1800 777 156 or visit our website at The information contained in this document is of a general nature only and does not purport to take into account, or be relevant to your personal circumstances. This information is not intended to be nor should it be relied upon as a legal or any other type of professional advice.


    1. See MIGA’s health records resource -


    The Private Practice Magazine

    Practice, financial and lifestyle management insights relating to medical professionals
