Managing Medical Records: Privacy Pitfalls in Record Digitisation

16 Nov 2025

Managing medical records - particularly when transitioning from physical to digital formats - requires careful attention to privacy and security. A recent determination by the Office of the Australian Information Commissioner (OAIC) underscores key obligations under the Privacy Act 1988 (Cth) (Privacy Act) and Australian Privacy Principles (APP), specifically APP 11 which governs the security of personal information.

Background to the complaint

The complainant was a patient of a Queensland psychiatrist (the respondent) from 2016 to 2019. On referral, the complainant’s former psychiatrist personally delivered over 20 years of handwritten medical records to the respondent. 

In 2021, the complainant made several requests for access to these records. The respondent advised they were secure but needed to be located in the midst of office renovations and a broader medical record digitisation process. By December 2021, the respondent informed the complainant that the historical medical records provided by the former psychiatrist did not form part of the complainant’s newly created digital file and had been destroyed by a third-party shredding service. The complainant then lodged a complaint with the OAIC.

Despite the respondent’s assertion that the historical medical records were unsolicited, unrelated to his treatment of the complainant and inadvertently securely destroyed, the OAIC found that the practitioner failed to take all reasonable steps to safeguard the complainant’s personal information. This constituted a breach of APP 11.1 and an interference with the complainant’s privacy.

Security obligations under APP 11

APP 11 requires regulated entities to take “reasonable steps” to protect personal information collected from misuse, interference, loss, and unauthorised access, modification, or disclosure. The Commissioner clarified:

The respondent outlined multiple measures taken to protect the complainant’s personal information, including:

  • storing old hard copy records relating to existing patients in secure fire-resistant cabinets;
  • transitioning the paper-based practice to password-protected electronic files to reduce reliance on hard copy records;
  • securely destroying hard copy records through a third-party provider; and
  • implementing a “clean desk” policy to ensure unused files were locked away.

In assessing whether these steps were reasonable, the OAIC considered the:

  • nature of the entity - the respondent was a sole practitioner, not a large or well-resourced entity;
  • personal information held - the respondent held health information, which is considered sensitive information under the Privacy Act and subject to a higher level of protection;
  • possible adverse consequences - the OAIC found there to be a significant risk of adversity in mishandling such records, including the risk of exacerbating existing medical conditions and jeopardising the ability of the complainant to receive future treatment.

OAIC’s Determination

The OAIC found that the respondent should have taken further steps to protect the complainant’s personal information, including notifying the complainant prior to destroying the historical records and providing an opportunity for the files to be collected.

More generally, the OAIC noted that it would not have been unreasonably burdensome for the respondent during its digitisation process to implement a documented procedure for the retention and destruction of medical records, ensure proper processes were in place for reviewing files prior to destruction and to maintain a register of medical records citing the reasons for destruction.

The respondent was found to have interfered with the complainant’s privacy and was required to:

  • implement a documented procedure under APP 11 for protecting personal information in hard copy records within 90 days;
  • pay the complainant $7,500 for non-economic loss within 30 days;
  • provide the complainant access to their digital patient file (in accordance with APP 12 relating to access to personal information); and
  • notify the OAIC within 7 days of completing each of the above steps, including providing a copy of the APP 11 procedure.

Privacy is a process, not a checkbox

This determination offers several lessons for medical professionals and other regulated entities:

  • Sensitivity matters: health information demands heightened care due to its risk of adverse consequences. Safeguards should not only be maintained but ideally strengthened when transitioning systems.
  • Small scale is no excuse: sole practitioners are still expected to meet the standards of the Privacy Act. Whilst size and scale are factors considered when determining what measures are ‘reasonable’, they are unlikely to justify non-compliance with obligations.
  • Documentation is critical: even well-meaning actions, such as the digitisation of records, can result in breaches if not backed by documentation. Policies and registers are not just administrative - they’re protective mechanisms.

This determination reinforces that privacy compliance is not a one-off task but an ongoing process. As digitisation becomes the norm, robust policies and proactive procedures are essential to safeguard sensitive patient information and avoid regulatory breaches.

This article was written by Ariel Bastian, Senior Associate Corporate Commercial, Anna Kosterich, Restricted Practitioner Corporate Commercial, and Karen Fong, Associate Corporate Commercial.