When should all information be entered in the patients medical record?

An event summary captures key health information about significant healthcare events that are relevant to the ongoing care of an individual.

An event summary may be used to indicate a clinical intervention, improvement in a condition or that a treatment has been started or completed.

An event summary may contain:

• allergies and adverse reactions
• medicines
• diagnoses
• interventions
• immunisations
• diagnostic investigations.

View example of an event summary

Who can create an event summary?

Any healthcare provider at any participating healthcare organisation that has a Healthcare Provider Identifier - Individual (HPI-I) – such as an after-hours GP clinic, hospital, community pharmacy or an allied health organisation - can upload an event summary to an individual's My Health Record (if they have clinical software with this functionality).

What is the difference between a shared health summary and an event summary?

For regular patients, a GP, Registered Nurse or Aboriginal and Torres Strait Islander health practitioner is likely to create or update a shared health summary to give a holistic picture of an individual's health at a point in time.

The event summary is intended for use by healthcare providers who are not the patient's regular healthcare provider (i.e. not their regular medical practitioner, Registered Nurse or Aboriginal and Torres Strait Islander health practitioner), to give information about a patient's significant healthcare events (for example receiving travel immunisations) or to indicate a change in their health status (for example the end of wound management).

The types of events recorded in an event summary will vary, and across healthcare sectors there will be different common scenarios. Some examples of what an event summary could be used for include:

Travelling/transient patients

Offering to upload an event summary for a holidaying patient or an individual on the move means less reliance on the patient's memory of the event when they return to their regular provider, which could affect any future care provided to the patient.

Patient receiving an after-hours medical service

In a situation where a patient is not visiting their regular GP (e.g. at the weekend or over a public holiday) but the healthcare event and diagnosis are significant, it may be useful for the healthcare provider to upload an event summary. The diagnosis could be referenced by the patient, their regular GP and any future healthcare providers.

Patient receiving travel immunisations or a flu vaccine

This is information about a patient that is clinically relevant for other healthcare providers, but may not necessarily be administered by their regular provider. It may not trigger an update to the shared health summary - in which case an event summary could be used.

Patients receiving a service from a healthcare provider who are not authorised to upload a shared health summary

Event summaries can be completed by authorised healthcare providers who are not authorised to upload a shared health summary. This could be, for example, an Allied Health Professional who is wanting to share a summary of the consultation.

Do I need my patient's consent to upload an event summary?

No. The My Health Records Legislative framework authorises registered Healthcare Provider Organisations, involved in a patient's care, to upload clinical information. There is no requirement to obtain consent on each occasion prior to uploading clinical information. There is also no requirement for the patient to review the event summary before it is uploaded to their My Health Record.

The Australian Medical Association (AMA) states that it is good medical practice to advise a patient that you will be uploading information to their My Health Record, particularly if this information might be considered sensitive. See section 4.5 of the AMA's Guide to using the PCEHR.

Can I edit or delete an event summary once it is uploaded?

The author of a clinical document can delete a clinical document from the My Health Record system if, for instance, it has been uploaded in error or contains a mistake.

An event summary cannot be edited once it is in the My Health Record system, however they can be superseded by a new version that replaces the original.

How do I create an event summary?

The information contained in an Event Summary should be in a format that can be understood by healthcare providers outside of your own organisation. It should describe and summarise the presentation of the event, the assessment made, and the action taken. As per standard practice, all clinically relevant information should be recorded and saved in the patient's local notes.

If you decide to create an event Summary, it should be one of the final tasks at the end of the consultation, after the healthcare provider has entered a progress note, updated medical history and made any changes to the patient's medication regime in the local record.

Each conformant software type has its own individual method for creating event summaries but document layout will be consistent across any software platform.

Healthcare providers can learn how to create and upload a Shared Health Summary to a patient’s My Health Record with the following:

The NSW Health Record and Information Privacy Act 2002 (HRIP Act) creates the right of individuals to access their health information from NSW health service providers, public sector agencies and private sector organisations that hold health information.

Access can be provided in several ways, such as providing:

• a copy of the record in electronic or paper format (or, in the case of extensive medical records, a summary of the key information in the record), or
• a reasonable opportunity to view the record and take notes.

Individuals can request access to their own health information[3], or to another individual’s health information if they present evidence of written consent from that individual.

Individuals can also request access to information about an individual who is incapable of making the request as their authorised representative, such as for children they have parental responsibility or guardianship for; or other individuals for whom they hold power of attorney.[4]

As a provider, you must ensure that the person requesting access to the health information has the right to do so. You may request proof of a person’s identity and, where relevant, evidence of parental authority, guardianship and power of attorney[5].

When will access not be granted?

There is a limited set of situations[6] where access may not be granted that is applicable to a private sector person.

These include situations where:

(a) Providing access would pose a serious threat to the individual’s health, or the health of others;

(b) Providing access would have an unreasonable impact on the privacy of others;

(c) The information requested relates to existing or anticipated legal proceedings between the individual and the provider;

(d) Providing access would reveal the intentions in relation to negotiations, other than about the provision of a health service, with the individual in such a way as to expose the provider unreasonably to disadvantage;

(e) Providing access is unlawful;

(f) Denying access is required or authorised by or under law;

(g) Providing access would likely prejudice an investigation;

(h) Providing access would likely prejudice a law enforcement function;

(i) A law enforcement agency performing a lawful security function asks a private sector person not to provide access on the basis that the access would cause damage to the security of Australia;

(j) The request has been made unsuccessfully on at least one previous occasion and there are no reasonable grounds for making the request again;

(k) There have been repeated, unreasonable requests for information to which access has already been given.

Law enforcement agencies or court orders may also prevent you from providing access.

Valid requests should be granted access in all other situations.

In considering requests for access to information under the HRIP Act, public sector agencies should also be aware of section 22 of the HRIP with regard to the provisions of the Government Information (Public Access) Act 2009 that impose conditions or limitations.[7]

A request for access to health information should be:

• In writing
• Include the name and address of the person making the request
• Identify the health information that is requested
• State the form in which the information is requested

You are required to send a response even when it is appropriate not to grant access. The response should include a clear explanation of why access can’t be granted, with reference to the specific reason as contained in the HRIP Act.

It may be that access can be provided for parts of the information requested. In these cases, you should explain clearly why only partial access has been provided.

In sensitive cases, it may be beneficial for the response to be carefully worded and for the relevant clinicians to review it before it is sent to the individual.

How should I provide access?

Access should where possible be provided in the format requested by the individual. This will likely be as a document in a commonly-used format, such as a spreadsheet or PDF.

You do not have to grant individuals direct access to your systems. You should consider the privacy impacts of providing information and the requested format. You should never grant access to or provide the health information of any individual other than the one who is the subject of the request, except to an authorised representative or with written authority.

Depending on the size of the record, it may be appropriate to provide a summary, rather than the full medical record.

One of my patients is moving to a new practice. Do I need to give the new GP access to the patient’s record?

Records should be made available to ensure continuity of care for the patient, if the patient has provided consent for this transfer to occur. If the patient’s record is extensive it is acceptable to provide a summary of relevant information. The Royal Australian College of General Practitioners (RACGP) has published a guideline about the information that should be included in the transfer of care document, which can be found on the RACGP website.[8]

You should keep a record of the person and practice the information has been provided to and the date this occurred.

What is a reasonable timeframe to provide access?

The public sector is required to send a response within a reasonable timeframe. The IPC recommends a response should be provided within 28 calendar days of first receiving the request.

The HRIP Act requires that a response to a request for access must be given within 45 calendar days. This response must either be the granting of access to the requested information or a refusal to grant this access; any other communication about the request is not a response under the terms of the Act. If a response is not given within 45 calendar days it will be treated as if the request has been refused.

However, all access requests should be processed as quickly as possible.

What fees can I charge?

Under the HRIP Act access should be provided without excessive expense. Fees can be charged to cover the cost of providing access to a medical record, such as administration, photocopying and printing. This fee must not be excessive, and should consider the individual circumstances of the patient so it does not act as a barrier for the patient to access their record or to the continuity of health care. It is recommended that health providers be transparent with individuals about the fees involved with granting access and the way those fees have been calculated.

Once the requester has been notified that a fee is being charged and that access won’t be granted until that fee is paid, a private organisation can wait until 7 days after the fee has been paid to provide access, provided that this 7 days does not exceed 45 calendar days from when the request was received.

In circumstances where the individual has indicated that they would have difficulty in paying the fee, you may consider alternative pricing models, or else suggest providing access to a summary of the health information, which may carry a lower fee.

Information about the charges for providing access to health records within the NSW public health system can be found at: //www1.health.nsw.gov.au/pds/Pages/doc.aspx?dn=IB2019_036

Please note information on charges in the public health system is regularly updated.

Section 2.6 of The RACGP Guide – Privacy and Managing Health Information in General Practice provides advice on charging for providing access to health information for GPs. This can be found here.

What should I do if I receive a request for access to a medical record as part of a legal proceeding?

If a health care provider receives a subpoena or court order to produce medical records they are generally required to comply. Failure to produce the record may result in penalties or legal action. The RACGP has prepared advice on the information that should be provided to meet the requirement of a comprehensive medical record, which can be accessed on the RACGP website[9]. Medical Defence Organisations can provide advice on compliance with subpoenas or court orders if you have concerns about compliance.

Should I provide medical records if requested by an insurer?

You must obtain the consent of the patient before releasing any information to a third party, including insurers or Insurance and Care NSW (icare). You should ensure that the information disclosed is consistent with the consent provided.

Do parents always have a right to access their child’s records?

In most cases a parent who holds parental responsibility or guardianship may be able to access their child’s records.

You may ask the parent/guardian to provide evidence or authority of that arrangement before providing access.

However, between the ages of 14-16, young people may seek treatment without the knowledge of a parent or guardian, subject to the health care provider’s assessment of the young person’s capacity to understand the consequences of any proposed treatment. A similar assessment should be made in determining whether information can be disclosed to parents/guardians in situations where the young person has capacity to make independent decisions about their health care.

As stated above, you may request evidence of parental authority, or guardianship.

Can I provide information about a deceased patient to a family member?

Please refer to the IPC Fact Sheet on Access to a deceased person’s health information (currently under review). 

What am I required to do with my records if I close my Practice?

If you are closing your Practice you (or your representative) should make arrangements for records to be stored for the required statutory period, or transferred to another provider nominated by the patient.

Patient consent must be obtained before records are transferred to any other provider. If records are to be stored, reasonable steps must be taken to inform patients how they can locate and access their records, and to protect records from unauthorised access, modification or disclosure.

Advice on how to manage changes in Practice circumstances can be found at: //www.racgp.org.au/FSDEDEV/media/documents/Running%20a%20practice/Practice%20resources/Management%20toolkit/Closing-a-medical-practice.pdf.

Useful resources

Good medical practice: code of conduct for doctors in Australian which includes information about privacy, closing a practice and record keeping requirements:
//www.medicalboard.gov.au/codes-guidelines-policies/code-of-conduct.aspx

Patient access to health information:
//www.racgp.org.au/FSDEDEV/media/documents/Running%20a%20practice/Protecting%20practice%20information/Privacy-and-managing-health-information-in-general-practice.pdf

Fees and charging for access to health information:
//www1.health.nsw.gov.au/pds/Pages/doc.aspx?dn=IB2019_036

Guidelines on managing requests from third parties:
//www.racgp.org.au/download/Documents/e-health/managing-external-requests-for-patient-information.pdf

OAIC Guide to Health Privacy:
//www.oaic.gov.au/privacy/guidance-and-advice/guide-to-health-privacy/

IPC checklist for private sector providers (responding to a request for patient access):
//www.ipc.nsw.gov.au/media/2451

IPC checklist for public sector providers (responding to a request for patient access): //www.ipc.nsw.gov.au/sites/default/files/2020-01/Checklist_Public_sector_staff_responding_to_a_request_to_access_health_information_September_2019.pdf

For more information

Contact the Information and Privacy Commission NSW (IPC):

Freecall:           1800 472 679
Email:            
Website:           www.ipc.nsw.gov.au

Next review date: February 2022

NOTE: The information in this Fact Sheet is to be used as a guide only.
Legal advice should be sought in relation to individual circumstances.