Telehealth and Medical Record Keeping

Every time you use a telehealth service, a medical record is created. This is exactly the same as an in-person consultation — the doctor documents what you told them, what they assessed, and what they did about it. The difference is that your record now exists across multiple systems: your regular GP, the telehealth platform, potentially My Health Record, and wherever your prescriptions are dispensed.

Understanding how your health information is handled, stored, and shared is not just about privacy — it is about making sure your care is coordinated and that nothing falls through the cracks.

The Australian Privacy Act and Health Records

Health information in Australia is regulated primarily by the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Health information is classified as "sensitive information" under the Act, which means it receives a higher level of protection than general personal information. Any organisation that collects health information — including telehealth providers — must comply with these principles.

The key APPs relevant to telehealth records are:

• APP 3 (Collection) — health information can only be collected when it is reasonably necessary for the provider's function. A telehealth service can collect your symptoms, history, and contact details, but not information unrelated to your care.
• APP 5 (Notification) — the provider must tell you what information they are collecting, why, and who they might share it with. This is usually covered in the privacy policy and consent process.
• APP 6 (Use and Disclosure) — your health information can only be used for the purpose it was collected, or a directly related purpose you would reasonably expect. Sharing with your regular GP is a directly related purpose. Sharing with an insurer or employer without your consent is not.
• APP 8 (Cross-border Disclosure) — if a telehealth provider stores data overseas (for example, using US-based cloud servers), they must ensure the overseas recipient complies with the APPs. This is relevant for services using international cloud infrastructure.
• APP 11 (Security) — the provider must take reasonable steps to protect your health information from misuse, interference, loss, and unauthorised access. Encryption, access controls, and audit logging are standard measures.

What Gets Recorded in a Telehealth Consultation

• Your presenting complaint — what you told the doctor about your symptoms
• Relevant medical history — conditions, medications, allergies
• The doctor's clinical assessment and reasoning
• Any prescriptions issued, including eScript details
• Any certificates issued, including the reason for certification
• Advice given and any follow-up recommendations
• Consent records — what you agreed to and when

This documentation serves the same purpose as in-person records: continuity of care, medico-legal protection, and clinical quality. A doctor who does not document a telehealth consultation is not meeting their professional obligations.

My Health Record Integration

My Health Record is Australia's national digital health record system. Some telehealth providers upload consultation summaries and prescriptions to My Health Record, while others do not. If a provider does upload to your record, you will be able to see the information through the My Health Record portal or app. You have the right to control what appears on your My Health Record — you can set access controls, remove documents, and restrict which providers can see it.

Record Retention Periods

Australian law requires health records to be retained for minimum periods. These are not optional — they are legal requirements that apply to all healthcare providers, including telehealth services.

• Adult records — must be kept for at least 7 years from the date of last entry
• Records for patients under 18 — must be kept until the patient turns 25, or for 7 years from the date of last entry, whichever is longer
• Records relating to mental health treatment — some jurisdictions require longer retention
• Records involved in known complaints or legal proceedings — must be kept until the matter is resolved, regardless of other retention periods

After the retention period expires, the provider may destroy the records, but they are not required to. Many digital systems retain records indefinitely because the cost of storage is negligible.

Your Rights as a Patient

Under the APPs, you have several important rights regarding your health records:

• Access — you can request a copy of your health records at any time. The provider must respond within 30 days and can charge a reasonable fee for retrieval.
• Correction — if your records contain inaccurate, incomplete, or outdated information, you can request a correction. The provider must either make the correction or add a note explaining why they declined.
• Complaint — if you believe your health information has been mishandled, you can complain to the provider directly, to the Office of the Australian Information Commissioner (OAIC), or to the relevant state health complaints body.
• Consent withdrawal — you can withdraw consent for future collection or use of your information, though this may affect the provider's ability to deliver care.

Data Breach Obligations

Under the Notifiable Data Breaches scheme, any organisation covered by the Privacy Act must notify affected individuals and the OAIC if a data breach is likely to result in serious harm. For health information, the threshold for "serious harm" is lower than for other types of data — because health information is inherently sensitive. If a telehealth provider experiences a data breach involving your health records, they are legally required to tell you what happened, what information was involved, and what steps they are taking.

Sharing Records with Your Regular GP

One of the practical challenges of using multiple healthcare providers is fragmentation. Your regular GP may not know about a prescription issued via telehealth, or a condition you discussed with an online doctor. Most telehealth services offer to send a consultation summary to your nominated GP — and accepting this offer is generally a good idea. Continuity of care depends on your GP having a complete picture, and a telehealth consultation sitting in isolation helps nobody.