Loading article
What gets documented, who can see it, and how patient access rights work.

In this article
Medical information only. This article is for general information and does not constitute medical advice. Treatment decisions are made by an AHPRA-registered doctor after reviewing your circumstances.
Review
InstantMed Clinical Team
Clinical governance review for guide content
Updated
7 July 2026
General information only, not personal medical advice.
A telehealth consultation should create a medical record. That record is not a marketing file, a simple booking note, or a customer-support ticket. It is the clinical trail showing what information was provided, what the doctor considered, what advice or outcome followed, and what should happen next.
For patients, the record matters for two reasons. First, it protects continuity of care. A later doctor needs to understand what was assessed and what was not. Second, it protects privacy. Health information is sensitive information, so it should be collected for a clear purpose, handled securely, shared only where appropriate, retained under the right rules, and made available for access or correction where the law allows.
A medical record is the professional account of the consultation. In telehealth, it may be created from a form, secure messages, a phone or video consultation, uploaded documents, file notes, clinical templates, eScript details, certificate details, or follow-up communications.
The important point is not the format. The important point is whether the record is clear enough to explain the clinical decision later.
| Record purpose | Why it matters | What it should avoid |
|---|---|---|
| Continuity of care | Another clinician can understand the problem, context, advice, and follow-up | Isolated notes that only state the final outcome |
| Clinical safety | Red flags, contraindications, uncertainty, and escalation advice are visible | Hiding risk factors because the consultation was online |
| Patient rights | The patient can request access or correction through a real process | Treating clinical notes as unreachable internal material |
| Privacy and accountability | Access, sharing, and retention can be governed properly | Casual copying, unnecessary uploads, or broad staff access |
| Complaints and review | A concern can be assessed against what happened at the time | Reconstructing decisions from memory after the fact |
This applies even when a consultation is simple. A short record can still be a good record if it captures the relevant history, assessment, advice, decision, and follow-up.
The Medical Board of Australia's code of conduct says maintaining clear and accurate medical records is essential for continuing good care. It describes records as needing to be accurate, up to date, legible, and sufficient to facilitate continuity of care.
In practice, a telehealth record commonly needs to capture:
| Record element | Telehealth examples | Why it matters |
|---|---|---|
| Patient-provided history | Symptoms, timing, severity, medicines, allergies, medical history, pregnancy or breastfeeding status where relevant | The doctor can only assess the information available at the time |
| Mode and consent | Form answers, secure messages, phone, video, identity checks, consent to remote care | Shows how the consultation occurred and what limits were explained |
| Clinical assessment | Suitability for telehealth, reasoning, risk factors, red flags, missing information | Separates a clinical decision from an automated form result |
| Advice and safety-netting | Self-care advice, warning signs, when to seek local or urgent care | Makes the next step clear if symptoms change |
| Outcome | Certificate, prescription, referral, decline, request for more information, or no treatment | Explains what was done and why |
| Follow-up and sharing | Usual GP summary, pharmacy or pathology pathway, review timing, complaint or correction route | Reduces fragmentation across services |
Good telehealth record-keeping does not mean broad sharing. It means the right information is available to the right person for the right purpose.
A doctor involved in the consultation may need the full clinical context. Support staff may need narrower information for identity follow-up, delivery issues, refunds, technical help, or complaint handling. A pharmacy may need valid prescription information. A usual GP may receive a summary if that is part of the care plan and the patient agrees or the disclosure is otherwise lawful.
Other people sit outside that care boundary. An employer may be given a certificate or other document the patient chooses to provide, but that is different from the clinical record. A family member should not become the default contact unless the patient has authorised that arrangement. An insurer, workplace, school, or third-party app should not receive sensitive clinical detail just because it is convenient.
| Person or organisation | Usually appropriate? | Boundary to check |
|---|---|---|
| Treating doctor | Yes | Access should relate to the consultation or follow-up care |
| Support staff | Sometimes | Access should be limited to the job being done |
| Usual GP | Often useful | Ask whether a summary will be sent and what it includes |
| Pharmacy or pathology provider | Sometimes | Only the information needed for the prescription, test, or referral pathway |
| Employer | Usually no clinical record | A certificate is not the same as the provider's medical note |
| Family member | Only with authority | Make contact details and consent explicit |
| My Health Record | Separate system | Ask whether anything will be uploaded or viewed |
Patients can usually request access to health information held by a healthcare provider. The OAIC explains that a provider should respond within a reasonable period, generally 30 days, and that patients can ask for access in a particular form. There are exceptions, but refusal should not be unexplained.
You can also ask for a correction if health information is inaccurate, out of date, incomplete, irrelevant, or misleading. Correction does not always mean deleting the original clinical note. Sometimes it means adding an amendment or note so the record is accurate and complete without erasing what was recorded at the time.
Practical steps:
Medical records are not normally deleted immediately after a consultation. Providers may need to retain them for legal, clinical, professional, insurance, audit, complaint, or continuity-of-care reasons.
The risky mistake is to state one retention period as if it applies to every Australian telehealth record. RACGP guidance notes that some state and territory laws set specific retention periods. For example, ACT, NSW, and Victoria requirements include keeping adult records for seven years from the last service and records for children and young people until age 25. Other contexts can have different rules, and unresolved complaints or legal matters can affect retention.
Sharing boundary
The clinical record, a patient document, a GP summary, and My Health Record are different sharing pathways.
| Retention question | Practical meaning for patients |
|---|---|
| How long is the record kept? | Ask the provider for the retention policy that applies to your record and jurisdiction |
| Can I request deletion? | You can ask, but retention duties may mean the provider cannot delete the clinical record immediately |
| What happens after the retention period? | Information should be securely destroyed or de-identified when it is no longer needed and lawful to keep |
| Are downloaded documents included? | PDFs, certificates, eScript messages, uploaded images, and email attachments may create extra privacy risks |
| What if there is a complaint? | Records may need to be kept until the complaint, claim, or investigation is resolved |
Secure disposal matters as much as secure storage. If records are no longer needed and the law does not require retention, the provider should take reasonable steps to destroy or de-identify the information. Patients should also clean up copies on shared devices, email inboxes, downloads folders, and cloud drives.
My Health Record is Australia's national shared digital health record system. It is not the same as the telehealth provider's own medical record.
The Australian Digital Health Agency explains that patients can manage privacy and access settings in My Health Record, including seeing who has accessed the record, restricting access to documents, and changing access controls. That does not mean every telehealth consultation automatically appears there.
| System | What it may contain | What to ask or check |
|---|---|---|
| Telehealth provider record | Consultation notes, form answers, messages, uploaded files, clinical reasoning, outcome, follow-up | How can I access or correct it? Who can view it? How long is it retained? |
| My Health Record | Shared health documents from connected healthcare providers and government health systems | Will anything be uploaded or viewed? What access settings have I chosen? |
| Patient copies | Certificates, eScripts, referrals, screenshots, photos, PDFs, email attachments | Is this stored on a shared device or account? Do I still need it? |
If continuity of care matters, ask how information will be shared with your usual GP. A concise clinical summary can be more useful than assuming every system will automatically stay in sync.
A record is only useful if it is accurate, available, and connected to the next step. Before relying on a telehealth consultation for ongoing care, check the basics.
Decision guide
A good medical record supports care, but it does not replace care. If symptoms change, a record from an earlier online consultation may be out of date. If a problem needs examination, vital signs, imaging, pathology, wound assessment, or urgent observation, the safest next step may be local or emergency care rather than trying to solve the issue by editing the old record.
Retention and rights
Keeping, securing, accessing, correcting, and disposing of records are separate steps.
Patients and providers can both create avoidable record problems.
Common patient-side mistakes include using someone else's email or phone number, sending sensitive documents through ordinary email when a secure upload is available, leaving downloaded certificates or scripts on shared computers, uploading more documents than requested, or forgetting to tell a usual GP about an online consultation that affects ongoing care.
Common service-side problems include vague privacy policies, no clear records contact, unsupported deletion promises, broad support-staff access, missing safety-netting advice, unclear GP-sharing processes, and records that only document the outcome without the clinical reasoning.
The goal is not to make every record long. The goal is to make it clear enough that the patient, the treating doctor, and any future clinician can understand what happened.
Does a telehealth consultation create a medical record?
Yes. A telehealth consultation should create a clinical record just like an in-person consultation. The record may include the information you provided, the doctor's assessment, advice, outcome, prescriptions or certificates where relevant, follow-up instructions, and consent or communication history.
Can my employer see my telehealth medical record?
No, not without a lawful basis or your consent. An employer may see a certificate or document you choose to provide, but that is different from the provider's clinical record. The clinical record should not be sent to an employer just because the consultation related to work.
How long are telehealth records kept in Australia?
Retention rules depend on the provider, record type, and state or territory law. Some jurisdictions set minimum periods such as seven years from the last service for adult records and longer rules for records created for children or young people. Ask the provider for its retention policy if timing matters.
Can I ask for a copy or correction of my telehealth record?
Usually yes. The OAIC explains that patients can request access to health information held by a provider and can ask for incorrect information to be corrected. Providers can refuse in limited circumstances, but they should explain the reason and complaint options.
Is My Health Record the same as the telehealth provider's own record?
No. My Health Record is the national shared digital health record system. A telehealth provider may also keep its own clinical record. Not every telehealth consultation is automatically uploaded to My Health Record, and patients can manage access settings within My Health Record.
Yes. A telehealth consultation should create a clinical record just like an in-person consultation. The record may include the information you provided, the doctor's assessment, advice, outcome, prescriptions or certificates where relevant, follow-up instructions, and consent or communication history.
No, not without a lawful basis or your consent. An employer may see a certificate or document you choose to provide, but that is different from the provider's clinical record. The clinical record should not be sent to an employer just because the consultation related to work.
Retention rules depend on the provider, record type, and state or territory law. Some jurisdictions set minimum periods such as seven years from the last service for adult records and longer rules for records created for children or young people. Ask the provider for its retention policy if timing matters.
Usually yes. The OAIC explains that patients can request access to health information held by a provider and can ask for incorrect information to be corrected. Providers can refuse in limited circumstances, but they should explain the reason and complaint options.
No. My Health Record is the national shared digital health record system. A telehealth provider may also keep its own clinical record. Not every telehealth consultation is automatically uploaded to My Health Record, and patients can manage access settings within My Health Record.
InstantMed Medical Team

Telehealth privacy depends on law, clinical governance, security controls, and patient-side habits. Learn what to check before sharing health information with an online doctor service in Australia.

Telehealth can be safe when the service is regulated, the doctor has enough information, and there is a clear path to in-person or urgent care when remote review is not enough.

Telehealth safety screening is the clinical filter that decides whether remote care is suitable. It checks symptoms, red flags, medical history, medicines, identity, privacy, and escalation needs before an online outcome is given.