Patient Confidentiality: Legal Obligations and Practical Actions for Doctors and Practices

03 September 2025

Key Takeaways

  • Patient confidentiality is both a legal obligation and an ethical duty for all doctors and medical practices.
  • Clear agreements on patient record ownership prevent disputes when doctors move practices.
  • Privacy compliance requires informed consent, secure storage, and careful disclosure of patient information.
  • With the rise of AI in healthcare, practices must review consent processes and update privacy policies.

In today’s digitised healthcare environment, managing patient confidentiality goes far beyond professional courtesy—it’s a legal requirement. For Queensland doctors and practice managers, privacy compliance is central to both protecting patients and safeguarding practices from significant legal and reputational risks.

This article breaks down key obligations under the Privacy Act and Australian Privacy Principles (APPs), while also providing practical steps you can take to strengthen compliance in your practice.

Who Owns Patient Records?

There is no universal rule on who owns patient records. Ownership usually rests with either the practice or the individual doctor, with the other party licensed to access them.

The safest approach is to make ownership clear in practice agreements from the outset. This avoids disputes, especially when a doctor departs and patients follow. Without clarity, both legal and financial risks can quickly escalate.

Collecting and Using Information

Health information is among the most sensitive personal data. Under the Privacy Act and APPs, patient details must be:

  • Collected fairly and lawfully
  • Obtained with informed consent (particularly sensitive health data)
  • Used only for the purpose it was collected

Practices must also take reasonable steps to protect patient information from misuse, unauthorised access, or disclosure. Training staff, restricting access, and maintaining strong cybersecurity protocols are essential safeguards.

When Disclosure is Permitted

Doctors and practices may disclose patient information only if:

  • It is directly related to the purpose of collection
  • The patient has consented
  • It is legally required
  • The patient would reasonably expect it

Extra caution is required when responding to requests from spouses, parents, or insurers. For overseas disclosures, patients must consent, or the receiving organisation must comply with Australian privacy standards.

Retention, Destruction, and Data Breaches

Patient records must be kept for:

  • Adults: At least seven years from the last consultation
  • Children: Until the patient turns 25

Once records are no longer needed, they must be securely destroyed or de-identified, with the process documented.

Healthcare is also the most frequently reported sector for data breaches in Australia, commonly caused by phishing, ransomware, or human error. Every practice should have a breach response plan that includes:

  • Containing the breach
  • Notifying affected patients
  • Assessing whether to notify the OAIC under the Notifiable Data Breach scheme

Third Parties, Consent, and AI

Confidentiality extends beyond doctors to reception staff, nurses, IT providers, and contractors. Practices should regularly review contracts with third-party providers, especially if data is stored offshore.

Informed consent remains central. Privacy policies must explain what data is collected, how it is used, whether it is stored overseas, and patients’ rights to access or correct information.

With AI tools increasingly used for transcription, scheduling, and diagnostics, new challenges arise. Practices should ensure AI systems comply with privacy obligations, disclose their use to patients, and update privacy policies accordingly. From 10 December 2026, practices must also disclose if automated decision-making is used via AI.

What to Do Now

To strengthen confidentiality compliance, practices should:

  • Review privacy policies and consent forms
  • Confirm patient record ownership in contracts
  • Audit third-party service providers
  • Train staff in privacy and cyber-awareness
  • Have a breach response plan in place
  • Review AI systems in use

Final Word

Confidentiality is at the heart of patient trust—and compliance is the legal foundation that supports it. By reviewing agreements, policies, and systems now, Queensland doctors and practices can protect their patients, avoid risk, and operate with confidence.

Need tailored advice? Hillhouse Legal Partners can assist with patient record ownership, privacy compliance, and AI use in your practice.