
Patient Access and Correction Procedure Template — APP 12 & APP 13

Step-by-step procedure for handling patient requests under APP 12 (access) and APP 13 (correction). Covers recognising a request, identity verification, treating clinician review, the 30-day response window, refusal grounds, statement-of-correction handling, fee rules, special situations (children, deceased, family violence) and a printable patient request form.

Privacy Act 1988 · Australian Privacy Principles · Health Records and Information Privacy Act 2002 (NSW) · 7 pages, Word format

This template is available on a paid plan

Subscribe to ClinicComply to download the Patient Access and Correction Procedure template and access all policy templates.


What's in this template?

This Patient Access and Correction Procedure template gives Australian healthcare practices the operational document required to handle requests under Australian Privacy Principles 12 and 13. It is built directly from the structure of the OAIC's APP Guidelines (Chapters 12 and 13) and the Guide to Health Privacy, then tailored for medical and allied health settings.

The template covers 12 sections plus a sign-off block and a printable request form:

  1. Purpose — links the procedure to APP 12 and APP 13
  2. Recognising a request — phrases that trigger access or correction obligations
  3. Roles — Reception, Privacy Officer, treating clinician, Practice Manager
  4. Step-by-step access procedure — 6 steps from receipt to response
  5. Grounds for refusing or limiting access — APP 12.3 grounds with examples
  6. Step-by-step correction procedure — receive, assess, action, refuse
  7. Timeframes and fees — 7-day acknowledgement, 30-day decision, no charge for the request
  8. Special situations — children, family violence, deceased, insurers, employers
  9. Recording and reporting — privacy register entries
  10. Appendix A — Patient request form — printable intake form
  11. Related documents — full document set
  12. Approval and review — formal sign-off table

Editable placeholder fields

  • {{practice_name}}, {{practice_state}}
  • {{privacy_officer}}, {{privacy_officer_email}}, {{phone}}
  • {{access_fee}} — your standard production fee (no fee for the request itself)
  • {{review_date}}, {{next_review_date}}

Who needs this procedure?

Every Australian healthcare practice that holds patient information. APP 12 and APP 13 bind every APP entity, regardless of turnover. Patient access and correction requests are among the most common privacy interactions a practice will have, and a documented procedure is the OAIC's expected baseline.

That includes:

  • General practices of any size, including solo GPs
  • Specialist medical practices
  • Allied health practices (physiotherapy, podiatry, psychology, optometry, dental)
  • NDIS providers holding participant information
  • Pharmacies, pathology and diagnostic imaging providers
  • Aboriginal Community Controlled Health Organisations
  • Private hospitals, day surgeries and aged care providers

The most common audit finding is that reception staff don't recognise an access request when the patient does not use those words. The procedure section "Recognising a request" addresses that directly.

APP 12 and APP 13 at a glance

APP 12 gives an individual a right of access to the personal information held about them by an APP entity. Access must generally be provided within 30 days, in the manner requested where reasonable, with no charge for the request itself (cost-recovery for production is permitted). Access may only be refused on the limited grounds in APP 12.3 (serious threat, unreasonable impact on others, frivolous, legal proceedings, and others — see section 5 of the template).

APP 13 gives an individual the right to seek correction of personal information held about them. Where the practice agrees, the correction is made and (if requested) third parties to whom the information has been disclosed are notified. Where the practice refuses, the patient may attach a statement of correction that must be made apparent to anyone reading the record.

Privacy Act requirement

Failure to comply with APP 12 or APP 13 is one of the most common subjects of OAIC complaints. After the 2022 Privacy Act amendments, penalties for serious or repeated breaches can reach $50 million. Accreditors also look for a documented procedure — RACGP Criterion C6.3 explicitly references patient access to records.

State health records legislation in NSW (HRIPA), Victoria (HRA) and the ACT (HRPPA) imposes additional access and correction obligations, often with shorter timeframes than the 30 days under APP 12. The procedure template defaults to whichever timeframe is shorter / more favourable to the patient.

How to customise this template

  1. Download the Word document and replace every {{placeholder}} with your details
  2. Set your standard production fee — note that no charge can be made for the request itself; only reasonable cost-recovery for copying and postage
  3. Confirm timeframes for your state — NSW HRIPA and Vic HRA may impose shorter access timeframes than APP 12
  4. Train reception staff to recognise an access or correction request even when the patient does not use those words
  5. Print Appendix A as the standard intake form for any patient request
  6. File the privacy register with the Privacy Officer — log every request and its outcome
  7. Have it approved by the Privacy Officer and practice owner and signed in the approval table

Related templates and tools

This procedure is the operational document for APP 12 and APP 13. Pair it with:

  • Privacy Management Plan — APP 1.2 governance backbone
  • Privacy Policy — patient-facing statement of access and correction rights
  • Patient Data Collection Notice — points patients to this procedure
  • Data Breach Response Plan — if information is released to the wrong person
  • Health Records Management Policy — clinical record lifecycle

Frequently asked questions

What is APP 12 and how does it apply to medical records?

APP 12 of the Privacy Act 1988 gives individuals a right of access to personal information held about them by an APP entity. For medical practices, this means patients have a right to access their clinical records. Access must be provided within 30 days, in the manner requested where reasonable, with no charge for the request itself. Access may only be refused on limited grounds.

How quickly do we have to respond to an access request?

The Privacy Act requires the entity to respond within 30 days. State legislation (NSW HRIPA, Vic HRA, ACT HRPPA) may impose shorter timeframes. The template defaults to acknowledging within 7 days and deciding within 30 days, which complies with both the Privacy Act and the state statutes.

Can we charge a fee for record access?

No fee can be charged for the access request itself. Reasonable cost-recovery fees are permitted for the production of the records (copying, postage, secure file transfer). The fee must be disclosed in advance, must not be excessive, and cannot be a barrier to the right of access. NSW HRIPA caps the fee at the cost of production.

When can we refuse to release a record?

APP 12.3 lists the grounds for refusal: serious threat to life, health or safety; unreasonable impact on the privacy of others; frivolous or vexatious requests; existing or anticipated legal proceedings; prejudice to negotiations; prejudice to law enforcement; and commercially confidential evaluative material. Where access would pose a serious threat, the practice must offer access through an agreed intermediary (e.g., another doctor) before refusing outright.

What if the patient wants information about another person changed?

A patient cannot request correction of information about another person held in their record (e.g., family history mentioning a relative). APP 13 only applies to information about the requesting individual. Where third-party information is embedded in the record, the procedure addresses redaction at section 4 step 4.

Can a parent access a child's medical records?

Generally yes for young children, but the answer depends on the child's age, capacity and circumstances. A Gillick-competent child can object to a parent's access. Where there is family violence or court orders, special caution applies. The treating clinician makes the call and the decision is documented. The template's section 8 ("Special situations") addresses this directly.

What happens after a patient is deceased?

The Privacy Act does not apply to deceased persons. State health records legislation often does — NSW HRIPA, for example, allows access by the executor or personal representative. The practice releases on evidence of authority (Grant of Probate, Letters of Administration, executor evidence). The template covers deceased-patient requests at section 8.
