Management of Client Records Frequently Asked Questions
The Department of Health (the Department) is responsible for managing and administering the Australian Government Hearing Services Program (the program).
As specified in the Service Provider Contract (the contract), program client records are owned by the Commonwealth. Contracted Service Providers (providers) must manage, store, transfer and dispose of program client records in accordance with the contract, program legislation, the Archives Act 1983 (the Archives Act), the Privacy Act 1988 (the Privacy Act) and the Freedom of Information Act 1982 (the FOI Act).
Client personal and health information is sensitive information under the Privacy Act and the Australian Privacy Principles (APPs), and extra precautions are required in the management of this information.
These pages contain answers to frequently asked questions about the management of client records created and/or held by providers. The FAQs should be read in conjunction with the Management of Client Records factsheet.
What must I keep in the client record?
The client record must contain any documents created or received in the delivery of services to program clients. It must also show records and evidence of all services provided to program clients sufficient to justify any claims for payment for those services. A client record is not ‘complete’ unless it contains all relevant information. Please refer to the Hearing Services Program (Voucher) Instrument 2019 (the instrument), the definition of ‘Records’ in the contract, the Schedule of Service Items and Fees, and the Provider Factsheets for details of the record requirements for specific services.
When a client relocates to a new provider, or the record is requested by the department, it must include copies of any results and reports from systems such as NOAH, Simply Hearing or Fitting Wizard in a format that is accessible. If the client record is in paper format this means a printout of the documents; if it is in electronic format, a copy in PDF or another accessible format must be included. You may wish to add these to the client record immediately as they are produced, or add them when the client record is requested. You may be required to show evidence of a process that ensures complete client records are transferred.
What do ‘access’, ‘custody’ and ‘ownership’ mean?
Access is the right to view the information held in a client record. Access to a client record does not imply ‘custody’ or ‘ownership’ of that record. Custody is the right to physical possession of a client record. The right to custody of a client record usually includes the right of access, but does not imply ownership. The entity with custody of a client record is responsible for maintaining the record and ensuring it remains complete and accessible.
Ownership is the legal title to a client record, which includes the right to assign custody and access. Client records are Commonwealth records and are owned by the Commonwealth.
How long must I keep client records?
Clause 11.1(e) of the contract requires client records to be retained for a minimum of seven years from the date of the provider’s most recent interaction with the client. The date of the most recent interaction is the date of the last service provided to the client, the date of the last contact with the client, or the date you are notified that the client is deceased, whichever is latest. This is the ‘minimum retention period’.
What do I do with client records that are older than the minimum retention period?
Where all documents on a client record are older than the minimum retention period, client records may be destroyed.
- You must not destroy a client record where any of the documents are within the minimum retention period. You also cannot destroy part of a client record; the record must remain complete for the entire minimum retention period.
- For information on destruction, see ‘How can Commonwealth records be destroyed?’ below.
What does ‘accessible’ mean in reference to client records?
An accessible client record is one that can be viewed at any time by any person with the right to access the record. A client record that requires the use of specialised software to view it (in the case of electronic records) or contains pages that are faded, damaged, missing or otherwise illegible (in the case of paper records) is not accessible or complete.
Client records must be accessible and complete for at least the minimum retention period.
What do I do if a client requests their record?
If a client requests their record, you may give them a copy or allow them to view the record.
- Access to the information does not give the client ownership or custody of the record.
What do I do with client records when my business is closing?
If you are closing your business, or your contract is expiring or has been terminated, all client records that are not to be transferred to a new provider must be returned to the department.
- Where a business has been sold to another provider, client records can only be transferred to the new provider if clients have been notified of the transfer and have been given the option to change to a different provider. This occurs as part of the closure process.
How can I store paper records?
Paper client records must be kept in a cabinet that cannot be accessed by anyone who does not require access. The storage system should be protected by physical security controls such as locks and alarms. Where a client record is required to be off-site (for example, in transit to a visiting site or for a home visit), the record should be kept out of sight and preferably locked in the boot or another lockable container in the car.
APP 11 requires you to take such steps as ‘are reasonable in the circumstances to protect the information’.
What are the requirements for digitising paper records?
When digitising client records, the entire record must be digitised. The new electronic document must restrict future changes, or must be capable of recording any changes made, for example by using metadata. When digitising paper client records rigorous quality checking must be performed to ensure that client records remain complete and accurate.
You must ensure that electronic documents are created in a format that will optimise the chances of being accessible for at least the minimum retention period. Preferred formats are:
- open (non-proprietary) formats, whose specification is publicly documented
- those which are widely used
- supported by several software applications or operating systems
- readable by a readily available viewing ‘plug-in’ if the specific production software is not available to all users.
Client records digitised from paper records must include a certification that a quality check has occurred, and that the electronic client record is an exact copy of the complete paper client record. This certification should include:
- the date the original paper client record was created
- the date the client record was digitised
- the name of the person who digitised the client record
- the date the quality check was performed
- any issues found during the quality check and how these were rectified
- the name of the person who performed the quality check.
Individual documents relating to a client must be packaged in one complete client record.
The new electronic record becomes the original client record.
The Digital Continuity 2020 Policy promotes a consistent approach to information governance across the Australian Government. It applies to government information, data and records, including those created by providers.
The National Archives of Australia (NAA) guide to Digitising accumulated physical records provides useful information and tips on the digitisation of paper documents.
What do I do with paper client records when they have been digitised?
Where a paper client record has been digitised and confirmed as a true and correct copy, the source record (the paper client record) should be destroyed, subject to any disposal freeze that is in force.
For information on destruction, see ‘How can Commonwealth records be destroyed?’
How can I store electronic records?
Electronic client records must be stored in a system that requires authentication (at minimum a password) and that cannot be accessed by anyone who does not require access. The storage system should be protected with security software, and a disaster recovery and/or business continuity plan must be in place.
A dedicated Electronic Document & Records Management System (EDRMS) is preferred over a standard computer folder system. An EDRMS is a software application designed to assist with the creation, management, use, storage and disposal of information and records. Some Office Management Systems (OMS) provide this functionality.
It is preferred that any EDRMS makes use of metadata. This is information recorded about an electronic document, either embedded within it or held alongside it by the EDRMS, which the system uses to identify the document and capture its history of use. This helps to ensure the client record remains accurate and complete, and that any changes or amendments, and the people who accessed the record, can be identified.
APP 11 requires you to take such steps as ‘are reasonable in the circumstances to protect the information’.
Why do I need a disaster recovery or business continuity plan?
To ensure the integrity and availability of client records in electronic storage systems, you must have disaster recovery and business continuity plans. These plans must include the backup of electronic client records. The backup may be internal or external. Either system must have protections at least equivalent to those of the production storage system, and must restrict access to only those who require it.
The use of an internal (on-site) backup must take into account the risk of a disaster occurring at the site and destroying both the original and the backup copies of the client records.
The use of an external (off-site) backup service must take into account the location of the backup server and the backup service’s own disaster recovery and business continuity plans.
Can I use cloud storage for client records?
The concern with cloud storage is the protection of the private health information of clients. You must not use systems such as Google Drive, Google Docs, Dropbox (except for the Department’s secure Drop Box), iDrive, iDocs or any other unsecured cloud service.
The Australian Signals Directorate (ASD) no longer certifies cloud service providers, and all previous certifications are now void. If you were using an ASD-certified cloud service prior to July 2020, you may continue to use that previously certified cloud service.
If you wish to change cloud providers or start using a cloud service, or you are a new provider coming onto the program, the security of your selected cloud service must be assessed. Only an independent Information Security Registered Assessors Program (IRAP) assessor can perform this assessment. You must request a copy of a current IRAP assessment of the cloud service and contact the program at firstname.lastname@example.org before storing client records on the new service.
You must ensure that the service agreement with a cloud services provider states that the records will be hosted on an Australian server and will not be disclosed outside Australia. The agreement must also state that the records will be encrypted to at least the equivalent of Unclassified with a DLM of Sensitive: Personal or Official with an AIMM of Personal: Privacy.
How can Commonwealth records be destroyed?
Please note that from 21 June 2019 there has been a freeze on the destruction of Commonwealth records. Providers must not destroy any program client records until the Department of Health advises that the freeze has ended. This includes records of program clients who are deceased or who have not accessed the program for seven or more years.
Where a paper client record has been digitised, and the electronic client record is to become the original record, the source record (paper client record) can be destroyed. Please contact the program via email@example.com for requirements.
The disposal freeze on all program client records falls under the terms of reference for the Royal Commission into Violence, Abuse, Neglect and Exploitation of People with Disability.
Providers must hold all records until they are informed they can be destroyed, or they are required for the Royal Commission.
As per section 24(1) of the Archives Act 1983 (Cth) penalties apply for records disposed of in breach of this freeze order.
How can I transfer client records?
Client records can only be transferred between providers where the client has given their authorisation. See the Client relocations provider factsheet for further information.
You must only transfer paper client records using registered mail or courier. Electronic client records can be transferred by registered mail or courier on a USB drive secured with a password (that is, an encrypted drive, with the password communicated to the recipient separately from the drive), or using secure and/or encrypted email.
The client record may include a copy of any data from systems such as NOAH or an OMS, but you must also include copies of any results and reports from the system in a format that is accessible. If the client record is in paper format this means a printout of the documents; if it is in electronic format, a copy in PDF or another accessible format must be included. This is because the new provider may not use the same software, and without these copies the record would not be accessible and would be incomplete.
Where a client record is in electronic format it must be transferred in electronic format. Every time a client record is printed and then scanned to create a new electronic record, the quality of the record can be degraded. This does not meet departmental requirements for integrity and may result in the client record, or parts of the client record, not being accessible for the minimum retention period.
The Privacy Act recognises ‘health information about an individual’ as sensitive information. Client records must not be transferred by unsecured email, as ordinary email systems are not secure enough for the transfer of sensitive information. If you wish to use a secure and/or encrypted email system for the transfer of electronic client records, you must consider the location of any storage, the system’s security, and its compliance with the Privacy Act, the Archives Act and program requirements as part of your decision.
Where electronic client records are transferred and receipt has been confirmed, your copy of the client records should be destroyed (subject to any disposal freeze that is in force), retaining only those documents you are required to keep under program legislation or the contract.
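The digitisation requirement above (an electronic record that restricts, or at least records, future changes) and the transfer requirement (destroy the source only once receipt of a complete, unchanged record is confirmed) both come down to being able to prove that a package of documents is complete and unaltered. The following is an added example, not code from the department or the program, of one way to do that: a manifest listing every document in a client record package with its SHA-256 digest, which the recipient verifies before confirming receipt. The function names, the client reference and the sample documents are constructed for illustration.

```python
"""Integrity manifest for an electronic client record package (added example).

The sender builds a manifest over every document in the package; the recipient
re-computes the digests and reports anything missing, modified or unlisted
before confirming receipt. The manifest carries its own digest so that edits
to the manifest itself are also detected.
"""
import hashlib
import json

# Constructed sample package: file name -> file content (assumed, not real records).
SAMPLE_RECORD = {
    "audiogram.pdf": b"%PDF-1.4 constructed sample audiogram export",
    "fitting_report.pdf": b"%PDF-1.4 constructed sample fitting report",
    "client_notes.txt": b"constructed sample clinical notes",
}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string."""
    return hashlib.sha256(data).hexdigest()


def _canonical(manifest_body: dict) -> bytes:
    """Canonical JSON encoding so that the same content always yields the same digest."""
    return json.dumps(manifest_body, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(documents: dict, client_ref: str, prepared_by: str, prepared_on: str) -> dict:
    """List every document with its digest, then seal the manifest with its own digest."""
    entries = {name: sha256_hex(content) for name, content in sorted(documents.items())}
    body = {
        "client_ref": client_ref,      # assumed identifier format
        "prepared_by": prepared_by,
        "prepared_on": prepared_on,
        "documents": entries,
    }
    body["manifest_digest"] = sha256_hex(_canonical(body))
    return body


def verify_package(documents: dict, manifest: dict) -> list:
    """Return a list of problems; an empty list means complete and unchanged."""
    problems = []
    body = dict(manifest)                     # shallow copy so the caller's manifest is untouched
    claimed = body.pop("manifest_digest", None)
    if claimed is None or sha256_hex(_canonical(body)) != claimed:
        problems.append("manifest digest mismatch: manifest has been altered")
    listed = manifest.get("documents", {})
    for name, digest in listed.items():       # sorted at build time, so output order is stable
        if name not in documents:
            problems.append(f"missing: {name}")
        elif sha256_hex(documents[name]) != digest:
            problems.append(f"modified: {name}")
    for name in sorted(documents):
        if name not in listed:
            problems.append(f"unlisted: {name}")
    return problems


if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_RECORD, "CLIENT-0001", "A. Clinician", "2021-03-02")
    print("clean package:", verify_package(SAMPLE_RECORD, manifest))
    tampered = dict(SAMPLE_RECORD)
    tampered["audiogram.pdf"] = b"%PDF-1.4 altered in transit"
    del tampered["client_notes.txt"]
    print("tampered package:", verify_package(tampered, manifest))
```

The sender keeps the manifest with their own copy and sends it alongside the package; the recipient confirms receipt only when `verify_package` returns an empty list, and the sender destroys their copy only after that confirmation. A digest protects against accidental corruption and silent alteration, not against an attacker who can rewrite both the package and the manifest; if that matters, the manifest should additionally be signed or sent over a separate channel from the package.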
Can I keep a copy of a transferred client record?
You must not keep a copy of any client record, or part of any client record, except where required under program legislation or the contract.
Clause 12.3 of the contract requires you to retain all original Claim Forms submitted to the department or DHS and copies of all receipts issued to clients for a period of at least seven years. As these are no longer part of the transferred records, this would be seven years from the date of service or the date of the receipt.
What is a ‘Data Breach’?
Data breaches can occur in a number of ways. Some examples include:
- lost or stolen laptops, storage devices, or paper client records
- hard disk drives and other digital storage media being disposed of or returned to equipment lessors without information being correctly destroyed
- databases being ‘hacked’ or otherwise illegally accessed
- paper records stolen from unsecured recycling or garbage bins or from cars
- mistakenly providing personal information to the wrong person
- an individual deceiving an agency or organisation into improperly releasing information.
The Notifiable Data Breaches (NDB) scheme (Part IIIC of the Privacy Act) came into effect from 22 February 2018. As a health service provider and holder of personal health information (client records), you are subject to the NDB scheme.
The NDB scheme introduces an obligation to notify individuals whose personal information is involved in an eligible data breach. This must include recommendations about the steps individuals should take in response to the breach.
Under the NDB scheme, an eligible data breach occurs if:
- there is unauthorised access to, unauthorised disclosure of, or loss of, personal information held by an entity; and
- the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates.
What do I do if a data breach occurs?
If you suspect a data breach has occurred, the NDB scheme requires you to carry out a reasonable and expeditious assessment of whether it is an eligible data breach, and to complete that assessment within 30 days of becoming aware of the suspected breach.
If you identify an eligible data breach, you must notify the Office of the Australian Information Commissioner (OAIC) and follow the requirements under the NDB scheme. You must also notify the department as specified in clause 20.6 and clause 24.1 of the contract.
Further information regarding identifying eligible data breaches and determining serious harm is available on the OAIC website.
Is the management of client records monitored by the department?
We check compliance with record keeping requirements as part of our compliance monitoring activities as outlined in the Compliance Monitoring and Support Framework.
Where required, we will notify the OAIC of any identified breaches of the Privacy Act and will follow the instructions of the OAIC in relation to any notified breaches.
Persistent or significant non-compliance with any of the legislative or contractual requirements in relation to program records management may result in referral for compliance action, up to and including action under Section 6 of the contract (Breach and Termination) and/or referral to the OAIC for action under Part V of the Privacy Act (Investigations etc.).