dociva-logoDociva

Who Can Access Your Telehealth Medical Records?

Telehealth medical records should be accessible only to people and organisations with an authorised healthcare, operational or legal reason. This commonly includes the treating practitioner and appropriately authorised members of the healthcare team. Limited administrative or technical access may also be necessary, but it should match the person's role rather than expose every clinical detail.

You can generally request access to health information held about you. Other people—such as family members, employers or insurers—do not receive an automatic right to your full record merely because they know about the appointment or paid for it.

The exact position depends on who holds the record, the applicable federal, state or territory law, consent, age, capacity and any legal exception. This article provides general Australian privacy information, not legal advice.

Key Points

  • The treating practitioner and authorised care team usually need access for healthcare.
  • Reception, billing, support and security staff should see only what their work requires.
  • A provider's local telehealth record is not automatically the same as My Health Record.
  • Sharing with another provider should have a healthcare purpose and follow applicable consent rules.
  • Patients can generally request access or correction, subject to limited lawful exceptions.
  • Family members, employers and insurers do not automatically receive the complete clinical record.
  • Access controls, audit logs and secure transfer are important privacy safeguards.
  • Emergency or legally required access can operate differently from routine access.

Medical Certificates

Sick Leave Certificate

Choose this option if you are unable to work due to illness or injury, including mental health issues or stress.

Available for $16.90

Apply Now

Carer's Leave Certificate

Choose this option if you are unable to attend work because you need to care for a family member or someone in your household.

Available for $16.90

Apply Now

What Counts as a Telehealth Medical Record?

A telehealth record may include registration details, identity checks, symptoms, medical history, allergies, medicines, consultation notes, assessment, advice, prescriptions, referrals, certificates, uploaded photographs, messages, results and follow-up instructions. The provider may also retain appointment, billing and technical information.

Not every data item is visible to every worker. A receptionist may need contact and appointment details but not detailed consultation notes. A clinician may need history and results but not unrelated payment information. A system administrator may maintain infrastructure without needing readable patient content.

The broader guide to telehealth services in Australia explains how remote care creates ordinary clinical records while adding digital communication and platform data.

The Treating Practitioner and Healthcare Team

The doctor conducting the consultation needs enough information to assess the patient safely, document care and arrange follow-up. Another authorised clinician may need access for handover, review of results, after-hours care or a referral.

Access should be connected to a current care relationship or another legitimate function. Working for the same clinic should not create permission to browse the records of neighbours, colleagues, public figures or family members without a work reason.

The Medical Board of Australia's telehealth guidelines require doctors to protect patient privacy, use secure systems, maintain appropriate records and provide follow-up and handover where needed.

Administrative, Billing and Support Staff

Administrative staff may need to confirm identity, arrange appointments, process payments, send approved documents or respond to a patient request. Billing staff may need item, provider and payment details. Support staff may need account or connection information to resolve a technical problem.

Those functions do not justify unrestricted clinical access. A well-designed service separates roles, masks unnecessary information and records sensitive actions. Privileged support access should be controlled, time-limited where practical and reviewed.

Read the technical checklist for role-based access control in telehealth. Documented job titles are not enough; the running platform should enforce patient, clinic and function boundaries.

Why Choose Dociva?

FeaturesDocivaMedical Certificate in Clinics
Are they certified?
Are they legal?
Are they valid?
Accepted by employers, schools, universities?
Available anytime
Cost effective
Reduced wait time
Reduced exposure to illness

External Technology and Service Providers

A telehealth business may use hosting, video, secure messaging, payment, identity, transcription or customer-support suppliers. A supplier may process some patient information on behalf of the healthcare provider, but it should receive only the access needed for a defined service.

The provider should assess security, contractual controls, incident response, retention and any overseas handling. A privacy policy or collection notice should explain likely disclosures in understandable terms. Patients can ask whether a third party stores consultation content or merely transmits an encrypted connection.

The OAIC Guide to Health Privacy explains how Privacy Act obligations can apply to private-sector health service providers, including collection, use, disclosure, access and security.

Your Local Provider Record and My Health Record Are Different

A clinic or telehealth platform normally keeps its own record. My Health Record is a separate national digital health record. Information does not necessarily appear in both places, and My Health Record is not a complete copy of every clinical note held by every provider.

The Australian Digital Health Agency's My Health Record information explains that authorised staff in registered healthcare provider organisations may access the system to provide or support healthcare, subject to legal requirements and patient access controls.

A provider may upload eligible documents or view information relevant to care, depending on its participation, system capability and the patient's controls. Ask the telehealth service whether it uses My Health Record and which document, if any, it expects to upload.

Patient Controls in My Health Record

Patients can use My Health Record privacy settings to restrict access to the whole record or particular documents. They can also choose who receives notifications and review which organisations have accessed the record.

The Digital Health Agency explains how to restrict access to My Health Record. Restrictions can affect what a treating professional can see, so discuss continuity and safety implications before hiding information needed for care.

Emergency access has specific conditions and should not be treated as a convenient workaround for ordinary restrictions. The provider's own local record may have separate access controls that are not changed through My Health Record settings.

Book Online Consultation

Get Expert Medical Advice Today

Convenient and Affordable Online Consultations

Connect with trusted, licensed healthcare professionals to receive expert medical advice, obtain verified medical leave certificates for work or personal needs, and access personalised treatment plans designed to address your specific health concerns. Enjoy the convenience of high-quality healthcare services delivered directly to you, eliminating the need for travel or long waiting times—all from the comfort and privacy of your own home.

Standard Consultation

Ideal for addressing general health concerns, prescription renewals, and obtaining medical certificates for urgent short-term health needs or minor illnesses.

Duration: 8 minutes

Coming Soon

Book Now

Extended Consultation

Recommended for more detailed discussions, chronic condition management, or when additional time is required to address your health needs.

Duration: 15 minutes

Coming Soon

Book Now

Can You See Who Accessed a Record?

My Health Record provides an access history showing organisations that have accessed the record and certain activity. The Digital Health Agency's access history guidance explains what patients can review and how to set notifications.

A private telehealth provider should also maintain appropriate internal logs, although its patient-facing view may differ. Ask the privacy contact to investigate unexpected access. A log entry can require context: an organisation-level event may not identify every staff action in the same way as the clinic's internal audit system.

Do not accuse an individual based on an unfamiliar organisation name alone. Record the date and details, ask for an explanation and use the provider's complaint process if the response does not resolve the concern.

Access by the Patient

You can generally ask a covered private health provider for access to health information it holds about you. Access might be provided through a portal, copies, inspection or an explanation, depending on what is reasonable and lawful.

The OAIC guidance on accessing health information explains that access can be refused in limited circumstances and that a provider should normally give reasons and available complaint options. State and territory regimes may govern public-sector records.

Ask for the specific record and date range you need. A consultation summary may answer the clinical question faster than requesting every platform log. If information appears inaccurate or incomplete, ask about correction and whether a clarifying note can be added.

Family Members, Carers and Representatives

A patient can usually authorise relevant information to be shared with a family member or carer, but consent should identify the person and scope. Permission to join one appointment does not automatically create permanent access to every past and future record.

Formal representatives may have rights based on guardianship, parental responsibility, an enduring document or another law. The provider should verify identity and authority rather than relying on possession of the patient's phone or knowledge of personal details.

Age, maturity, capacity, safety and confidentiality affect records involving children and dependent adults. A provider may need legal or clinical guidance where the patient and representative disagree. The patient's welfare and applicable law—not family preference alone—guide the decision.

Employers, Schools and Insurers

An employer or educational institution may receive a medical certificate supplied by the patient, but that does not usually entitle it to the full consultation note or diagnosis. The certificate should disclose only information appropriate to its purpose.

An insurer may request records under a valid authority or process, but the provider should verify the request, scope and consent. A broad form should not automatically lead to disclosure of irrelevant information without assessment.

Read how telehealth medical certificates work and remember that a clinical record contains more sensitive detail than the document a patient chooses to submit.

Sharing With Another Healthcare Provider

A telehealth doctor may need to send a clinically relevant summary, referral, result or medicine information to the patient's regular GP or another treating professional. The provider should confirm the recipient, use a secure channel and follow consent and legal requirements.

Sharing does not always mean transferring the complete record. The minimum useful information depends on the handover purpose and risk. Urgent continuity may require prompt contact; routine care may use secure messaging or a patient-provided copy.

See how telehealth information is shared with a regular GP for channels, consent and follow-up responsibility.

Access Required or Permitted by Law

Health information may sometimes be used or disclosed without ordinary consent where legislation, a court process, public-health requirement, serious threat or another recognised exception applies. The threshold and process depend on the circumstances and governing law.

A request from police, a lawyer or another agency should not be treated as automatic authority. The provider should verify identity, legal basis, scope and documentation, and seek advice where needed. Disclose only what the lawful purpose requires.

Public hospitals and state services may operate under different privacy and information-access legislation from a private national platform. The overview of Australian privacy laws in digital healthcare explains why more than one regime may be relevant.

How Providers Should Protect Access

Reasonable safeguards include unique accounts, multi-factor authentication for sensitive access, least privilege, secure transfer, encryption, session controls, workforce training, supplier review, backups, monitoring and an incident response process.

Access should be removed promptly when a worker changes role or leaves. Shared accounts make it difficult to determine who viewed or changed a record. Large exports, unusual searches and emergency access should receive appropriate monitoring.

Security cannot be guaranteed absolutely. Read how telehealth platforms protect patient privacy for realistic provider controls and patient questions.

What to Do About Suspected Unauthorised Access

  1. Change the account password and enable multi-factor authentication if compromise is possible.
  2. Record dates, messages, unfamiliar activity and affected documents.
  3. Contact the provider through an independently verified official channel.
  4. Ask its privacy contact to preserve logs and investigate access.
  5. Request an explanation of containment, correction and notification steps.
  6. Use the provider's complaint process and relevant external pathway if unresolved.

Do not circulate screenshots containing other patients' or staff members' information. A careful investigation should establish what was accessed, by whom, for what reason and whether the event was authorised before conclusions are made.

More of Our Services

Using Dociva

Dociva presently offers online request pathways for sick-leave, carer's leave, study and multi-day medical certificates. Each request is subject to independent assessment by an Australian registered medical practitioner, and no certificate outcome is guaranteed.

Dociva accepts requests for standard and extended consultations, specialist referrals, pathology referrals, radiology referrals and prescriptions. Access to the resulting records should remain limited to authorised people with a legitimate care, operational or legal need.

For an available certificate category, review the Dociva medical certificate request choices. Use your own account, protect sign-in details and consult current privacy information to understand how submitted records and documents are handled.

Frequently Asked Questions (FAQs)

They should not. Access should match an authorised healthcare or work purpose, with sensitive clinical detail restricted to people who need it.

No. The provider keeps its own record. Only eligible information uploaded through participating systems appears in My Health Record.

Generally yes, subject to applicable law and limited refusal grounds. Ask the provider how to make a specific access request.

Not automatically. Providing a certificate does not usually authorise access to the complete consultation note or unrelated health information.

Do not share credentials. Use an approved representative or delegation process and define the scope of any consent.

Secure the account, document the activity and contact the provider's privacy team through an official channel for investigation.