Digital Record-Keeping for Prescribers in Australia: Ensuring Compliance and Security

Key Takeaways

• Prescribers must maintain detailed electronic records of issued eScripts.
• Records include prescriber and patient identifiers, as well as dispensing metadata.
• Systems must comply with national electronic prescribing standards.
• Audit trails document access and modifications.
• Retention periods are generally 7 years for adults and until age 25 for minors.
• Patients have the right to request access to and correction of their records under the Privacy Act.

The transition to e-prescribing in Australia's health system has changed how prescriptions and health information are recorded and stored. AHPRA-registered prescribing practitioners have a legal and professional duty, under the National Health Act 1953 and the Privacy Act 1988, to keep accurate, safe and readily available records of all eScripts they have issued.

Digital record-keeping supports improved traceability, accountability, and continuity of care within the eScript & Prescription Access Hub. This chapter explains the high standards prescribers must meet to protect your digital health record.

Records That Prescribers Are Required to Maintain

Whenever a Prime Medic GP issues an eScript, their clinical software automatically records comprehensive metadata and clinical information. This goes beyond merely a line in the file; it is a formal record of a legal transaction.

Required Information

• Prescriber Identifiers: Full name of the practitioner, AHPRA registration number, and Healthcare Provider Identifier-Individual (HPI-I).
• Patient Identifiers: Full legal name, date of birth, and Individual Healthcare Identifier (IHI) to accurately associate the script with the right national record.
• Transaction Metadata: Date and time the script was generated, unique token ID, and the particular Prescription Delivery Service (PDS) used (e.g., eRx).
• Instruction Detail: Quantity, number of repeats, and any required intervals between dispensing for clinical safety purposes.

These items constitute the core of our official e-script required information and form part of the required regulatory documentation.

Prescribers' Secure Storage of Medical Records and System Requirements

Prescribers are required to use secure, compliant clinical software when storing eScript information. Electronic health record data must be stored in software that complies with the Electronic Prescribing Conformance Scheme requirements issued by the Australian Digital Health Agency (ADHA).

Security-Related Safeguards

• Encryption: The information is encrypted in accordance with national electronic prescribing and health data security standards, so that even if a thief steals the physical hardware, the data would remain protected against unauthorised access.
• Multi-Factor Authentication (MFA): To access the prescribing systems, a password is required, and the doctor must also use a second factor of identification (e.g., a secure token or mobile prompt) to verify identity before accessing prescribing functions.
• Backend Security: Records are typically stored on secure servers operating within Australian regulatory frameworks and support compliance with applicable privacy and data security requirements.

Audit Trails and Access Logs

Audit trails are a key feature of digital prescribing systems of digital records, providing a complete history of all interactions with the electronic prescription, each recorded and timestamped. Unlike with paper files, where there is no such option, the user can only see the latest version of the document.

The Use of Access Logs

• Transparency: Logs include who accessed a file, what changes were made, and when a script was cancelled or reissued. This helps prevent prescription administration errors.
• Accountability: Regulatory bodies may review these records where required under applicable legislation in response to alleged unauthorised access or the disclosure of confidential information that has resulted in unauthorised disclosure of patient data.
• Integrity: The audit trail supports documentation of compliance with prescribing standards, and the prescription process is followed throughout the prescription lifecycle.

Retention Timelines

Prescribers must comply with the law by retaining their electronic records for a specified period. Although retention rules vary slightly by state, most jurisdictions follow broadly similar national principles.

General Retention Rules (as of 2026)

• Adult patients: Records are usually retained for 7 years from the date of the last health service.
• Minor Patients: For minors, records are retained until age 25.
• Controlled Substances: In some cases, states have stricter record-retention requirements for high-risk medications to ensure ">compliance with medication safety.

Upon expiry of these intervals, the digital files must be securely deleted or de-identified in accordance with applicable record-retention requirements.

Patient Rights to Request Data Summaries

Under the Privacy Act, you are entitled to access the record of your personal data that the doctor holds about you.

How to Get Your Records

• Medication Summaries: You may request and access a medication summary at any time. This summary contains relevant medication information and may include personal identifiers where required.
• Correction of Records: In case you find a discrepancy, such as a wrong spelling of your name in your record, you are entitled to have such an amendment done so that your identity verification before eScript remains accurate.
• Safe Communication: To ensure your safety, this request must always be made via our confirmed patient portal or secure email only, and it must be written and documented.

You can learn more about these topics in the digital prescription consent and data sharing section.

For further reading on your digital health rights, see the Australian Digital Health Agency's My Health Record for Patients.