
Prime Medic Online GP and Telehealth Services Across Australia


Privacy Rules for Storing Prescription Data in Australia: What You Need to Know

Key Takeaways

  • Electronic prescription storage is regulated under Australian federal and state law.
  • Prescription data is stored within regulated Prescription Delivery Services.
  • Encryption protects data during storage and transmission.
  • Access is restricted to authorised professionals and the patient.
  • Retention periods typically follow 7-year adult record standards, with extended periods for minors.
  • Patients have the right to access, correct, and restrict certain uses of their data.

In Australia's digital health ecosystem, electronic prescription storage is governed by a strict framework of federal and state laws. Protecting sensitive health information is both a clinical imperative and a legal requirement under the Privacy Act 1988 and its Australian Privacy Principles (APPs).

Our eScript & Prescription Access Hub operates in accordance with applicable Australian privacy and healthcare legislation to support secure and ethical data storage.

This guide covers the legal obligations, technical safeguards, and your rights related to the long-term storage of digital prescription records.

The Security of eScript Records

Electronic prescriptions are not just text files. They are part of a highly secure, encrypted environment, stored within a Prescription Delivery Service (PDS) operating under Australia's electronic prescribing framework. Such a system is designed to restrict access to authorised users in accordance with regulatory requirements, while still giving healthcare providers who need the record access to it in real time.

Technical Safeguards

  • Encryption at Rest and in Transit: All medical prescription data is kept confidential by being encrypted using recognised industry standards appropriate for healthcare systems. In other words, even if data is captured during transmission or accessed from a server, it is of no value without the specific decryption keys required to open it.
  • Prescription Delivery Services (PDS): When a GP issues an eScript token, the prescription data is immediately pushed to a conformant PDS (for example, eRx or MediSecure). These services are secure digital repositories that store the legal prescription record until the pharmacist "unlocks" it with your single-use token.
  • Validation-Only Access: Pharmacists cannot "browse" the database. They can access the content of a specific record only after scanning a valid eScript Token provided by the patient.

Who Can Access Your Stored Prescription Information

Access to prescription information is limited to authorised healthcare professionals and the patient, in accordance with applicable regulations. The OAIC (Office of the Australian Information Commissioner) guidelines state that "need-to-know" access is the standard.

Authorised Access Circles

  • The Patient: As the patient, you have the most direct right to your prescription data.
  • The Prescriber: The doctor who is registered with AHPRA and who has written the script may be allowed to view the record to check the patient's progress and verify the patient's identity before sending the eScript.
  • The Dispensing Pharmacist: Once you present your token, the pharmacist is temporarily authorised to view the information and dispense the medication.

In most cases, no one outside these groups can access this data unless it is specifically requested by law (for example, real-time prescription monitoring to prevent drug abuse). Whenever an individual accesses your data, an audit trail is created. This enhances data privacy and patient access to documents.

How Long Can Data Be Kept in Australia?

Health records are subject to retention schedules to ensure continuity of care and serve as legal evidence. Retention requirements are governed by both federal and state legislation, and specific timeframes may vary by jurisdiction.

Typical Time Limits

  • Medical records of adults: General health laws require that adult medical records (including prescription information) be retained for at least 7 years from the date of the latest entry.
  • Minors: The patient's medical records must be retained until age 25 if the patient is under 18 years old.
  • Legal Compliance: These retention periods are intended to support continuity of care and meet legal record-keeping requirements. At the end of these time frames, data must be securely disposed of or permanently de-identified in accordance with legal compliance requirements.

Measures for Keeping Data Away from Unauthorised People

Cybersecurity is essential for any company today. Relevant Australian privacy and digital health frameworks require organisations to take reasonable steps to protect personal information.

Security Protocols

  • Multi-Factor Authentication (MFA): Many healthcare systems implement multi-factor authentication (MFA) for access to prescribing and dispensing systems. This strengthens access controls, so that even if a password is stolen, it alone will not be sufficient to access patient data.
  • Regulated Operational Procedures: All access records in the eScript system are stored. Such audit trails help regulators determine exactly who accessed a record or document, thereby preventing fraud and deterring potential misuse.
  • Secure Backups: Data is replicated to multiple secure servers in Australia to prevent data loss from hardware failure or cyberattacks.

Prime Medic's Digital Record Keeping for Prescribers policy aligns with these protocols.

How to Request Access to Your Prescription Data

The Privacy Act gives you the right to access the personal information that is held about you. Prescription history is part of that information.

Understanding Your Rights

  • Access and Review: You have the right to request a prescription summary from your doctor or to access it through the My Health Record portal.
  • Correction of Information: If you find something incorrect in the records (e.g., a wrong address or initials), you can ask for a correction.
  • Restriction of Sharing: You can withdraw your consent to certain data-sharing features, such as the Active Script List (ASL). Withdrawing leaves your scripts accessible by token only.

You may also contact the Office of the Australian Information Commissioner (OAIC) if you are not satisfied with the response. For more on these protections, consult the official Australian Government prescription regulations or the Healthdirect guide to eScripts.


Frequently Asked Questions

Some common questions you have asked

If your phone is unlocked, someone may be able to view the SMS or email containing the token. Nonetheless, the person cannot view your full medical history or other prescription data. This is why safe handling of eScript tokens is vital.


Written by: Dr Muhammad Mohsin

CEO, Founder and Chief Medical Officer, Prime Medic.
The medical content on this page is an original analysis prepared, written and contributed by Dr Muhammad Mohsin. 17-Jun-2026 18:40:00.