Clinical records exist for several overlapping reasons: clinical continuity of care, regulatory accountability, billing evidence, and legal protection. Each reason has slightly different retention implications. The minimum-defensible record looks a lot like the maximum-useful record — hold to that and you are usually safe.
This guide is operational. Specific retention durations vary by jurisdiction (especially for paediatric clients) and registration body. Confirm the specifics with your peak body and your indemnity insurer.
What to capture per client
- Identifying information (name, DOB, contact details, NDIS number if applicable).
- Service agreement and consent record.
- Initial assessment / intake record.
- Goals (current and historical — the trail matters).
- Session notes for every session held.
- Reports and correspondence sent or received (referral letters, school reports, GP communications).
- Discharge summary if the client has been discharged.
Retention periods
Most Australian jurisdictions require allied health records to be retained for at least 7 years after the last clinical contact — longer for paediatric clients (commonly until 25 years of age, but check the specific rule that applies to you). NDIS providers may have additional record-keeping obligations under their registration. When in doubt, keep longer rather than shorter.
Storage discipline
All records on one system, accessible to the right roles, encrypted, backed up. Hybrid storage — some records on a clinical system, some in email folders, some in personal Google Drive — is how records get lost or breached. Pick one home and put everything there.
When a clinician leaves
The practice owns the clinical records, not the individual clinician. When a clinician leaves, their access goes; the records stay. This needs to be documented in their employment terms before they start, not negotiated when they resign.
When a client requests their record
Australian privacy law gives clients a right to access their own personal information. Have a process: who handles the request, in what timeframe, with what review for sensitive content. Most requests are routine; the process matters when one is not.