Physiotherapy health records standard

A PDF version of this Standard can be downloaded here.


Health records are essential for the provision of quality health care services and support enhanced outcomes for health consumers.  Health records include all forms of documentation irrespective of the medium, i.e. paper or electronic, held by private practices or organisations.

Documenting and maintaining an appropriate patient health record is important for the following reasons:

  • to ensure patient safety
  • to provide continuity of care
  • to provide a standardised way of communicating between physiotherapists and other health professionals
  • to provide an accurate record of the care the patient received. In the event of a dispute or investigation, health records provide vital information.


New Zealand law

Physiotherapists must be familiar with the law governing this area of practice including the Health Information Privacy Code 2020 and Health (Retention of Health Information) Regulations 1996. A practical guide to the interpretation of health information privacy ‘On the Record’ is available on the website of the Privacy Commissioner (See link in Related Resources below).

The Health Information Privacy Code (HIP): Rule 5 outlines requirements and suggests guidelines for transmission of health information and pertains to cloud storage; Rule 6 outlines the requirements for access of health information; Rule 7 pertains to the correction of health information; Rule 9 outlines the requirements for retention of all health information related to an individual patient.

All electronic documentation should comply with the Archives New Zealand Digital Record Keeping Standard August 2010.

Legal access to patient records is outlined in the Privacy Act 2020.

The Public Records Act (2005) applies to most records held by government agencies.

New Zealand Standards Health Records 8153:2002 provides requirements for all physiotherapists practising in New Zealand.

The Ministry of Health’s cloud computing policy was revised in June 2017 and applies to all health providers.


1.     Creation and content of health records

1.1. Patients should feel confident that their health information will be recorded with their appropriate informed consent (see Board’s Informed Consent Standard), respectfully, with regard to their cultural needs, and be kept confidential (except where legally required to do otherwise).

Patient health records will be kept in a document or file specific to that individual and contain:

    • key demographic data such as full name, NHI number (if available), date of birth, gender, ethnicity, contact details, and, where needed, residency status and name of the General Practitioner.
    • the date (and in some instances time)
    • the principal/primary diagnosis
    • relevant associated conditions or additional diagnoses
    • relevant family or personal history
    • medications
    • a comprehensive subjective and objective assessment
    • analysis of the patient’s signs and symptoms
    • relevant outcome measurements
    • patient goals and management plan
    • information given to the patient
    • a record of consent given or refused
    • all treatment and other interventions, with the date they took place
    • progress made and discharge plan
    • letters and reports to, or from, referring health professionals or other involved parties, and any clinical photographs and/or digital images. These need to be dated.
    • note of risks and/or problems that have arisen and the action taken to rectify them
    • electronic authentication or printed name, signature and designation of the physiotherapist responsible.

1.2. Information must be added to patient records after every physiotherapy encounter, including when the patient contacts the physiotherapist by telephone or other means, does not attend, or another person contacts the physiotherapist about the patient or on the patient’s behalf. Receipt of reports (diagnostic procedures, letters from other professionals) should be acknowledged or electronically recorded and stored with the patient records. The use of ‘copy and paste’ or ‘auto-population’ as a method of documenting in an electronic system is discouraged. Each patient record is unique, and patient records must be verified and updated accordingly.

1.3. Abbreviations or acronyms: Abbreviations or acronyms within patient records have the potential to cause confusion and threaten patient safety when care is transferred to another physiotherapist or another health professional. Care should be taken only to use those abbreviations or acronyms that are clear and widely understood. A list of approved abbreviations used by the clinic/physiotherapist should be available on request.

1.4. Timing: Patient records must be filled out at the same time as the events you are recording or as soon as possible afterwards.

1.5. Additions and alterations: Alterations to patient records must be identifiable. The person amending the patient record must date and initial or sign the correction – or authenticate electronically, so they are identifiable. If altering a record, the original statement should be struck through (making clear that it has been corrected) leaving it able to be read. Efforts to obliterate original statements may appear as an attempt to cover up errors in care in the event of a dispute. Patients can request a correction and/or ask for the addition of information.

1.6. Physiotherapists supervising students must ensure all student notes are sighted and countersigned.

2.     Storage and security of health records

2.1. Patient records must be stored securely to protect the information from loss, theft, tampering, and unauthorised access or disclosure.

2.2. Patient records should be reproducible without loss of content and accessible for the duration of storage time required.

2.3. Patient records should be kept away from public areas, and access should only be possible by appropriate members of staff.

2.4. Electronic records must be password protected and not shared, and a system for regular back-up should be in place.

2.5. All health providers wanting to store personal health information in a cloud service may do so provided they first undertake a formal risk assessment.[1]


3.     Access and retrieval

3.1. All access and retrieval of health records should be undertaken by identifiable authorised personnel.

3.2. Patients have a right of access to information in their records. The practice is acting as the custodian of individual patient health records.

3.3. Third party access to health records/information can only be provided:

    • with the patient’s written consent (except when permitted or required by law)
    • by Court Order
    • as part of an existing signed arrangement with a funder or insurer.

The physiotherapist should seek organisation/legal advice if there are concerns regarding the right to access.


4.     Transportation and transfer of information

4.1. Every effort must be made to ensure safe physical or electronic transportation/transmission of patient information in order to minimise the risk of loss or damage.

Steps may include:

    • secure storage of patient health records during transport between clinical sites
    • password protection or encryption on all electronic transfers of information
    • using authorised encrypted electronic record sharing services, such as HealthLink
    • having published guidelines for the use of mail, faxes and email for transmitting health records, which protect the privacy of the health information.

4.2. Transfer of patient documentation.

Planning should take place to ensure responsibility for patient documentation is transferred, with the patient’s consent, if the practice closes for any reason, in keeping with their risk management policies and procedures:

    • if a practice is sold, there will be a contractual negotiation between the proprietor and the purchaser for the transfer of the health records
    • in the case of planned closure, such as retirement, the physiotherapist needs to make arrangements for another practitioner to accept responsibility or for patients to pick up their own records
    • in the case of unexpected closure due to such causes as illness, incapacity, suspension, deregistration, bankruptcy, or death, the physiotherapist should have arrangements in place for another physiotherapist or an attorney to take responsibility for the safe transfer of patient documentation in the best manner to maintain continuity of care
    • in the case of unexpected closure, such as natural disaster, every practical action should be taken to ensure security and retention of patient documentation.


5.     Retention and disposal of health records

5.1. All health records must be retained for a minimum of 10 years from the day following the last day of the patient consultation.

5.2. Retention of records for longer than the minimum 10 years is recommended for children with significant problems or patients with conditions likely to persist in the long-term.


6.     Disposal of patient documentation

Documentation must be disposed of in a manner which ensures its confidentiality. Privacy and security requirements must be met, and everything necessary and practicable must be done to ensure that the destruction of records is complete.


7.     Disputes or complaints

In the event of a dispute or a complaint, the patient record may be the key source of information about what occurred in the physiotherapy/patient encounter, and a copy may be requested by disciplinary bodies. It is, therefore, imperative to maintain high-quality records to recall why decisions were made, whether consent was obtained and what treatment was undertaken. Appropriate and high-quality patient records are therefore important for the safety of the patient and the physiotherapist.


Related resources

Aotearoa Physiotherapy Code of Ethics and Professional Conduct (2018). Principle 3 and Principles 2.12 and 5.7

Archives New Zealand Digital Record Keeping Standard August 2010

Cloud Computer Checklist for Small Business. Guidelines for ‘cloud’ storage.

Cloud computing and health information, Ministry of Health (2017)

Government Chief Information Officer website, Assess the risks of cloud services (2017)

Health Records 8153:2002. Standards New Zealand.

Health Information Privacy Code

On the Record. A practical guide to health information privacy. Office of the Privacy Commissioner (2011)

Physiotherapy Informed Consent Standard

Physiotherapy practice thresholds in Australia & Aotearoa New Zealand Role 1 and Key competencies 2.1, 2.11, 3.2, 4.3, 4.4, 4.5, 5.1, 6.1, 6.2 and 7.2.



May 2018
This standard is scheduled for review in 2023. Legislative changes may make this standard obsolete before this review date.
This document has relied on the Medical Council of New Zealand’s Standards and resources, as these Health Professionals face similar issues. We acknowledge The Medical Council of New Zealand for their generosity in allowing us to use and appropriately amend their document. 


[1] Guidance on how to manage risk assessments can be found at ICT.govt.nz