Access To Health Records

This policy has been updated to reflect the General Data Protection Regulation.

Introduction

The General Data Protection Regulation (GDPR) is an EU Regulation which is directly applicable in the UK from 25 May 2018. The GDPR should be read alongside the forthcoming UK Data Protection Act 2018 (DPA 2018). The GDPR and the DPA 2018 replace the Data Protection Act 1998.

This guidance sets out a range of circumstances in which health professionals may receive, and respond to, requests for access to health records. It reflects the common enquiries received by the BMA. The guidance is divided into the following areas:

  • Defining a health record
  • Advice on record-keeping
  • Subject access requests
  • Who may apply for access?
  • Requests for access made on behalf of others
  • Deceased patients
  • Supplementary Information under SAR requests
  • Who must give access
  • Can access be refused?
  • In what format should access be provided
  • Must data controllers permit patients to inspect original records if they do not request copies of the data?
  • Can a fee be charged for accessing health records
  • Information that should not be disclosed
  • Should medical terms be explained?
  • Can records be amended or can information be deleted from records?
  • Records retention
  • Power of attorney
  • If you believe your health records are incorrect
  • Health record complaints procedure

Defining a health record

A health record exists to provide an account of a patient’s contact with the healthcare system. Health records consist of information relating to the physical or mental health or condition of an individual made by a health professional in connection with the care of that individual.

The information is most commonly recorded in electronic form, however, some records are in a manual form or a mixture of both. ‘Information’ covers expressions of opinion about individuals as well as facts. Health records may include notes made during consultations, correspondence between health professionals such as referral and discharge letters, results of tests and their interpretation, X-ray films, videotapes, audiotapes, photographs, and tissue samples taken for diagnostic purposes.

They may also include reports written for third parties such as insurance companies.

Advice on record-keeping

Health records must be clear, accurate, factual, legible and should be contemporaneous.

They must include all relevant clinical findings, the decisions made, information given to patients, and drugs or treatment prescribed. Personal views about the patient’s behaviour or temperament should not be included unless they have a potential bearing on treatment or it is necessary for the protection of staff or other patients.

Health records should not be altered or tampered with, other than to remove or correct inaccurate or misleading information. Any such amendments must be made in a way that makes it clear what has been altered, who made the alteration and when it took place.

Doctors should ensure that their manner of keeping records facilitates access by patients if requested. It may be helpful to order, flag or highlight records so that when access is given, any information which should not be disclosed (such as information identifying third parties) is readily identifiable.

If patients express views about future disclosure to third parties, this should be documented in the records. Doctors may wish to initiate discussion about future disclosure with some patients if it seems foreseeable that controversial or sensitive data may be the issue of a future dilemma, for example after the patient’s death.

Subject Access Requests

A request by a patient, or a request by a third party who has been authorised by the patient, for access under the GDPR (and DPA 2018) is called a Subject Access Request (SAR).

If you would like to request to view or have a copy of your entire medical records from birth, please submit an online consultation through Engage Consult and select “Request a Copy of your Medical Records”.

You don’t have to give a reason for wanting to see your records and there is no charge for this service. The Practice has up to 28 days to respond to your request. If additional information is needed before copies can be supplied, the 28-day time limit will begin as soon as the additional information has been received.

The 28-day time limit can be extended by up to two months for complex or numerous requests where the data controller (usually your Practice) needs more time to collate and supply the data. You will be informed about this within 28 days and provided with an explanation of why the extension is necessary.

When writing / calling, you should say if you:

  • want a copy of your healthcare records as well as to see them (if you wish to see them your Doctor or member of staff will be present to assist you and explain any medical terms to you)
  • want access through online services
  • want all or just part of them
  • would like your records to be given to you in a specific format that meets your needs, and we will endeavour to accommodate your request

If you request your records to be emailed, then we will secure you or your representative’s agreement (in writing or by email) that they accept the risk of sending unencrypted information to a non-NHS email address.

You may also need to fill in an Application Form and give proof of your identity. The Practice has an obligation under the GDPR and DPA 2018 to verify the identity of anyone requesting information before releasing it.

Please note we never send original medical records because of the potential detriment to patient care should these be lost.

Who may apply for access?

Patients with capacity

Subject to the exemptions listed under ‘Information that should not be disclosed’ (below), patients with capacity have a right to access their own health records via a SAR. You may also authorise a third party such as a Solicitor to do so on your behalf. Competent young people may also seek access to their own records. It is not necessary for them to give reasons as to why they wish to access their records.

Children and young people under 18

Where a child is competent, they are entitled to make or consent to a SAR to access their record.

Children aged 16 or over are presumed to be competent. Children under 16 in England, Wales and Northern Ireland must demonstrate that they have sufficient understanding of what is proposed in order to be entitled to make or consent to a SAR.

However, children who are aged 12 or over are generally expected to have the competence to give or withhold their consent to the release of information from their health records.

In Scotland, anyone aged 12 or over is legally presumed to have such competence. Where, in the view of the appropriate health professional, a child lacks competency to understand the nature of his or her SAR application, the holder of the record is entitled to refuse to comply with the SAR. Where a child is considered capable of making decisions about access to his or her medical record, the consent of the child must be sought before a parent or other third party can be given access via a SAR (see ‘Parents’ below).

Next of kin

Despite the widespread use of the phrase ‘next of kin’, this is not defined, nor does it have formal legal status. A next of kin cannot give or withhold their consent to the sharing of information on a patient’s behalf. As next of kin they have no rights of access to medical records. For parental rights of access, see the information above.

Solicitors

You can authorise a Solicitor acting on your behalf to make a SAR. We must have your written consent before releasing your medical records to your acting Solicitors. The consent must cover the nature and extent of the information to be disclosed under the SAR (for example, past medical history), and who might have access to it as part of the legal proceedings.

Where there is any doubt, we may contact you before disclosing the information. (England and Wales only: should you refuse, your Solicitor may apply for a court order requiring disclosure of the information. A standard consent form has been issued by the BMA and the Law Society of England and Wales; while it is not compulsory for Solicitors to use the form, it is hoped it will improve the process of seeking consent.)

The Practice may also contact you to let you know when your medical records are ready. If your Solicitor is based within our area, then we may ask you to uplift them and deliver them to your Solicitor. This is because we can no longer charge for copying and postage, so we would appreciate your help if you can do this, or alternatively ask your Solicitor if they can uplift your medical records.

Requests for access made on behalf of others

The GDPR and forthcoming Data Protection Act 2018 do not provide subject access rights to third parties when they are acting on behalf of an individual who is lacking competence or capacity. Subject access rights lie only with the individual who is the subject of the record. However, those acting on their behalf may still be able to access information as set out below.

Parents

Parents may have access to their children’s records if this is not contrary to a child’s best interests or a competent child’s wishes. For children under 18 or, in Scotland under 16, any person with parental responsibility may apply for access to the records.

Not all parents have parental responsibility. In relation to children born after 1 December 2003 (England and Wales), 15 April 2002 (Northern Ireland) and 4 May 2006 (Scotland), both biological parents have parental responsibility if they are registered on a child’s birth certificate. In relation to children born before these dates, a child’s biological father will only automatically acquire parental responsibility if the parents were married at the time of the child’s birth or at some time thereafter.

If the parents have never been married, only the mother automatically has parental responsibility, but the father may acquire that status by order or agreement. Neither parent loses parental responsibility on divorce. Where more than one person has parental responsibility, each may independently exercise rights of access.

A common enquiry to the BMA concerns a child who lives with his or her mother and whose father applies for access to the child’s records. In such circumstances there is no obligation to inform the child’s mother that access has been sought.

Where a child has been formally adopted, the adoptive parents are the child’s legal parents and automatically acquire parental responsibility.

In some circumstances people other than parents acquire parental responsibility, for example by the appointment of a guardian or on the order of a court. A local authority acquires parental responsibility (shared with the parents) while the child is the subject of a care or supervision order. If there is doubt about whether the person seeking access has parental responsibility, legal advice should be sought.

The holder of the record is entitled to refuse access to a parent, or an individual with parental responsibility, where the information contained in the child’s records is likely to cause serious harm to the child or another person (see ‘Information that should not be disclosed’ below).

Individuals on behalf of adults who lack capacity

Both the Mental Capacity Act in England and Wales and the Adults with Incapacity (Scotland) Act contain powers to nominate individuals to make health and welfare decisions on behalf of incapacitated adults.

The Court of Protection in England and Wales, and the Sheriff Court in Scotland, can also appoint Deputies to do so. This may entail giving access to relevant parts of the incapacitated person’s medical record, unless health professionals can demonstrate that it would not be in the patient’s best interests. These individuals can also be asked to consent to requests for access to records from third parties.

Where there are no nominated individuals, requests for access to information relating to incapacitated adults should be granted if it is in the best interests of the patient. In all cases, only information relevant to the purposes for which it is requested should be provided.

Requests from the police.

A common enquiry to the BMA is the rights of access to health records by the police. If the police do not have a court order or warrant they may ask for a patient’s health records to be disclosed voluntarily, relying on the exemption in the DPA 2018 for the prevention or detection of crime. However, while that exemption gives health professionals the power to disclose the records to the police, there is no obligation to do so. In such cases health professionals may only disclose information where the patient has given consent, or there is an overriding public interest.

In this context a disclosure in the public interest is a disclosure that is essential to prevent a serious threat to public health, national security, the life of the individual or a third party, or to prevent or detect serious crime. This includes crimes such as murder, manslaughter, rape, treason, kidnapping and abuse of children or other vulnerable people. Serious harm to the security of the state or to public order and serious fraud will also fall into this category. In contrast, theft, minor fraud or damage to property, where loss or damage is less substantial, would generally not justify the breach of confidence necessary to make the disclosure.

Health professionals should be aware that they risk criticism, and even legal liability, if they fail to take action to avoid serious harm being caused to others. Guidance should be sought from the Caldicott Guardian, or a defence body, where there is any doubt as to whether disclosure should take place in the public interest.

Requests from insurers

SARs from insurance companies to GP practices for the disclosure of full medical records are the subject of separate advice available on the BMA website. The position of the ICO is that the use of SARs to obtain medical information for life assurance purposes is an abuse of subject access rights, and that the processing of full medical records by insurance companies risks breaching the GDPR.

This does not mean, however, that GP data controllers can refuse to respond to a SAR from an insurer outright. When a SAR from an insurance company is received, the GP should contact the patient to explain the extent of the disclosure that has been sought. GPs can then, if requested, provide the patient themselves with their medical record rather than providing it directly to the insurance company. It is then the patient’s choice as to whether, having reviewed the record, they choose to share it with the insurance company.

There is a clear distinction between the use of SARs by a solicitor, who can be seen as an agent of the patient and who is acting on the patient’s behalf, and the use of SARs by insurance companies.

Insurance companies should use the provisions of the Access to Medical Reports Act 1988 to seek a GP report.

Deceased records

The law allows you to see records of a patient that has died as long as they were made after 1st November 1991.

Records are usually only kept for three years after death (in England and Wales GP records are generally retained for 10 years after the patient’s death before they are destroyed).

Who can access deceased records?

You can only see that person’s records if you are their personal representative, administrator or executor.

You won’t be able to see the records of someone who made it clear that they didn’t want other people to see their records after their death.

Accessing deceased records

Before you get access to these records, you may be asked for:

  • proof of your identity
  • proof of your relationship to the person who has died

Viewing deceased records

You won’t be able to see information that could:

  • cause serious harm to your or someone else’s physical or mental health
  • identify another person (except members of NHS staff who have treated the patient), unless that person gives their permission

If you have a claim as a result of that person’s death, you can only see information that is relevant to the claim.

Are relatives entitled to information about the deceased’s last illness?

While there is no legal entitlement other than the limited circumstances covered under the Access to Health Records legislation, health professionals have always had discretion to disclose information to a deceased person’s relatives or others when there is a clear justification. A common example is when the family requests details of the terminal illness because of an anxiety that the patient might have been misdiagnosed or there might have been negligence.

Disclosure in such cases is likely to be what the deceased person would have wanted and may also be in the interests of justice. Refusal to disclose in the absence of some evidence that this was the deceased patient’s known wish exacerbates suspicion and can result in unnecessary litigation. In other cases, the balance of benefit to be gained by the disclosure to the family, for example of a hereditary or infectious condition, may outweigh the obligation of confidentiality to the deceased.

GP health records for un-registered or deceased individuals

NHS England is the data controller for GP health records only where an individual is currently not registered with a GP or is deceased. These records are held by Primary Care Support England (PCSE) on behalf of NHS England. To request access to GP health records in these circumstances please visit the PCSE website.

You can find more information about accessing health records on the NHS website.

Supplementary Information under SAR requests

  • The purposes for processing data

The purpose for which data is processed is for the delivery of healthcare to individual patients. In addition, the data is also processed for other non-direct healthcare purposes such as medical research, public health or health planning purposes when the law allows.

  • The categories of personal data

The category of your personal data is healthcare data.

  • The organisation with which the data has been shared

Your health records are shared with the appropriate organisations which are involved in the provision of healthcare and treatment to the individual.

Other organisations will receive your confidential health information, for example NHS Digital or the Scottish Primary Care Information Resource (SPIRE), or research bodies such as the Secure Anonymised Information Linkage (SAIL) Databank. (This information is already available to patients in our Practice privacy notices.)

  • The existence of rights to have inaccurate data corrected and any rights of objection

For example, national ‘opt-out’ arrangements, such as the opt-out from SPIRE.

  • Any automated decision including the significance and envisaged consequences for the data subject 

For example, risk stratification.

  • The right to make a complaint to the Information Commissioner’s Office (ICO)

Who must give access?

Responsibility for providing access to records lies with the ‘data controller’. The data controller will usually be an organisation. Organisations should have a policy for handling subject access requests which makes it clear which member(s) of staff are responsible for managing these requests.

Can access be refused?

If a request is ‘manifestly unfounded or excessive’, for example, because it is repetitive, access can be refused (or a fee can be charged, see below). There is little further explanation as to when a request might be considered as ‘manifestly unfounded or excessive’. However, it would be prudent to assume that the threshold set here is fairly high and that accordingly requests should be refused on this basis only where the facts are particularly extreme.

Where access has been refused on this basis, the patient must in any event be given an explanation as to why access has been refused and they must also be informed that they have the right to complain to the ICO.

In what format should access be provided?

If the request is made electronically access should normally be given in electronic format. Where patients request the medical record to be emailed to them it is strongly recommended that the practice secures the patient’s agreement (in writing or via email) that they accept the risk of sending unencrypted information to a non-NHS email address. If the patient agrees a USB stick or a CD can be used as alternative electronic formats if these are supplied by the patient.

For requests which are not made electronically a paper copy should be provided.

Must data controllers permit patients to inspect original records if they do not request copies of the data?

The GDPR does not expressly require a data controller to permit a patient access to their data by inspecting original records where no copy is requested. However, depending on the circumstances a data controller may take the view that it should in any event permit inspection of the original records. Patients sometimes become distressed when reading their records. It is therefore advisable for a member of staff to be present with them to provide support, as well as to explain any clinical terms (see ‘Should medical terms be explained?’ below). It is also important for staff to be present to ensure that records are not altered.

Can a fee be charged for accessing health records?

Initial access must be provided free of charge. The guidance allows reasonable and justifiable postal costs to be charged, but this Practice does not charge for copying or postage (see ‘Solicitors’ above).

For further requests for the same information, a ‘reasonable fee’ can be charged to cover administration costs.

A ‘reasonable fee’ can also be charged where the request is ‘manifestly unfounded’ or ‘excessive’.

The circumstances when a fee can be charged for access to health records are likely to be rare and further advice should be sought on specific cases where it is believed that charging might be justifiable.

Access to the records of deceased patients is not covered by the GDPR fee rules, so health professionals may charge a professional fee to cover the costs of giving such access.

Information that should not be disclosed

The GDPR read together with the forthcoming Data Protection Act 2018 provides for a number of exemptions in respect of information falling within the scope of a SAR. In summary, information can generally be treated as exempt from disclosure and should not be disclosed, if:

  • it is likely to cause serious physical or mental harm to the patient or another person; or
  • it relates to a third party who has not given consent for disclosure (where that third party is not a health professional who has cared for the patient) and after taking into account the balance between the duty of confidentiality to the third party and the right of access of the applicant, the data controller concludes it is reasonable to withhold third party information; or
  • it is requested by a third party and, the patient had asked that the information be kept confidential, or the records are subject to legal professional privilege or, in Scotland, the records are subject to confidentiality as between client and professional legal advisor. This may arise in the case of an independent medical report written for the purpose of litigation. In such cases, the information will be exempt if after considering the third party’s right to access and the patient’s right to confidentiality, the data controller reasonably concludes that confidentiality should prevail; or
  • It is restricted by order of the courts; or
  • It relates to the keeping or using of gametes or embryos or pertains to an individual being born as a result of in vitro fertilisation; or
  • in the case of children’s records, disclosure is prohibited by law, e.g. adoption records.

The data controller must redact, or block out any exempt information. Depending on the circumstances, it may be that the data controller should take steps to explain to the applicant how it has applied the relevant exemption. However, such steps should not be taken if, and insofar as, they would in effect cut across the protections afforded by the exemptions. Indeed, in some cases even confirming the fact that a particular exemption has been applied may itself be unduly revelatory (e.g. because it reveals the fact that the information sought is held where this revelation is itself unduly invasive of relevant third party data privacy rights). There is still an obligation to disclose the remainder of the records.

While the responsibility for the decision as to whether or not to disclose information rests with the data controller, advice about serious harm must be taken by the data controller from the appropriate health professional. If the data controller is not the appropriate health professional, then the appropriate health professional needs to be consulted before the records are disclosed. This is usually the health professional currently or most recently responsible for the clinical care of the patient in respect of the matters which are the subject of the request. If there is more than one, it should be the person most suitable to advise. If there is none, advice should be sought from another health professional who has suitable qualifications and experience.

Circumstances in which information may be withheld on the grounds of serious harm are extremely rare, and this exemption does not justify withholding comments in the records because patients may find them upsetting. Where there is any doubt as to whether disclosure would cause serious harm, the BMA recommends that the appropriate health professional discusses the matter anonymously with an experienced colleague, their Data Protection Officer, the Caldicott Guardian, or a defence body.

Should medical terms be explained?

Copies of medical records which are supplied under subject access rights must be accompanied by an explanation of any terms that might be unintelligible to the patient or the person requesting access to the records. Even in cases where permanent copies cannot be supplied, an explanation of such terms must be given.

Can records be amended or can information be deleted from records?

No. Records should not be amended because of a request for access. Indeed, it is a criminal offence under the forthcoming Data Protection Act 2018 to alter, deface, block, erase, destroy or conceal records with the intention of preventing their disclosure in response to a SAR. If amendments are made between the time that the request for access was received and the time at which the records were supplied, these must only be amendments that would have been made whether or not the request for access was made. When dealing with a SAR the most up-to-date information should be provided.

Information which is clinically relevant must not be deleted from medical records. (For electronic records, information can be removed from display but the audit trail will always keep the record complete.) Amendments to records can be made provided the amendments are made in a way which indicates why the alteration was made so that it is clear that records have not been tampered with for any underhand reason.

Patients may also seek correction of information they believe is inaccurate. The health professional is not obliged to accept the patient’s opinion, but must ensure that the notes indicate the patient’s view. Health professionals are advised to provide the patient with a copy of the correction or appended note.

Patients also have the right to apply to the ICO or a court to have inaccurate records amended or destroyed.

Records retention

The health departments give detailed advice about the minimum retention periods applicable to NHS records. The recommendations apply to both electronic and manual records, and the BMA advises private practitioners to follow the same rules.

Hospital records should be kept for a minimum of eight years following the end of treatment, and GP records for 10 years, although certain types of records, such as children’s records, obstetric records, and mental health records are kept for longer.

When health professionals are responsible for destroying health records, they must ensure that the method of destruction is effective, and does not compromise confidentiality. Incineration, pulping, and shredding are appropriate methods of destroying manual records. Electronic data should be destroyed using appropriate data destruction software, so that it cannot be recovered from the storage medium; simply deleting the files is not sufficient.

Power of attorney

Your health records are confidential, and members of your family are not allowed to see them, unless you give them written permission, or they have power of attorney.

A lasting power of attorney is a legal document that allows you to appoint someone to make decisions for you, should you become incapable of making decisions yourself.

The person you appoint is known as your attorney. An attorney can make decisions about your finances, property, and welfare. It is very important that you trust the person you appoint so that they do not abuse their responsibility. A legal power of attorney must be registered with the Office of the Public Guardian before it can be used.

If you wish to see the health records of someone who has died, you will have to apply under the Access to Health Records Act 1990. You can only apply if you:

  • are that person’s personal representative (the executor named in their will, or the administrator of their estate), or
  • have a claim arising from that person’s death (in which case you will only be given information relevant to the claim).

Being next of kin does not in itself give a right of access (see ‘Next of kin’ above). To access the records of a deceased person, you must go through the same process as for a living patient. This means contacting the Practice or the Hospital where the records are stored.

If you believe your health records are incorrect

If you think that information in your health records is incorrect, or you need to update your personal details (name, address, phone number), approach the relevant health professional informally and ask to have the record amended. Some Hospitals and GP Surgeries have online forms for updating your details. If this doesn’t work, you can formally request that the information be amended under the NHS complaints procedure.

Health record complaints procedure

All NHS trusts, NHS England, CCGs, GPs, Dentists, Opticians and Pharmacists have a complaints procedure. If you want to make a complaint, go to the organisation concerned and ask for a copy of their complaints procedure.

Alternatively, you can complain to the Information Commissioner (the person responsible for regulating and enforcing the Data Protection Act), at:

The Information Commissioner’s Office (ICO)

Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Telephone: 01625 545745

If your request to have your records amended is refused, the record holder must attach a statement of your views to the record.