Access to Medical Records
The law states that NHS organisations must, when requested by an individual, give that person access to their personal health information, and occasionally, certain relevant information pertaining to others. In order to do this, they must have procedures in-place that allow for easy retrieval and assimilation of this information.
There are three main areas of legislation that allow the right of the individual to request such personal information, and they are:
· The Data Protection Act 2018
· The Access to Health Records Act 1990
· The Medical Reports Act 1988
Where the request for information by an individual falls under the legislation of any of these areas, access must be granted. Patients requesting information about their own personal medical records would usually have their request dealt with under the provisions of the Data Protection Act 2018.
Changes to Data Protection Regulations
In May 2018 the General Data Protection Regulations (GDPR) were introduced by the EU for all member states – these rules have been incorporated into British law and now referred to as the Data Protection Act 2018.
Requests from Solicitors
A patient can authorise their solicitor or another 3rd party to make a Subject Access Request. As long as the solicitor has provided the patient’s written consent to authorise access to the records, the SAR process should be followed as usual. The purpose for making the SAR bears no relation to the amount of information that can be provided.
If the request is to create a medical report or to interpret the information in a medical record or report, then this would be a request under the Access to Medical Reports Act (AMRA). This is because both of these requests will need new material to be created, which is not included under a Subject Access Request, which is to access existing information about a patient. This would mean that a fee is payable.
As long as the solicitor has provided the patient’s written consent to provide the information to them, then they can (if requested) have access to the full medical record of that patient.
Requests from Insurers
The ICO has said that insurance companies using SARs to obtain full medical records are an abuse of the request process. The have stated that if a SAR is received, GPs should contact the patients to explain the implications and the extent of the disclosure, and provide the information to the patient themselves instead of directly to the insurance company.
If you suspect that a SAR from an insurer is doing this then it should be reported to the ICO and the Association of British Insurers.
A health record could include, and not exhaustively, hand-written clinical notes, letters between clinicians, lab reports, radiographs and imaging, videos, tape-recordings, photographs and monitoring printouts. Records can be held in both manual and digital formats.
What type of request is being made?
Under the DPA, patients have the right to apply for access to their health records. Provided that a written application is made by one of the individuals referred to below, the practice is obliged to comply with a request for access subject to certain exceptions. However, the practice also has a duty to maintain the confidentiality of patient information and to satisfy itself that the applicant is entitled to have access before releasing information.
For deceased persons, applications are made under sections of the 1990 Access to Health Records Act, which has been retained. These sections provide the right of access to the health records of deceased individuals for their personal representative and others having a claim under the estate of the deceased.
The Data Protection Act 2018
The scope of this Act includes the right of patients to request information on their own medical records. Requests for information under this Act must:
· Be in writing to the data controller Dr Lidia Kostuch-Bush is the data controller at ST STEPHENS HOUSE SURGERY. (E-mail requests are allowed. Verbal requests can be accepted where the individual is unable to put the request in writing – this must be noted on the patient record);
· Be accompanied with sufficient proof of identity to satisfy the data controller and to enable them to locate the correct information (where requests are made on behalf of another, the data controller must satisfy themselves that correct and adequate consent has been given);
· Be accompanied with the correct fee where applicable (see below for guidance on fees);
The data controller should check whether all the individual’s health record information is required or just certain aspects.
Where an information request has been previously fulfilled, the data controller does not have to honour the same request again unless a reasonable time-period has elapsed. It is up to the data controller to ascertain what constitutes a reasonable time-period.
Requests for health records information under a Subject Access Request (a request from the person that the data relates to) should be recorded internally and fulfilled within 30 calendar days (unless under exceptional circumstances – the applicant must be informed where a longer period is required). Information given should be in a manner that is clear and intelligible to the individual.
Anyone making such a requested is entitled to be given a description of:
- Which data (categories) are being processed
- Details of the data controller, including contact details
- Contact details of the Data Protection Officer
- Why the practice is processing that data, the applicable legal basis and whether there is a statutory or contractual requirement to process data
- Other organisations that data may be shared with
- Whether there is any data processing taking place outside of the European Union
- The retention period for the data categories
- Individual rights to rectification, erasure, withdraw consent/object/opt out, data portability, ability to take complaints to the ICO
The General Data Protection Regulation (EU) 2016/679 and Data Protection Act 2018 only apply to living persons, but there are limited rights of access to personal data of deceased persons under the Access to Health Records Act 1990.
Access Request Fees
Under the new Data Protection Act 2018 (which incorporates the GDPR requirements), this removes the charge fees for fulfilling an SAR unless the Practice determines that the request is “manifestly unfounded or excessive”, and it tightens the statutory timescales to 30 days to complete the request.
If a Practice finds that the request is unfounded or excessive, they can deny the request for information (and state in clear terms to the requestor why they consider it to be so) or charge a fee for the information. The person requesting information should be advised of any relevant fees as soon as possible after the Practice has received the request, and this should be paid before the information is processed.
The fee must be based on the administrative cost of providing the information only. The practice will need to be prepared to justify their reason for deeming the request 'manifestly unfounded or excessive'.
Which clinician should be consulted for information?
It is the GP’s responsibility to consider an access request and to disclose the records if the correct procedure has been followed. Before the practice discloses or provides copies of medical records the patient’s GP must have been consulted and he / she checked the records and authorised the release, or part-release.
The Data Protection (Subject Access Modification) (Health) Order 2000 specifies the appropriate health professional to deal with access matters should be:
· The clinician who is currently, or was most recently, responsible for the clinical care of the individual in connection with the information which is the subject of the request; or
· Where there is more than one such clinician, the one who is the most suitable to advice on the information which is the subject of the request.
Third Party Requests for Access to Personal Data
Many external organisations may request information on patients and have a right to request certain information for selected reasons;
- law enforcement
- crime prevention
- fraud and taxation
Certain organisations will have a right to request information from practices under the provisions of General Data Protection Regulation (EU) 2016/679 and Data Protection Act 2018. These requests should be dealt with on an individual basis and take into account the public interest against the confidentiality rights of the subject.
Under the Data Protection Act, individuals are entitled to make a SAR via a third party, such as solicitors who are acting in civil litigation cases for patients. These parties should obtain consent from the patient using the form in that has been agreed with the BMA and the Law Society in the document below:
Consent form (England & Wales)
(copy and paste the below URL into your internet browser bar)
The ICO Code of Practice states that ‘In these cases, you need to be satisfied that the third party making the request is entitled to act on behalf of the individual, but it is the third party’s responsibility to provide evidence of this entitlement. This might be a written authority to make the request or it might be a more general power of attorney’.
Any request from one of these types of organisations should include an authorisation from an appropriately senior enforcement officer (e.g. an Inspector of Police or equivalent rank in other services) and should be accompanied by sufficient information to enable the practice to make an informed decision that takes into account the principles under the Caldicott guidance for patient data as well as the Data Protection Act 2018. To state that the information is required for “serious crime” will not be sufficient and more detail will be required before sharing any information.
Requests for Insurance Purposes
Insurance companies may contact the practice to request a patient’s full medical records through the use of Subject Access Requests (SAR) under the Data Protection Act 2018. On the advice of ICO, the BMA advises that upon receiving a SAR from an insurance company, practices should get in contact with the patient to explain the implications of such a request and the extent of the disclosure. The ICO also makes it clear that GPs should provide the SAR information directly to the patient themselves, rather than sending it to the insurance company.
The ICO’s Subject Access Code of Practice states that ‘If you think an individual may not understand what information would be disclosed to a third party who has made a SAR on their behalf, you may send the response directly to the individual rather than to the third party. The individual may then choose to share the information with the third party after having had a chance to review it.’
It is expected that insurance companies will stop requesting SARs and instead revert to requesting medical reports. Practices are able to apply a fee for completion of these reports, in line with the work associated, and should seek to agree the fee with the requestor in advance of completion.
Requests made by the police
In all cases the practice can release confidential information if the patient has given his/her consent (preferably in writing) and understands the consequences of making that decision. There is, however, no legal obligation to disclose information to the police unless there is a court order or this is required under statute (e.g. Road Traffic Act).
The practice does, however, have a power under the DPA and Crime Disorder Act to release confidential health records without consent for the purposes of the prevention or detection of crime or the apprehension or prosecution of offenders. The release of the information must be necessary for the administration of justice and is only lawful if this is necessary:
· to protect the patient or another person’s vital interests, or
· for the purposes of the prevention or detection of any unlawful act where seeking consent would prejudice those purposes and disclosure is in the substantial public interest (e.g. where the seriousness of the crime means there is a pressing social need for disclosure).
Only information which is strictly relevant to a specific police investigation, should be considered for release and only then if the police investigation would be seriously prejudiced or delayed without it. The police should be asked to provide written reasons why this information is relevant and essential for them to conclude their investigations.
Denial or Limitation of Information
The data controller may deny or limit the scope of information given where it may fall under any of the following:
· The information released may cause serious harm to the physical or mental health or condition of the individual or any other person, or
· The disclosure would also reveal information relating to or provided by a third person who has not consented to that disclosure unless:
Ø The third party is a clinician who has compiled or contributed to the health records or who has been involved in the care of the individual;
Ø The third party, who is not a clinician, gives their consent to the disclosure of that information;
Ø It is reasonable to disclose the information without that third party’s consent.
A reason for denial of information does not have to be given to the individual, but must be recorded.
Former NHS Patients Living Outside the UK
Patients no longer resident in the UK still have the same rights to access their information as those who still reside here, and must make their request for information in the same manner.
Original health records should not be given to an individual to take abroad with them, however, the Practice may be prepared to provide a summary of the treatment given whilst resident in the UK.
Parental Requests for Information pertaining to their Children
Children over the age of 13 are generally considered to have the capacity to give or withhold consent to release medical records, but those under 16 should demonstrate that they have the capacity to make these decisions.
Individuals with parental responsibility for an under 18 year old will have a right to request access to those medical records. Access may be granted if access is not contrary to the wishes of the competent child. Not all parents have parental responsibility - a person with parental responsibility is defined as either:
- the birth mother, or
- the birth father (if married to the mother at the time of child’s birth or subsequently) if both are on the birth certificate, or,
- an individual given parental responsibility by a court.
It is important to be aware that children under 16 who have capacity and understanding for decision-making should also have their confidence respected.
Access Requests from Minors
A child may make a Subject Access Request to view their own personal data that is recorded by the practice, as from the age of 13 they are normally considered competent enough to do so.
Those with parental responsibility for a child under 13 years may make an access request on their behalf but the information holder must consider whether it is in the best interests of the child to disclose information held.
ST STEPHENS HOUSE SURGERY has procedures in place to enable complaints about access to health records requests to be addressed.
The following channels are used to field any complaints regarding the access of health records at the Practice:
· Firstly, the clinician involved should arrange to have an informal meeting with the individual to try to resolve the complaint locally;
· If the issue remains unresolved, the patient should be informed that they have a right to make a complaint through the NHS complaints procedure (further information is available at: http://www.nhs.uk/NHSEngland/thenhs/records/healthrecords/Pages/what_to_do.aspx
Sometimes the patient may not wish to make a complaint through the NHS Complaints Procedure and instead, take their complaint direct to the Information Commissioner’s Office (ICO) if they believe the Practice is not complying with their request in accordance with the Data Protection Act.
Alternatively, the patient may wish to seek legal independent advice.
Online Access to Medical Records
By March 31, 2016, it will be a contractual obligation to allow patients to gain online access to coded information held in their medical records, including data on medication, allergies, illnesses, immunisations and test results. As of April 2014, practices have been obliged to offer patients the opportunity to view online information equating to a Summary Care Record (SCR).
Patients will need to register online with the practice to be able to gain access to this information. The following checks must be undertaken to ascertain the patient’s identity before they are able to access records:
- Checking photo ID and proof of address, for example, a passport or driving licence and a bank statement or council tax statement.
- If the patient has no ID but is well known to the surgery, a member of staff may be able to confirm their identity.
- If the patient has no ID and is not well known to the surgery, the ability to answer questions about the information in their GP record may confirm that the record is theirs.
GP software will be configured to offer all coded data by default, but GPs will be provided with the tools to withhold coded information where they judge it to be in the patient's interests or where reference is made to a third party.
It is permissible for the practice to offer patients online access to their comprehensive medical records. However, in some circumstances a GP may believe it is not in the best interests of the patient to share all information in the record, e.g. where it could cause harm to the patient’s physical or mental health, or in cases where it contains information about a third party.
The practice is only expected to meet the above requirements for patient online access to their record when they have been provided with the GPSoC-approved and funded IT systems. Where systems are not yet available, the practice will publish a statement of intent to provide this facility.
Making services such as access to medical records available online carries with it the risk of users being subject to coercion. Patients may be vulnerable to being forced into sharing confidential information from their records against their will. Where this is believed to be a possibility, online access to medical records can be denied. This action should be discussed privately with the patient before a final decision over whether to deny access is taken.
As part of their request to access their medical records online or allow proxy access to a third party, the person submitting the request should provide a statement confirming that they have not been coerced into doing so.
Proxy Access refers to allowing a third party to gain access to online services on another patient’s behalf and is the recommended alternative to sharing login details.
A patient’s family members or carers can only be granted access to a patient’s medical records online in circumstances where the patient has consented to this, or if the patient lacks capacity AND the applicant can provide evidence that they have been granted the power to manage the patient’s affairs. Patients will be advised about the risks associated with agreeing to this as part of their access application.
A person with parental responsibility for a child aged under 12 normally has automatic rights to access a child’s records - although not all parents have parental responsibility. Proxy access for people with parental responsibility to a child’s record is a practice-level decision.
A patient can give written authorisation for a person (for example a solicitor or relative) to make an application on their behalf. The practice may withhold access if it is of the view that the patient authorising the access has not understood the meaning of the authorisation.
You may be ordered by a court of law to disclose all or part of the health record if it is relevant to a court case (for example by a Guardian ad litem). A person appointed by the court to manage the affairs of a patient who is incapable of managing his or her own affairs may make an application. Access may be denied where the GP is of the opinion that the patient underwent relevant examinations or investigations in the expectation that the information would not be disclosed to the applicant.
Children and Family Court Advisory and Support Service (CAFCASS)
Where CAFCASS has been appointed to write a report to advise a judge in relation to child welfare issues, [insert practice name] would attempt to comply by providing factual information as requested.
Before records are disclosed, the patient or parent(s) consent (as set out above) should be obtained. If this is not possible, and in the absence of a court order, the practice will need to balance its duty of confidentiality against the need for disclosure without consent where this is necessary:
- to protect the vital interests of the patient or others, or
- to prevent or detect any unlawful act where disclosure is in the substantial public interest (e.g. serious crime), and
- because seeking consent would prejudice those purposes.
The relevant health professional should provide factual information and their response should be forwarded to a member of the Child Protection Team, who will approve the report.
Amendments to or Deletions from Records
GDPR gives individuals stronger rights to control their data, including the right to erasure, the right to rectification, the right to object to processing and the right to restrict processing. The practice will deal with each such request on its individual merits.
If a patient feels information recorded on their health record is incorrect then they should firstly make an informal approach to the health professional concerned to discuss the situation in an attempt to have the records amended. If this avenue is unsuccessful then they may pursue a complaint under the NHS Complaints procedure in an attempt to have the information corrected or erased. The patient has a right under the DPA to request that personal information contained within the medical records is rectified, blocked, erased or destroyed if this has been inaccurately recorded.
He or she may apply to the Information Commissioner but they could also apply for rectification through the courts. The GP practice, as the data controller, should take reasonable steps to ensure that the notes are accurate and if the patient believes these to be inaccurate, that this is noted in the records. Each situation will be decided upon the facts and the practice will not be taken to have contravened the DPA if those reasonable steps were taken. In the normal course of events, however, it is most likely that these issues will be resolved amicably.
Further information can be obtained from the Information Commissioner at Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, telephone number 0303 123 1113 or 01625 545745.