The General Data Protection Regulation (“GDPR”) came into force in 2018. All applications for access to medical records of living persons are now made under the GDPR.
For deceased persons, applications are made under sections of the 1990 Access to Health Records Act. These sections provide the right of access to the health records of deceased individuals for their personal representative and others having a claim under the estate of the deceased.
A patient has the right to apply for access to their health records. This is called a Subject Access Request (“SAR”). A SAR can mean viewing or having a copy of the record. Provided an appropriate SAR is made, the Practice is obliged to comply with the SAR, subject to certain exceptions (see below), within 30 days. However, the Practice also has a duty to maintain the confidentiality of patient information and to satisfy itself that the applicant is entitled to have access before releasing information.
We cannot charge for a SAR. We can charge for multiple requests for the same information where these are deemed to be onerous. Remember a SAR relates to the subject. If two parties make a SAR for the same record then we can charge for the second of these.
Applications for the health records of a living person
An application for access to health records may be made in any of the circumstances explained below.
The patient:
- Requests may be made by letter, email, telephone or in person.
Children aged 16 years or over:
- Provided the child is mentally competent then they are entitled to request or refuse access to their records in the same way as an adult.
Children Under 16 Years:
- Individuals with parental responsibility for someone under 16 years of age will have the right to request access to those medical records.
- A person with parental responsibility is either:
  - The birth mother, or
  - The birth father (if married to the mother at the time of the child’s birth or subsequently), or
  - An individual given parental responsibility by a court.
(This is not an exhaustive list but contains the most common circumstances).
If the appropriate health professional considers that a child patient is Gillick competent (i.e. has sufficient maturity and understanding to make decisions about disclosure of their records) then the child should be asked for his or her consent before disclosure is given to someone with parental responsibility.
If the child is not Gillick competent and there is more than one person with parental responsibility, each may independently exercise their right of access. Technically, if a child lives with, for example, its mother and the father applies for access to the child’s records, there is no “obligation” to inform the mother. In practical terms, however, this may not be possible and both parents should be made aware of access requests unless there is a good reason not to do so.
In all circumstances good practice dictates that a Gillick competent child should be encouraged to involve parents or other legal guardians in any treatment/disclosure decisions.
Patient Representatives:
- A patient can give written authorisation for a person (for example a solicitor or relative) to make an application on their behalf. The Practice may withhold access if it is of the view that the patient authorising the access has not understood the meaning of the authorisation. In this situation the Practice will check with the patient. Where a solicitor or other representative is making the request, ensure that you have patient signed consent and sufficient information to clearly identify the patient. Where a solicitor has asked for a patient’s entire medical record Farnham Road Practice will contact the patient to confirm that this is the patient’s wish.
Court Representatives:
- A person appointed by the court to manage the affairs of a patient who is incapable of managing his or her own affairs may make an application. Access may be denied where the GP is of the opinion that the patient underwent relevant examinations or investigations in the expectation that the information would not be disclosed to the applicant.
Children and Family Court Advisory and Support Service (CAFCASS):
- Where CAFCASS has been appointed to write a report to advise a judge in relation to child welfare issues, Farnham Road Practice will attempt to comply by providing factual information as requested. Before records are disclosed, the patient’s or parent’s consent (as set out above) should be obtained. If this is not possible, and in the absence of a court order, the Practice will need to balance its duty of confidentiality against the need for disclosure without consent where this is necessary:
  - To protect the vital interests of the patient or others, or
  - To prevent or detect any unlawful act where disclosure is in the substantial public interest (e.g. serious crime), and
  - Because seeking consent would prejudice those purposes.
The relevant health professional should provide factual information and their response should be forwarded to the Child Protection Team who will approve the report.
Amendments to or Deletions from Records:
- If a patient feels information recorded on their health record is incorrect then they should firstly make an informal approach to the health professional concerned to discuss the situation in an attempt to have the records amended. If this is unsuccessful then they may pursue a complaint under the NHS Complaints procedure in an attempt to have the information corrected or erased. The patient has the ‘right’ under the DPA to request that the personal information contained within the medical records is rectified, blocked, erased or destroyed if this is inaccurately recorded. Medical information should not be deleted. If information is factually incorrect, or has changed, then the new information should be added and a note included explaining that this supersedes the original information.
Application for Access to a Deceased Patient’s Medical Records
- Where a patient has died, the patient’s personal representative or any person who may have a claim arising out of the patient’s death may make an application.
The personal representative (Executor) does not need to provide any explanation for a request and may request a copy of the entire medical record.
A person who has a claim arising out of a patient’s death needs to explain the nature of the claim and specify the medical information required. Access shall not be given to any part of the record which, in the GP’s opinion, would disclose information which is not relevant to the claim. The timeline for a response commences when the GP is satisfied that the information supplied by the claimant is sufficient.
Grounds for refusing disclosure to health records
The GP should refuse to disclose all or part of the health record if they are of the view that:
- Disclosure would be likely to cause serious harm to the physical or mental health of the patient or any other person;
- The records refer to another individual who can be identified from that information (apart from a health professional). This is unless that other individual’s consent is obtained or the records can be anonymised or it is reasonable in all circumstances to comply with the request without that individual’s consent, taking into account any duty of confidentiality owed to the third party; or if
- The request is being made for a child’s records by someone with parental responsibility or for an incapacitated person’s record by someone with power to manage their affairs, and the:
  - Information was given by the patient in the expectation that it would not be disclosed to the person making the request, or
  - The patient has expressly indicated it should not be disclosed to that person
Informing of the decision not to disclose
If a decision is taken that the record should not be disclosed, a letter must be sent by recorded delivery to the patient or their representative stating that disclosure would be likely to cause serious harm to the physical or mental health of the patient, or to any other person. The general position is that the practice should inform the patient if records are to be withheld on the above basis.
If, however, the appropriate health professional thinks that telling the patient:
- Will effectively amount to divulging that information, or
- Is likely to cause serious physical or mental harm to the patient or another individual

then the GP can decide not to inform the patient, in which case an explanatory note should be made in the file.
Although there is no right of appeal to such a decision, it is the Practice’s policy to give the patient the opportunity to have their case investigated by invoking the complaints procedure.
The patient must be informed in writing that help will be offered to them if they wish to do this. In addition, the patient may complain to the Information Commissioner for an independent ruling on whether non-disclosure is proper.
Disclosure of a Deceased Patient’s Medical Records
The same procedure used for disclosing a living patient’s records should be followed when there is a request for access to a deceased patient’s records. Access should not be given if:
- The appropriate health professional is of the view that this information is likely to cause serious harm to the physical or mental health of any individual; or
- The records contain information relating to or provided by an individual (other than the patient or a health professional) who could be identified from that information (unless that individual has consented or can be anonymised); or
- The record contains a note made at the request of the patient before his/her death that she/he does not wish access to be given on application. (If while still alive, the patient asks for information about his/her right to restrict access after death, this should be provided together with an opportunity to express this wish in the notes);
- The holder is of the opinion that the deceased person gave information or underwent investigations with the expectation that the information would not be disclosed to the applicant.
- The practice considers that any part of the record is not relevant to any claim arising from the death of the patient.
Practices should treat all requests as potential claims for negligence. Farnham Road Practice will keep a central record of all requests to ensure that requests are cross-referenced with any complaints or incidents and that the deadlines for the response are monitored and adhered to.
Before the Practice discloses or provides copies of medical records, the patient’s doctor must have been consulted and he or she must check the records and authorise the release, or part-release.
Disclosure of the record
Once the appropriate documentation has been received and disclosure approved, the copy of the health record may be sent to the patient or their representative in a sealed envelope by recorded delivery. The record should be sent to a named individual, marked confidential, for addressee only and the sender’s name should be written on the reverse of the envelope. Originals should not be sent.
Confidential information should not be sent by fax and only by e-mail if an encrypted service is available. A written consent from the patient to have the information transmitted by email must be obtained. A note should be made in the file of what has been disclosed to whom and on what grounds.
Charges and Timescales
Copies of records should be supplied within 21 days of receiving a valid and complete access request. Where further information is required by the practice to enable it to identify the record or validate the request, this must be requested within 14 days of receipt of the application and the timescale for responding begins on receipt of the full information.
PST will provide information on charges for patients to access their medical records.
Patients Living Abroad
Former patients living outside of the UK have the same rights to apply for access to their UK health records. (The same process applies.)
Requests made by telephone
No patient information may be disclosed to members of the public by telephone. If staff need to provide information to other health providers the person requesting the information must be called back and the identity of the person requesting the information must be confirmed.
Requests made by the police
In all cases the practice can release confidential information if the patient has given his/her consent and understands the consequences of making that decision. There is, however, no legal obligation to disclose information to the police unless there is a court order or this is required under statute, or there is a risk to the patient or other members of the public that is deemed sufficient to breach confidentiality.