- Educational products
- Case reports
- Casebook
- Factsheets
- Mental Capacity Act 2005 factsheets
- Confidentiality factsheets
- Consent factsheets
- GMC Fitness to Practise Procedures - change to civil standard of proof
- Access to health records
- Medical records
- Removing patients from the practice list
- Parental responsibility
- Reporting deaths to the coroner
- Removal of medical equipment after death
- NHS complaints procedure - Local Resolution
- NHS complaints procedure - Independent review and the Health Service Ombudsman
- Safe prescribing
- Report writing
- Giving evidence in court
- Booklets
- Courses and events
- GP Registrar
- Latest news
- New Doctor
- Your Practice
- A guide to MPS membership
- MPS Risk Consulting
- Request a speaker
- Podcast
Access to health records
Summary
Providing access to medical records is essentially a confidentiality issue; therefore, the starting point is whether or not the patient has consented to disclosure. If not, access should be denied, unless there is some other clear justification for allowing access.
Disclosure with consent
Before allowing access to anyone other than the patient or colleagues involved in the patient’s care, generally speaking, you will need to confirm that the person making the request has the patient’s consent. You need to be clear about exactly what part of the record the consent applies to.
Disclosure without consent
Occasionally, there will be circumstances where you have to disclose a patient’s records without their consent (and, rarely, in face of the patient’s clear objection to disclosure). There are three possible justifications for this:
- Disclosure would be in the best interests of a minor or a mentally incapacitated adult. Examples of this might be where you suspect that the patient is being abused and must inform social services,
- You believe that it is in the wider public interest, or that it is necessary to protect the patient or someone else from the risk of death or serious harm. Examples of this might be to inform the DVLA if someone may be unfit to drive, or to assist the police in preventing or solving a serious crime, or informing the police if you have good reason to believe that a patient is a threat to others,
- Disclosure is required by law – for example, in accordance with a statutory obligation, or to comply with a court order or a disclosure notice from the NHS Counter-Fraud Service.
In any of these cases, you should only provide the minimum amount of information necessary to serve the purpose, and you should carefully document your reasons for making the disclosure.
Access to a child or young person's medical records
If the child or young person is Gillick-competent you will need his/her consent before disclosing his/her records, even to someone with parental responsibility. In Scotland anyone aged over 12 is legally presumed to have capacity. If a child or young person is not Gillick-competent you should allow the parents access to the child’s medical records, provided that it is in the child’s best interest.
Fathers with parental responsibility have a right to access a child’s medical records, but you may consider that it would be in the child’s best interests to allow a father access to the notes, even if he does not have parental responsibility. If the child’s parents are divorced or separated parental responsibility is not affected. You may, however, wish to inform the other parent of the application for access to records, so that they can seek their own advice. The fact that someone is a healthcare professional does not in itself entitle him/her to access any patient’s medical records. Doctors, nurses, physiotherapists, midwives, etc, have a professional ethical duty to respect patients’ confidentiality and should only access records if they are involved in the patient’s care.
Access to the medical records of an incapacitated patient
Healthcare professionals can disclose information from the records of an incapacitated patient, either when it is in the patient’s best interests, or where there is some other lawful reason to do so. Disclosure would usually be related to the ongoing care of the patient. Information should not be disclosed, if it is judged that doing so would cause serious mental or physical harm to the patient or anyone else.
An attorney (who is a person nominated by the patient) for the patient, acting either under a valid Lasting Power of Attorney (LPA) or Enduring Power of Attorney (EPA), can ask to see information about the person they are representing, provided that it is relevant to the decisions the attorney has a legal right to make. Before disclosing any information, the holder of the information should make sure that the attorney has the official authority.
The NHS Code of Practice on Confidentiality sets out examples of when disclosure would be in the public interest, including what to do in situations when it may not be in the patient’s best interests. There is an increasing requirement for non-clinical staff to access patients’ records for administrative purposes, and this raises serious concerns about preserving patient confidentiality. It is essential that all such staff be given training on confidentiality and record-security issues and that a confidentiality clause be included in their contracts. Their access to patient information should, as far as is possible, be restricted only to what they need in order to carry out their specific duties.
Access to a patient’s records after death
The duty of confidentiality remains after a patient has died. Under the Access to Health Records Act 1990, the personal representative of the deceased and people who may have a claim arising from the patient’s death are permitted access to the records. This applies to information provided after November 1991 and disclosure should be limited to that which is relevant to the claim in question.
The records should not be disclosed if it is thought that they may cause mental or physical harm to anyone, if they identify a third party or if the deceased gave the information on the understanding that it would remain private.
Sharing information with other health professionals
Doctors, nurses, physiotherapists, midwives etc, have a professional ethical duty to respect patients’ confidentiality and should only access records if they are involved in the patient’s care.
It is assumed that patients consent to their personal information being shared among the clinical team for the purposes of their care. They should be made aware that this is the case and told that they have the right to withhold consent. Sometimes, patients may ask for certain – usually extremely sensitive – information to be kept private and you should respect this. However in certain circumstances this information may need to be released if failure to disclose would place others at risk of death or serious harm. A patient’s HIV, or similar status should not be disclosed without the patient’s consent, as this does not normally fall within the ‘risk of death or serious harm’ exception.
Administrative staff
Non-clinical staff are increasingly required to access patients’ records for administrative purposes, and this raises serious concerns about preserving patient confidentiality. It is essential that all such staff be given training on confidentiality and record-security and that a confidentiality clause is included in their contracts. Their access to patient information should be restricted to what they need for carrying out their specific duties.