Patients have a right to request access to their own medical records and can also provide consent for disclosure to third parties. You have a duty to protect the confidential data of your patients under the Data Protection Act (1998) and civil monetary penalties can be imposed for serious contraventions of the act.
Disclosure with consent
Before allowing access to anyone other than the patient or colleagues involved in the patient’s care, generally speaking, you will need to confirm that the person making the request has the patient’s consent. You need to be clear about exactly what part of the record the consent applies to.
Disclosure without consent
Occasionally, there will be circumstances where you have to disclose a patient’s records without their consent (and, rarely, in the face of the patient’s clear objection to disclosure). There are three possible justifications for this:
- If you believe that a patient may be a victim of neglect or abuse, and that they lack capacity to consent to disclosure, you must give information promptly to an appropriate person or authority, if you believe disclosure is in the patient’s best interests.
- You believe that it is in the wider public interest, or that it is necessary to protect the patient or someone else from the risk of death or serious harm. Examples of this might be to inform the DVLA if someone may be unfit to drive, or to assist the police in preventing or solving a serious crime, or informing the police if you have good reason to believe that a patient is a threat to others. You should follow GMC guidance (Confidentiality) on disclosure within the wider public interest.
- Disclosure is required by law – for example, in accordance with a statutory obligation, or to comply with a court order or a disclosure notice from the NHS Counter-Fraud Service.
In any of these cases, you should only provide the minimum amount of information necessary to serve the purpose, and you should carefully document your reasons for making the disclosure.
Access to a child or young person's medical records
The Information Commissioner’s Office states that parents can make subject access requests on behalf of their children who are too young to make their own request. A young person aged 12 or above is generally considered mature enough to understand what a subject access request is, however, each case must be judged on its own merits.
They can make their own request and would need to provide their consent to allow their parents to make the request for them. You must use your judgment to decide whether a young person aged 12 or above is mature enough to make their own request as they do not always have the maturity to do so. Any parental access to a child’s records must be in the child’s best interests.
Fathers with parental responsibility may exercise a child’s right to make a subject access request, as outlined above. In some cases you might also consider that it would be in the child’s best interests to allow the father access to the notes even if he does not have parental responsibility. If the child’s parents are divorced or separated, parental responsibility is not affected.
However, if this is the case, although there is no absolute obligation to do so, you may wish to consider informing the other parent that an application for access has been made, so that they can seek their own advice.
Access to the medical records of an incapacitated patient
Healthcare professionals can disclose information from the records of an incapacitated patient (following the Mental Capacity Act 2005), either when it is in the patient’s best interests, or where there is some other lawful reason to do so. Disclosure would usually be related to the ongoing care of the patient. Information should not be disclosed, if it is judged that doing so would cause serious mental or physical harm to the patient or anyone else.
An attorney (who is a person nominated by the patient) for the patient, acting as a Lasting Power of Attorney (LPA), can ask to see information about the person they are representing, provided that it is relevant to the decisions the attorney has a legal right to make. Before disclosing any information, the holder of the information should make sure that the attorney has the official authority.
Online medical records
Since 1 April 2015 all GP practices in England have to provide online services to patients, including access to summary medical records. Issues of confidentiality will arise in relation to children (under 16) and incapacitated patients. The principles explained above should be followed when considering requests for ‘proxy’ access.
Access to a patient’s records after death
The duty of confidentiality remains after a patient has died. Under the Access to Health Records Act 1990, the personal representative of the deceased and people who may have a claim arising from the patient’s death are permitted access to the records. This applies to information provided after November 1991 and disclosure should be limited to that which is relevant to the claim in question. This should be considered in conjunction with GMC guidance Confidentiality (paragraphs 70-72).
The records should not be disclosed if it is thought that they may cause mental or physical harm to anyone, if they identify a third party or if the deceased gave the information on the understanding that it would remain private.
Sharing information with other health professionals
Doctors, nurses, physiotherapists, midwives etc, have a professional and ethical duty to respect patients’ confidentiality and should only access records if they are involved in the patient’s care. This is on a ‘need-to-know’ basis.
Whilst it is assumed that patients generally consent to their personal information being shared among the clinical team for the purposes of their care, they should be made aware that this is the case and told that they have the right to withhold consent. Sometimes, patients may ask for certain – usually extremely sensitive – information to be kept private and you should respect this. However, in certain circumstances this information may need to be released if failure to disclose would place others at risk of death or serious harm.
A patient’s HIV, or similar, status should not be disclosed without the patient’s consent, as this does not normally fall within the “risk of death or serious harm” exception. For more information see the GMC’s Confidentiality – Supplementary guidance: Disclosing information about serious communicable diseases.
Non-clinical staff are increasingly required to access patients’ records for administrative purposes, and this raises serious concerns about preserving patient confidentiality. It is essential that all such staff be given training on confidentiality and record-security and that a confidentiality clause is included in their contracts. Their access to patient information should be restricted to what they need for carrying out their specific duties.