Membership information 0800 225 677
Medicolegal advice 0800 982 766

On the record

Professor Selma Smith provides practical tips to help ensure you record what is necessary and helpful in patient notes – and that you store records safely

What makes a comprehensive medical record? A good place to start is the HPCSA’s Guidelines on the Keeping of Patient Records (Booklet 14).

Recording an “assessment of the patient’s condition” might seem straightforward. Yet often, when patient records are examined in response to a clinical negligence claim, this detail is interpreted in many different ways. Interpretations vary from detailed notes on history, examination and diagnosis, to just the noting of a diagnosis, eg, “tension headache”.

The latter version is not of much help if a doctor needs to defend him/herself against a complaint of negligence for missing a slow growing meningioma. On the one hand is the need to write concise notes to save time, whilst on the other hand, doctors need to be able to justify their clinical actions and diagnoses, which necessitates more elaborate note keeping.

When defending doctors against negligence claims, it is very valuable if notes reflect findings that influenced diagnostic and management decisions. These findings do not have to be described in detail. A comment of “no meningial irritation/ no ↑ cranial pressure” in the notes of a patient with headache is helpful in illustrating that due consideration was given to so called “red flag” conditions at the time of consultation.

Problems can also arise with information that is noted, but gets “lost” within the patient file

If patients were given information on their condition, or possible danger signs, a note “advised on condition” is very helpful in defending against the complaint of a patient that s/he was not informed. The use of written leaflets is even more valuable.

Problems can also arise with information that is noted, but gets “lost” within the patient file. An example of this is the note of “blood tests taken”, which can easily be overlooked. Although all practices should have a system by which new results are evaluated as they are received this is not always fail proof.

A useful tip, as a backup, is to write all special investigations requested in a contrasting colour ink such as red ink, or to use highlighters. This is very easily seen when paging through a file before a consultation. The doctor can then ensure that tests are appropriately reacted on during the consultation.

Correcting an error as described by the above guidelines is specific to paper records: an error or incorrect entry discovered in the record may be corrected by placing a line through it with ink and correcting it. The date of change must be entered and the correction must be signed in full. The original record must remain intact and fully legible. Additional entries added at a later date must be dated and signed in full. The reason for an amendment or error should also be specified on the record.

When considering electronic patient records, the HPCSA instructions on retention of records on CD-ROM gives some indication of principles to follow: electronic records need to be captured in a format that permits once only writing, so that old information cannot be overwritten, but new information can be added. Previous notes kept in the rooms must be in read-only format. A backup copy must be kept and stored in a physically different site in order that two discs/sources can be compared in the case of suspicion of tampering.

What not to write is as important as what to write

What not to write is as important as what to write. Disparaging comments indicating the doctor’s irritation or dislike of a patient must never be reflected in a patient’s notes. Remember, notes may be read in open court.

Medical records should include:

  • Personal (identifying) particulars
  • Bio-psychosocial history of the patient, including allergies and idiosyncrasies
  • Time, date and place of every consultation
  • Assessment of the patient’s condition
  • Proposed clinical management of the patient
  • Medication and dosage prescribed
  • Patient’s reaction to treatment or medication, including adverse effects
  • Test results
  • Imaging investigation results
  • Information on the times that the patient was booked off from work and the relevant reasons
  • Written proof of informed consent, where applicable.

Keeping patient records safe

Simply put, the storage and safekeeping of patient records is about access control and protecting data against loss or corruption. All systems that handle personal information are subjected to security and privacy issues.

The Protection of Personal Information Bill (POPI) – soon to be passed as an Act – endeavours to establish and formalise minimum requirements to be adhered to in the handling of personal information. POPI affects all private and public organisations that process personal information.

The Bill places an extra responsibility on doctors to monitor, preserve and self-report the flow of personal information in their practices to help protect patient privacy. Access control ensures confidentiality; one of the cornerstones on which the doctor–patient relationship is built.

A duty of confidentiality relates not only to sensitive health information, but to all information that is held about patients

Because the patient is assured that information disclosed during a consultation is confidential, intimate information about his/her life can be shared with his/her medical practitioner. The privilege to have access to such information comes with great responsibility to the practitioner, who has an ethical and legal duty to keep accurate records and to keep this information confidential as stated in the National Health Act (no 61 of 2003).

Such a duty of confidentiality relates not only to sensitive health information, but to all information that is held about patients. This information includes demographic detail and even the fact that the patient is registered as a patient of the practice. Electronic data needs virus protection. Electronic clinical records need to be encrypted and password protected to prevent unauthorised access.

All employees need to sign confidentiality agreements and must be trained in security awareness as part of the induction process, eg, access control also entails not letting patient records lie around, face up or open and not having computer monitors display information to all passing by. Access to electronic data must be gained by a personal password – do not share passwords. Local networks need to be protected by firewalls. Beware of unsecured memory sticks and mobile devices carrying patient information.

When sharing data electronically outside the local office network, data needs to be encrypted. Doctors need to look closely at the security practices of contractors and service providers, and contracts with contractors need to have data protection clauses.

Disclosing information

Doctors are only permitted to release information about their patients in certain circumstances:

  • With consent of the patient 
  • When disclosure is required by statute, for example the requirement to notify certain communicable diseases
  • At the instruction of a court 
  • When it is in the public interest, for instance when there is a risk of death or serious harm to a patient or others 
  • In the case of a deceased patient, with the written consent of the next of kin or the executor of the deceased’s estate. Whether or not consent was legally required, the patient/next of kin must be informed that information was released.

Storing patient records

The HPCSA requires patient information to be stored in a safe place for at least six years from the date it becomes dormant. Under some circumstances, such as the records of minors, mentally incompetent patients and in terms of the Occupational Health and Safety Act (Act No 85 of 1993) this period can be even longer.

Records must be kept physically secure: records need to be stored in rooms or cabinets that can be locked and preferably are fireproof. All data critical to running the practice has to be archived safely and backed up if electronic.

The HPCSA requires patient information to be stored in a safe place for at least six years from the date it becomes dormant

In summary

  • Notes should reflect findings that influenced diagnostic and management decisions.
  • Records must be protected against unauthorised access by passwords, firewalls and encryption.
  • Electronic clinical records need to be captured in a format that permits once only writing.
  • Contracts with employees and contractors must include confidentiality and data protection clauses.
  • Employees need to be trained to ensure security awareness.
  • All records need to be kept in a safe place – dormant records should be kept for six years or more.
Download a PDF of this edition