Ask the expert: online patient records

What should practices expect?

NHS Digital summarises the situation as follows:

“Patients with online accounts such as through the NHS App will be able to read new entries in their health record. This applies to patients whose practices use the TPP and EMIS systems. Arrangements with practices which use Vision as the clinical system are under discussion.”

Changes therefore currently only apply to new entries in the record and to practices using either TPP or EMIS. If your practice uses Vision, you will need to await further announcements. It is important for practices to check the type and functionality of their system – if in doubt, discuss any concerns with your IT system provider.

NHS Digital also plans to enable patients to request their historic coded records in 2022 through the NHS App but no precise date for this is yet available.

What should practices consider and what preparations can they make?

• GPs will need to consider the impact of each entry, including documents and test results, as they add them to a patient’s record. Patients will not see personal information – such as positive test results – until they have been checked and filed, giving GPs the chance to contact and speak to patients first. Consideration should be given, where possible, to explaining any abbreviations, and diagnoses and treatments, more fully – which may facilitate understanding and help take pressure off practices.
• It will be the practices’ responsibility to redact sensitive and third party information.
• If sensitive/third party information cannot be redacted, it should not be shared with the patient – if you cannot redact do not share.
• Practices should draw up a record keeping policy detailing how to record and redact new entries of potentially harmful and confidential third-party data, even if patients do not currently have online record access. Roles and responsibilities should be made clear within the policy.

• Patients should be able to contact practices if clarification of any aspect of their record is required or to report factual inaccuracies. Patients must not be able to alter the content of their medical record. Any potential corrections should be checked by a GP and any amendments made promptly and documented clearly (usually there will also be a digital audit trail). If a patient disagrees with an entry in their record that is considered to be accurate by the GP, a note can be added to state that the patient disagrees with what is recorded. Patients should be made aware that if they encounter information they do not understand or find troubling, they can discuss this with a GP.

• Patients may wish to grant access to their online record to a family member, friend or carer (proxy access). This is best done via separate personal login details, if the practice’s clinical system has this facility. If a request is made on behalf of the patient by a third party, evidence of authority to act for the patient must be provided. This authority could be the patient's written consent or legal authority (such as a certificate of Lasting Power of Attorney), if the patient does not have capacity to consent. Patient consent to proxy access must be recorded and they must be warned of the risks. Patients should also be reminded of their responsibility to protect their own login details and keep this information secure.
• Practices should be alive to and discuss the possibility of abuse of proxy online access including coercion with patients, and ensure that they understand and accept the risks. Considerations should be included in the online services registration form for patients. It is not necessarily easy to know if a patient is being coerced but if there is any concern, patients should not be registered for online services or access should be limited to transactional services until concern has been allayed. Any decision to restrict access should be assessed by the doctor responsible for the patient’s care and discussed with the patient.
• There is a duty to inform the patient of restrictions. The Royal College of General Practitioners (RCGP) offers helpful guidance on the issue of coercion.¹
• If someone with parental responsibility requests access to a child’s records, the child's consent should be sought and/or the child’s best interests considered. Those with parental responsibility should be kept under regular review. The RCGP recommends that full access for those with parental responsibility be switched off automatically when a child reaches the age of 11 but that this be communicated beforehand and discussed appropriately with those concerned. The RCGP provides detailed guidance on online patient access for children and young people as a pdf document in its Online Patient Access Toolkit (under the section Registering new applicants for Patient Online).
• Practices should keep a register of patients with online access, and whether access has been limited for any reason. Once online access has been granted, it should only be withdrawn for good reason. If access is withdrawn, this should be documented.
• Patient identity must be verified in all new requests for online access. The RCGP also offers comprehensive guidance to identity verification.

What guidance is there on redaction?

NHS England and the BMA General Practitioners Committee (GPC) has put together guidance in anticipation of fuller online patient access.² On the question of sensitive and third-party information, the guidance states:

“Patient access to any element of their record is subject to appropriate safeguards. These are designed to ensure that access to records

• does not cause harm to the patient

• that legal confidentiality obligations for the non-disclosure of third-party information are adhered to

Sensitive information
If based on clinical judgement, it is considered that some information could be harmful to the patient, this information should not be shared with them. This information can be redacted from the patient view and must not be deleted from the record. If system functionality to redact information is not available, the record should not be shared with the patient.

 Third party information
Legal confidentiality requirements require that where the information is not already known to the patient, any information contained must be redacted, but not deleted from the record. If system functionality to redact information is not available, the record should not be shared with the patient.”

The RCGP also gives the following guidance:

“All GP systems have a method of preventing data being visible to patients with online record access. This is generally known as data redaction. Before record access is switched on all the data (detailed coded or full record access) that the patient will see should be checked for sensitive data that needs to be redacted. It is helpful to establish a practice record keeping policy about recording and redacting new entries of potentially harmful and confidential third-party data even if they do not currently have online record access."

What about training?

Practice staff should receive appropriate training. Key aspects will include:

• Redaction of sensitive and third-party data
• Accuracy
• Making each entry readily understandable to the patient, such as explanations, abbreviations and acronyms
• Keeping data secure and communicating this to patients
• Potential abuse of online access and coercion.

NHS England is offering guidance and training to practices via some online events. You can find more details and register via events.england.nhs.uk/getting-ready-for-all-patients-to-have-access-to-their-future-data.

NHS England is also providing support to GP practices through a network of locally based implementation leads and digital clinical champions. Practices are invited to email [email protected] for details of who to contact in the area.

The appointment of a practice champion or super-user for online patient services is recommended to troubleshoot and assist patients registering for online services.

What information can we provide to patients?

Existing online information for patients about online patient access can be viewed here and may be subject to further updates. There are also explanatory patient leaflets, which can be viewed on the NHS Choices website. These leaflets can be downloaded by practices or ordered free from the NHS order line. You can find details and how to do this at GP online services and GP online services support and resources guide.

Is there an official summary of the rollout and necessary actions?

NHS Digital provides an overview of the planned rollout and necessary actions at Access to patient records through the NHS App.