Providing access to medical records is essentially a confidentiality issue; therefore, the starting point is whether or not the patient has consented to disclosure. If not, access should be denied, unless there is some other clear justification for allowing access.
Disclosure with consent
Before allowing access to anyone other than the patient or colleagues involved in the patient’s care, generally speaking, you will need to confirm that the person making the request has the patient’s consent. You need to be clear about exactly what part of the record the consent applies to.
Disclosure without consent
Occasionally, there will be circumstances where you have to disclose a patient’s records without their consent (and, rarely, in face of the patient’s clear objection to disclosure). There are three possible justifications for this:
- Disclosure would be in the best interests of a minor or a mentally incapacitated adult. An example of this might be where you inform social services about the suspected abuse of a child or young person
- You believe that it is in the wider public interest, or that it is necessary to protect others from the risk of death or serious harm. Examples of this might be to inform the Driver and Vehicle Agency Licensing Northern Ireland (DVAN) if a patient continues to drive, against medical advice, when they may not be fit to do so; or informing the police if you have good reason to believe that a patient is a threat to others. In such cases, you should still seek the patient's consent, unless it is not practicable to do so (eg. you have reason to believe that seeking consent would put you or others at risk of serious harm)
- Disclosure is required by law – for example, in accordance with a statutory obligation, or to comply with a court order
- As a general rule, you should only provide the minimum amount of information necessary to serve the purpose. In addition you should carefully document your reasons for making the disclosure.
Access to a child or young person's medical records
The Information Commissioner’s Office states that parents can make subject access requests on behalf of their children who are too young to make their own request. A young person aged 12 or above is generally considered mature enough to understand what a subject access request is.
A young person with capacity has a right to make their own request and can allow or prevent access by a parent. You must use your judgement to decide whether a child or young person has capacity in this regard. Any parental access to a child’s records must be in the child’s best interests.
Fathers with parental responsibility may exercise a child’s right to make a subject access request, as outlined above. In some cases you might also consider that it would be in the child’s best interests to allow the father access to the notes even if he does not have parental responsibility. If the child’s parents are divorced or separated, parental responsibility is not affected.
However, if this is the case, although there is no absolute obligation to do so, you may wish to consider informing the other parent that an application for access has been made, so as to obtain a balanced view when considering the child's best interests.
Access to the medical records of an incapacitated patient
Healthcare professionals can disclose information from the records of an incapacitated patient, either when it is in the patient’s best interests, or where there is some other lawful reason to do so. Disclosure would usually be related to the ongoing care of the patient. Information should not be disclosed, if it is judged that doing so would cause serious mental or physical harm to the patient or anyone else.
The GMC has set out a number of factors to consider when deciding whether to disclose information about a patient who lacks capacity to consent, for example when a patient's incapacity is temporary, whether the decision could reasonably wait until they gain capacity.
Access to a patient’s records after death
The duty of confidentiality remains after a patient has died, although there are circumstances in which you should disclose relevant information about a patient who has died (eg. to help a coroner with his inquiry.) Under the Access to Health Records (Northern Ireland) Order 1993, the personal representative of the deceased and people who may have a claim arising from the patient’s death may be permitted access to the records. Disclosure should be limited to that which is relevant to the claim in question.
The records should not be disclosed if the deceased gave the information on the understanding that it would remain private. Likewise, third party information and information that is likely to cause serious harm to the physical or mental health of anyone should not be disclosed.
Sharing information with other health professionals
Doctors, nurses, physiotherapists, midwives, etc, have a professional ethical duty to respect patients’ confidentiality and should only access records if they are involved in a patient’s care.
It is assumed that patients consent to their personal information being shared among the clinical team for the purposes of their care. They should be made aware that this is the case and told that they have the right to withhold consent. Sometimes, patients may ask for certain – usually extremely sensitive – information to be kept private, and you should respect this. However, in certain circumstances, this information may need to be released if failure to disclose would place others at risk of death or serious harm. Additionally, the GMC advises that if a patient objects to a disclosure that you consider essential to the provision of safe care, you should explain that you cannot refer them or otherwise arrange for their treatment without also disclosing that information.
Non-clinical staff are increasingly required to access patients’ records for administrative purposes, and this raises serious concerns about preserving patient confidentiality. It is essential that all such staff be given training on confidentiality and record security and that a confidentiality clause is included in their contracts. Their access to patient information should be restricted to what they need for carrying out their specific duties.