Access to records

In accordance with the Data Protection Act 1998 and Access to Health Records Act, patients may request to see their medical records. Such requests should be made through the practice manager and may be subject to an administration charge. No information will be released without the patient consent unless we are legally obliged to do so.

Access to health records policy

Introduction

The Access to Health Records Act 1990 gave individuals the right of access, subject to certain exceptions, to health information recorded about themselves and, in certain circumstances, about others, within manual records. The Data Protection Act 1998 cam into force in March 2000 and repealed most of the 1990 Access to health Records Act. All applications for access to records, whether paper based or electronic, of living persons are now made under the DPA 1998. For deceased persons, applications are made under sections of the 1990 Access to health Records Act which have been retained. These sections provide the right of access to the health records of deceased individuals for their personal representative and others having a claim under the estate of the deceased.

The right of access

Under section seven of the DPA, patients have the right to apply for access to their health records. Provided that the fee has been paid and a written application is made by one of the individuals referred to below, the practice is obliged to comply with a request for access subject to certain exceptions. However, the practice also has a duty to maintain the confidentiality of patient information and to satisfy itself that the applicant is entitled to have access before releasing information.

Applications

An application for access to health records may be made in any of the circumstances explained below:

The patient

Pennine Medical Centre has a policy of openness with regard to health records and health professionals are encouraged to allow patients to access their health records on an informal basis. This should be recorded in the health record itself. The Department of health’s code of practice on Openness in the NHS as referred to in HSG(96) 18 Protection and Use of Patient Information, will still apply to informal requests.

Such requests are usually made for a reason. The patient may have concerns about treatment that they have received, how they have been dealt with or may be worried that something they have said may have been misinterpreted. Staff, are encouraged to try to understand and allay any underlying concerns that may have contributed to the request being made and offer an opportunity of early resolution.

Parental responsibility

Children of 16 years or over

If a mentally competent child is 16 years or over, then they are entitled to request or refuse access to their records. If any other individual requests access to these the Practice should first check with the patient that he or she is happy for them to be released.

Children under 16 years

Individuals with parental responsibility for an under 16 year old will have a right to request access to those medical records. A person with parental responsibility is either:

  • The birth mother, or
  • The birth father (if married to the mother at the time of the child’s birth or subsequently) or
  • An individual given parental responsibility by a court.

This is not an exhaustive list but contains the most common circumstances.

If the appropriate health professional considers that a child patient is Gillick competent (i.e. has sufficient maturity and understanding to make decisions about disclosure or their records) then the child should be asked for his or her consent before disclosure is given to someone with parental responsibility.

If the child is not Gillick competent and there is more than one person with parental responsibility, each may independently exercise their right of access. Technically, if a child lives with e.g. its mother and the father applies for access to the child’s records, there is no ‘obligation’ to inform the mother. In practical terms, however, this may not be possible and both parents should be made aware of access requests unless there is a good reason not to do so.

In all circumstances good practice dictates that a Gillick competent child should be encouraged to involve parents or other legal guardians in any treatment/disclosure decisions. Again medical records should not be disclosed unless the process set out in Section 2 is adhered to.

Patient representative

A patient can give written authorisation for a person (for example a solicitor or relative) to make an application on their behalf. The practice may withhold access if it is of the view that the patient authorising the access has not understood the meaning of the authorisation. Records should not be disclosed unless the process set out in section 2 is adhered to.

Court representatives

A person appointed by the court to manage the affairs of a patient who is incapable of managing his or her own affairs may make an application. Access may be denied where the GP is of the opinion that the patient underwent relevant examinations or investigations in the expectation that the information would not be disclosed to the applicant.

Access to a deceased patient’s medical records

Where the patient has died, the patient’s personal representative or any person who may have a claim arising out of the patient’s death may make an application. Access shall not be given (even to the personal representative) to any part of the record, which in the GPs opinion would disclose information which is not relevant to any claim which may arise out of the patient’s death. The effect of this is that those requesting a deceased person’s records should be asked to confirm the nature of the claim which they say they may have arising out of the person’s death. If the person requesting the records was not the deceased’s spouse or parent (where the deceased was unmarried) and if they were not a dependent of the deceased, it is unlikely that they will have a claim arising out of the death.

Children and family court advisory and support service (CAFCASS)

Where CAFASS has been appointed to write a report to advise a judge in relation to child welfare issues, Pennine Medical Centre would attempt to comply by providing factual information as requested.

Before records are disclosed, the patient or parent’s consent (as set out above) should be obtained. If this is not possible, and in the absence of a court order, the practice will need to balance its duty of confidentiality against the need for disclosure without consent where this is necessary:

  • To protect the vital interests of the patient or others, or
  • To prevent or detect any unlawful act where disclosure is in the substantial public interest (e.g. serious crime) and
  • Because seeking consent would prejudice those purposes.

The relevant health professional should provide factual information and their response should be forwarded to a member of the Child Protection Team who will approve the report.

Chapter 8 review

All Chapter 8 Review requests for information should be immediately directed to the Health Authority Child Protection manager, who will co-ordinate the Chapter 8 Review in accordance with national and local Area Child Protection Committee Guidance.

Amendments to or deletions from records

If a patient feels information recorded on their health record is incorrect then they should firstly make an informal approach to the health professional concerned to discuss the situation in an attempt to have the records amended. If this avenue is unsuccessful then they may pursue a complaint under the NHS Complaints procedure in an attempt to have the information corrected or erased. The patient has a right under the DPA to request that personal information contained within the medical records is rectified, blocked, erased or destroyed if this has been inaccurately recorded. He or she may apply to the Information Commissioner, but they could also apply for rectification through the courts. The GP practice, as the Data Controller, should take reasonable steps to ensure that the notes are accurate and if the patient believes these to be inaccurate, that this is noted in the records. Each situation will be decided upon the facts and the Practice will not be taken to have contravened the DPA if those reasonable steps were taken. In the normal course of events, however, it is most likely that these issues will be resolved amicably. Further information can be obtained from the Commissioner at Wycliffe House, Water lane, Wilmslow, Cheshire, SK9 5AF, telephone number 01625 545700.

Process

Co-ordination

GP practices receive applications for access to records via a number of different sources:

  • Medical Insurance Companies
  • Patient Solicitors
  • Patients
  • Patients Carers
  • Parents of under 16-year-old patients.

Notification of requests

Practices should treat all requests as potential claims for negligence. Good working practice would be to keep a central record of all requests in order to ensure that requests are cross-referenced with any complaints or incidents and that the deadlines for response are monitored and adhered to.

Inspecting and withholding of records

Requirement to consult appropriate health professional

It is the GPs responsibility to consider an access request and to disclose the records if the correct procedure has been followed. Before the practice disclosed medical records the patient’s GP must have been consulted and he/she checked the records.

Grounds for refusing disclosure to health records

The GP should refuse to disclose all or part of the health record if he/she is of the view that:

  • Disclosure would be likely to cause serious harm to the physical or mental health of the patient or any other person.
  • The records refer to another individual who can be identified from that information (apart from a health professional). This is unless that other individual’s consent has been obtained or the records can be anonymised or it is reasonable in all the circumstances to comply with the request without that individual’s consent, taking into account any duty of confidentiality owed to the third party, or if:
  • The request is being made for a child’s records by someone with parental responsibility or for an incapacitated person’s record by someone with power to manage their affairs, and the:
  • Information was given by the patient in the expectation that it would be disclosed to the person making the request, or
  • The patient has expressly indicated it should not be disclosed to that person.

Informing of the decision not to disclose

If a decision is taken that a record should not be disclosed, a letter must be sent by recorded delivery to the patient or their representative stating that disclosure would be likely to cause serious harm to the physical or mental health of the patient, or to any other person. The general position is that the practice should inform the patient if records are to be withheld on the above basis. If however, the appropriate health professional thinks that telling the patient:

  1. Will effectively amount to divulging that information, or this
  2. Is likely to cause serious physical or mental harm to the patient or another individual.

Then the GP could decide not to inform the patient, in which case an explanatory note should be made in the file.

That decision can only be taken by the GP and an explanatory note should be made in the file. Although there is no right of appeal to such a decision, it is the practice’s policy to give a patient the

opportunity to have their case investigated by invoking the complaints procedure. The patient must be informed in writing that every assistance will be offered to them if they wish to do this. In addition, the patient may complain to the Information Commissioner for an independent ruling on whether non-disclosure is proper.

Disclosure of a deceased patient’s medical records

The same procedure used for disclosing a living patient’s records should be followed when there is a request for access to a deceased patient’s records. Access should not be given if:

  • The appropriate health professional is of the view that this information is likely to cause serious harm to the physical or mental health of any individual, or
  • The records contain information relating to or provided by an individual (other than the patient or a health professional) who could be identified from that information (unless that individual has consented or can be anonymised), or
  • The record contains a note made at the request of the patient, before his/her death that he/she did not wish access to be given on application. (If while still alive, the patient asked for information about his/her right to restrict access after death, this should be provided together with an opportunity to express this wish in the notes),
  • The holder is of the opinion that the deceased person gave information or underwent investigations with the expectation that the information would not be disclosed to the applicant.
  • The practice considers that any part of the record is not relevant to any claim arising from the death of the patient.

Disclosure of the record

Once the appropriate documentation has been received and disclosure approved, the copy of the health record may be sent to the patient or their representative in a sealed envelope by recorded delivery.

The record should be sent to a named individual, marked confidential, for address only and the senders name should be written on the reverse on the envelope. Originals should not be sent. Confidential information should not be sent by fax and never by email unless via an encrypted service such as NHS mail account to another NHS mail account.

A note should be made in the file of what has been disclosed to whom and on what grounds. Where information is not readily intelligible an explanation (e.g. of abbreviations or medical terminology) must be given.

Charges and timescales

Once the request has been received and verified, the individual should be provided with a copy of their data by 28 days from the date of receipt. The 28 day time limit can be extended for two months for complex or numerous requests where the data controller needs more time to collate and supply the data. The individual will be informed within 28 days if this is the case.

Where further information is required by the practice to enable it to identify the record required or validate the request, this must be requested within 14 days of receipt of the application and the timescale for responding begins on receipt of the full information.

To provide copies of electronic patient health records a maximum charge of £10.00 can be requested to cover photocopying. For manual records or a mixture of electronic and manual there can a maximum charge of £50.00 but Pennine Medical centre will charge a standard fee of £10.00 unless there are exceptional circumstances, such as when a GP is asked to formally inspect a record that does not belong to him, where a fee of £50.00 will be charged. NO fee can be charged for allowing a patient to directly inspect their record where no copy is requested. The practice is not required to provide all the information requested if this would involve disproportionate effort and can refuse to provide copies if no fee is paid. At the same time, however, the GP has discretion not to charge for copies should he/she choose not to do so.

Safe haven

Confidential medical records should not be sent by fax unless there is no alternative. If a fax must be sent, it should include the minimum information and names should be removed and telephoned through separately.

All staff should be aware that safe haven procedures apply to the sending of confidential information by fax, for whatever reason. That is, the intended recipient must be alerted to the fact that confidential information is being sent. The recipient then makes a return telephone call to confirm safe and complete receipt. A suitable disclaimer, advising any unintentional recipient to contact the sender and to either send back or destroy the document, must accompany all such faxes.

Patients living abroad

For former patients living outside the UK and whom once had treatment for their stay here, under DPA 1998 they still have the same rights to apply for access to their UK health records. Such a request should be dealt with as someone making an access request from within the UK.

Requests made by telephone

No patient information may be disclosed to members of the public by telephone. However, it is sometimes necessary to give patient information to another NHS employee over the telephone. Before doing so, the identity of the person requesting the information must be confirmed. This may best be achieved, by telephoning the person’s official office, and asking to be put though to their extension.

Requests made by the police

In all cases the GP practice can release confidential information if the patient has given their consent (preferably in writing) and understands the consequences of making that decision. There is, however, no legal obligation, to disclose information to the police unless there is a court order or this is required under statute (e.g. Road Traffic Act).

The practice does, however, have a power under the DPA and Crime Disorder Act, to release confidential health records without consent for the purpose of the prevention or detection of crime or the apprehension or prosecution of offenders. The release of the information must be necessary for the administration of justice and is only lawful if this is necessary:

  • To protect the patient or another person’s vital interests, or
  • For the purposes of the prevention or detection of any unlawful act where seeking consent would prejudice those purposes and disclosure is in the substantial public interest (e.g. where the seriousness of the crime means there is a pressing social need for disclosure).

Only information, which is strictly relevant to a specific police investigation, should be considered for release and only then if the police investigation would be seriously prejudiced or delayed without it. The police should be asked to provide written reasons why this information is relevant and essential for them to conclude their investigations.

Requests from solicitors

Solicitors who are acting in civil or litigation cases for patients should obtain consent from the patient using the form that has been agreed with the BMA and the Law Society.

Court proceedings

You may be ordered by a court of law to disclose all or part of the health record if it is relevant to a court case (for example by a Guardian ad litem).