Patients may be able to view their medical records online by 2015 under proposals in the DH’s Information Strategy published in May 2012.
The strategy emphasises the importance of improving access to personal information to give people more control over their care. However, patients’ right to access their medical records is already enshrined in the Data Protection Act 1998 (DPA) and only the technology involved is new.
Nevertheless, this is an area with the potential to cause confusion if, for example, a request is made on behalf of a patient. It can also lead to complaints if access requests are not managed properly.
The MDU’s advice is to have a practice policy on access to medical records. This will not only ensure a consistent approach but is also something inspectors from the Care Quality Commission (CQC) may expect to see when they begin visiting practices from April 2013.
The CQC’s Essential Standards of Quality and Safety on page 172 calls for effective procedures on records and states that those using a service should be confident that 'they, or others acting on their behalf...are aware of and can access, and where appropriate, contribute to the record'.
It is a good idea to address these aspects of data access in your policy:
- Applying for access
- Third party requests
- Children under 16
- Requests to amend records
Applying for access
While patients over 16 have a right to access their paper and computer records under Section 7 of the DPA, they do not own them and are not entitled to take possession of the originals. Rather, they can apply in writing to view their original records and to have copies of them. This is known as a 'subject access request' (SAR) and some practices have a standard form which captures all the information necessary to locate the record and confirm the identity of the person making the request, eg name of patient, NHS number and address.
In line with the Disability Discrimination Act 1995, a reasonable adjustment should be made for disabled patients who find it impossible or unreasonably difficult to make a subject access request in writing, such as accepting a verbal request.
Under the DPA GPs are obliged to disclose a patient’s medical records on the patient’s written request within 40 days, or sooner if possible. Access can only be limited or denied if it would:
- Be ‘likely to cause serious harm to the physical or mental health or condition of the data subject or any other person’. You cannot withhold information under this exception if it is information of which the patient is already aware.
- Give information about a third party, other than healthcare professionals involved in the treatment, unless that other person consents.
Third party requests
Third parties submitting access requests on behalf of a patient need to provide evidence of their authority to act for the patient, such as the patient’s written consent or have the necessary legal authority (such as a certificate of lasting power of attorney).
Children under 16
Those with parental responsibility can apply for access on behalf of children under 16 but if the child is able to consent to their own medical treatment, without the need for parental permission or knowledge their consent should be sought.
If the child does not have capacity, the practice will usually provide access to an individual with parental responsibility unless there is reason to think this would not be in the child’s best interests (for example) if there is a child protection concern.
The Information Commissioner’s Office (ICO) says it should be free for patients to inspect medical records held manually if they have been updated in the last 40 days. If the patient wants copies, a fee can be charged – currently up to a maximum of £50 for hard copy records (or a combination of hard copy and electronic) or £10 for electronic records. You should ensure patients are aware of charges before proceeding.
Requests to amend records
Patients are entitled to challenge the validity of records and to have factual errors corrected. However, an entry in the patient’s records should not be amended simply because the patient does not like it.
Hard copy errors should be scored with a single line so that the original writing is still visible, and the correct entry should be written alongside with the time, date and your signature. If making an entry or correction to a computer record, ensure there is an audit trail identifying the date and time of the change and the person who made it. It should be immediately obvious that an amendment has been made.
It is essential to protect patient confidentiality when dealing with access requests. You may want to set out the steps necessary to confirm the identity of the person making the request; and the secure means by which copies are sent to the patient, eg by recorded delivery.
Contact your medical defence organisation if you have specific queries on SARs. Also, the Information Commissioner’s Office has produced a technical guidance note called 'Subject access to health records by members of the public.'
- Dr Sally Barnard is a medico-legal adviser at the MDU