Online access to patient records

Growing public awareness about the rights to access data as the GDPR is introduced means practices may be faced with more requests from patients to access medical records online, explains the MDU's medico-legal adviser, Dr Carol Chu.

Patients should ideally have read-only access to their records (Picture: iStock)

With greater awareness of the rights of ‘data subjects’ among the public, practices may receive more requests for records access from patients.

Educating patients about how to access their online records and improving the amount of information that can be accessed in this way may be one way of avoiding the administrative burden this may cause. However, it’s important to be aware of the potential issues raised about security, confidentiality and record accuracy.

The right of patients to seek access to their medical records was enshrined in the Data Protection Act 1998 (DPA) and will soon be covered by the General Data Protection Regulation (GDPR) which will come into force on 25 May 2018. The new Data Protection Bill 2017-19, which is currently before parliament, will replace the DPA 1998 when enacted. GMS and PMS contracts in England say practices must promote and offer registered patients online access to all coded data in their GP records.

Information security

Patients accessing online records, along with other services such as appointment booking and repeat prescriptions, do so with a personalised login ID and password.

NHS England and the RCGP have produced model forms and leaflets for patients within their guidance (see below for links to these). The practice should:

  • keep a register of patients who have online access, and whether it has been limited for any reason. The RCGP has specific guidance on identity verification (see below).
  • tell patients about their own responsibilities to protect their login details and keep their information secure, as well as the risks of sharing information.

Limits of patient access

If someone wants to see their records, the Data Protection Bill 2017-19 says access can only be limited or denied if:

  • it would be 'likely to cause serious harm to physical or mental health of the data subject or another individual' – except for information of which the patient is already aware
  • it gives information about a third party, other than healthcare professionals involved in the treatment, unless that other person consents, or it is reasonable in all the circumstances to disclose without the third party's consent.

Practices might sometimes consider limiting access so that sensitive information isn't disclosed. If you're considering this, there must first be an assessment by the doctor responsible for the patient's care. Make a record of this.

Some coded entries will pre-date the switching on of online access for the individual patient, so records should be checked carefully and any sensitive data redacted before online access is switched on.

Once a practice has decided to offer online access to patients, it should only be refused with good reason.


It is not advisable to register a patient for online access if you suspect they're being coerced into making the request - if they are at risk of abuse by a family member or partner, for example.

In this situation, you will need to discuss your decision with the patient, and you can refer to the RCGP and NHS England's joint guidance on the topic (see below).

Who else can access a patient's record?

If someone requests access to online records on the patient's behalf, they should be asked for evidence of their authority to act for the patient. This might be the patient's written consent or the necessary legal authority (such as a certificate of Lasting Power of Attorney) if the patient does not have capacity to consent.

Parental access

The age at which a child becomes competent will vary and it is important to keep any access by those with parental responsibility under regular review.

The RCGP's guidance sets out the position in relation to children under 16, and suggests that full access for those with parental responsibility should automatically be switched off when a child reaches age 11.

If someone with parental responsibility requests access to the records of a competent child, the child's consent should be sought and you should consider whether such access is in the child’s best interests. When the Data Protection Bill 2017-19 is enacted, children aged 13 (rather than 16) or over will be able to provide their own consent.

Correcting or changing records

It's a GP’s responsibility to make sure records are accurate. Patients should be able to report factual inaccuracies or question the content of the records but patients should not be able to alter the content.

Any corrections usually need the GP's agreement to check the record is complete and accurate. If factual corrections are made, it should be obvious who made the amendment and when (computerised records usually create an audit trail).

If a patient disagrees with the content of their record but the GP considers it to be accurate, a note can be added to highlight the patient's disagreement.

Explaining patients' records

Patients should be able to understand their records to get the most out of them. Taking the time to help them may reduce patient contact in the long run as they gain a greater understanding of their conditions.

  • Encourage patients to contact the practice if they need clarification.
  • Spell out acronyms.
  • Explain diagnoses and treatments in more detail.

Training the team

It's important to train the practice team in patient online access to records. Those involved in creating the record need to be aware that it can be viewed by patients. Think carefully about the purpose of the records and the impact they may have on patients reading them. For example, training can highlight data accuracy, the need to minimise the use of abbreviations and the potential issues surrounding third party data.

Registering patients for online access

Staff need to understand the registration process, and be able to explain to patients the importance of keeping their information secure.

Patients need to understand that they may see information they don't understand or find upsetting and that they can discuss their records with a GP if this happens.

NHS England has published a Patient Online guide which includes resources to provide to patients.

Useful resources

Read more on the GDPR
