Access to patient records

Standard Note: SN/SP/4925
Last updated: 7 January 2009
Author: Jo Roll
Section: Social Policy Section

This note aims to help Members answer enquiries from constituents about access to health
records. It outlines the right that patients have to access their own health records and also
provides brief information about access by third parties. This note replaces SN/SP/1661 and
SN/SP/1952. It focuses on England although much of the content is also relevant to the rest
of the UK.

This information is provided to Members of Parliament in support of their parliamentary duties
and is not intended to address the specific circumstances of any particular individual. It
should not be relied upon as being up to date; the law or policies may have changed since it
was last updated; and it should not be relied upon as legal or professional advice or as a
substitute for it. A suitably qualified professional should be consulted if specific advice or
information is required.

This information is provided subject to our general terms and conditions which are available
online or may be provided on request in hard copy. Authors are available to discuss the
content of this briefing with Members and their staff, but not with the general public.

1      Which legislation?

2      Sources of information

3      The right of access

4      Exemptions to the patient’s right of access to his or her health record

5      Access on behalf of patients
              Lack of capacity
              Instructing someone else e.g. a Member of Parliament
              Where a patient has died

6      Third party access

7      Retention periods

8      Complaints and corrections

1       Which legislation?
NHS health records are public records 1 and therefore in principle accessible under the
Freedom of Information Act 2000. However, section 21 of the Freedom of Information Act
exempts from the Act the provision of information that is available by other means, and
section 7 of the Data Protection Act 1998 gives living individuals (and only living individuals)
a qualified right of access to personal data, including health records, of which they are the

For living patients it is therefore generally the Data Protection Act 1998 that is relevant to
their requests for information from their own health records. For access to the records of
dead patients the Access to Public Records Act 1990 makes some provision for records
created since 1 November 1991; and a range of other legislation may be relevant where
access is desired in other circumstances.

Nevertheless, the possibility remains that the Freedom of Information Act 2000 could be
relevant in some situations 2 and it is in any case relevant to the management of health
records. 3

The Data Protection Act applies UK-wide. Although the Access to Public Records Act applies
to Great Britain only, there are parallel provisions for Northern Ireland in Regulations. 4 Much
of this note will therefore be relevant to all the countries of the UK. However, most NHS
issues, including the management of health records, and some of the surrounding legislation
are devolved matters. The main focus of this note is therefore on the position in England. 5

    1  Schedule 1 of the Public Records Act 1958 as amended.
    2  See Library Standard Note SN/PC/2950 for information about making freedom of information requests. The
       Information Commissioner’s website has more information about the difference between the two Acts.
    3  Schedule D of the Department of Health’s NHS records management code of practice.
    4  The Access to Health Records (Northern Ireland) Order 1993, SI 1993/1250 (NI 4).

2       Sources of information
The website of the Information Commissioner describes an individual’s general right of
access, under section 7 of the Data Protection Act, to personal data of which she or he is the
subject. 6 The Library has also produced a range of standard notes on different aspects of the
Act, which are available on the Library’s web pages.

As far as health records in particular are concerned, the Department of Health’s website
contains a range of information, such as a set of FAQs, which may be of use to constituents
wanting to make an application. The Department of Health’s website also contains guidance
to NHS staff, Guidance for Access to Health Records Requests and Confidentiality, NHS
code of practice, both of which contain information that is relevant to patient records. The
NHS Choices website also contains information about accessing health records that may be
useful to constituents. 7

3       The right of access
Access to a health record under section 7 is not restricted to NHS records. It also includes
private sector health care. A health record for the purposes of the Act is one which relates to
the physical or mental health of an individual which has been made by or on behalf of a
health professional in connection with the care of that individual. The Act also includes a
definition of health professional that would cover those registered with certain statutory
regulatory bodies (eg doctors, dentists, nurses) as well as one or two others. Unlike some of
the earlier legislation, the Act covers both manual and electronic records and applies to
records whenever they were made.

What section 7 means is that the record holder (data controller) must supply the information
to the patient, subject to any relevant conditions and exemptions. Who the record holder is
will depend on the circumstances e.g. it might be an NHS Trust, a GP Practice, or the
Primary Care Trust (where the patient has died) or some other person or body.

Conditions relating to the application procedure are set out in sections 7 and 8 of the Act and
in Regulations. 8 The Information Commissioner’s website provides guidance about how to
apply, including a model letter. It also contains specific guidance about accessing health
records (although some of this is now out of date). 9 For example, requests must be made in
writing and the patient should supply enough information for the record holder to identify the
patient’s records. The record holder is generally required to reply within 40 days. There may
be a fee to pay, up to a maximum of £50 where a permanent copy of the record is provided. In
some circumstances access rather than a permanent copy may be provided. Data controllers
are required to provide an explanation of unintelligible records, either because of poor
handwriting or because of the use of technical jargon or abbreviations.

    5  There is, for example, a separate Freedom of Information (Scotland) Act 2002 although all NHS organisations
       are similarly public authorities under Schedule 1 of that Act, and the records they create are subject to the
       Public Records (Scotland) Act 1937 (as amended). See: Records Management: NHS Code of Practice
       (Scotland) Version 1.0, July 2008.
    6  under section 7 of the Data Protection Act
    7  For Scotland, see the NHS Scotland leaflet, How to see your health record
    8  The Data Protection (Subject Access) (Fees and Miscellaneous Provisions) Regulations SI 2000/191, as
    9  Information Commissioner, Subject Access and Health Records

4        Exemptions to the patient’s right of access to his or her health record
There are general provisions and provisions specific to health records that may modify
patients’ right of access to their health records under the Data Protection Act. Apart from
conditions relating to procedure, such as making applications in writing and enabling the
imposition of a fee, the two main exemptions to a patient’s right of access relate to:

          • information about identifiable third parties

          • information likely to cause someone serious physical or mental harm

The first of these is contained in section 7 (4) of the Act. It means that those who hold the
information (known as data controllers in the legislation) may refuse to release it if it would
reveal information about another person unless that person has given consent or it is
reasonable to comply with the request without that person’s consent. (The Act lists various
factors to be taken into account when deciding whether consent is necessary.) This
exemption to the right of access does not apply to health professionals who have compiled or
contributed to the health record or been involved in the care of the patient. 10

The second exemption relates specifically to health records and is contained in
Regulations, 11 which provide that access may be refused in so far as disclosure would be
likely to cause serious harm to the physical or mental health or condition of the data subject
or any other person. In this case “any other person” could include a health professional so
that information might be refused if, for example, it was considered likely to put a health
professional in danger.

Before this second exemption can be invoked, data controllers (i.e. whoever is responsible
for holding the record) are required to consult an appropriate health professional if they are
not health professionals themselves. There are certain exceptions to this, for example, if the
patient already knows the information.

5        Access on behalf of patients
The Data Protection Act 1998 applies to a patient’s own health record; it does not give others
a right of access to the patient’s record. However, there are various circumstances where
someone may be able to act on behalf of the patient who is the subject of the record.

Lack of capacity
One of these is where the third party has a legal entitlement to act on behalf of a patient who
is not legally competent and, as a consequence of that entitlement, may be able to obtain
access to the patient’s record. The Data Protection Act legislation does not make such
provision. It is contained in other legislation (eg the Children Act 1989), which may be
different in different parts of the UK.

     10 Regulation 8 of the Data Protection (Subject Access Modification) Health Order SI 2000/413 says that the Act
        is to be read as if this extra provision is included.
     11 The Data Protection (Subject Access Modification) Health Order SI 2000/413.

The data protection legislation does, however, recognise that such provision exists in that it
provides for the patient’s wishes to limit the right of access where a parent is acting on behalf
of a child or someone has been appointed by a court to act for someone who is incapable.
This would be where the patient provided the information in the expectation that it would not
be disclosed to that third party; or the information was obtained as a result of any
examination or investigation to which the patient consented in the expectation that the
information would not be disclosed to that third party; or the patient had expressly indicated
that it should not be disclosed to the third party. 12

Instructing someone else e.g. a Member of Parliament
It is also possible for someone to act on a patient’s behalf where the patient has consented
or requested it, for example, by instructing a solicitor. Within Parliament there has been
particular concern about the right of Members to make enquiries on behalf of their
constituents both in general and in relation to information contained in their constituents’
health records. 13

In order to facilitate the work of MPs and other elected representatives acting on behalf of
constituents, in 2002 the Data Protection Act was amended by order 14 to allow the disclosure
to elected representatives of certain types of data, known as “sensitive” data under the Act.
(“Sensitive” data includes data relating to an individual’s health. 15 ) The Department of Health
has issued guidance to NHS bodies, which briefly mentions the role of MPs:

             …Careful consideration of any written authorisation and prompt action are key,
             e.g. where an MP states, in writing, that s/he has a patient’s consent for
             disclosure this may be accepted without further resort to the patient. 16

Where a patient has died
The Data Protection Act only applies to living patients but where a patient has died, section 3
of the Access to Health Records Act 1990 (as amended by the Data Protection Act 1998)
gives a right of access to the patient’s personal representative 17 and to someone who has
a claim arising out of the patient’s death.

Unlike the Data Protection Act, which has no time cut-off, the Access to Health Records Act
only applies to records made after 1 November 1991 (except where earlier information is
necessary to make sense of the information to which access is required). 18

The 1990 Act forbids access made against the expressed wishes of the patient. It says that
access should not be given if the record includes a note, made at the patient's request,
saying that s/he did not wish access to be given to a personal representative or person
having a claim arising out of his or her death.

     12 As above.
     13 In relation to health records, see, for example, Adjournment Debate 1 April 2004 c1783-4.
     14 The Data Protection (Processing of Sensitive Personal Data) (Elected Representatives) Order 2002 SI
     15 The House has produced detailed guidance for Members on the implications of the Data Protection Act 1998.
        The Information Commissioner has also produced a technical guidance note about the order, aimed at those
        responding to Members:
     16 Department of Health document, Confidentiality NHS Code of Practice, November 2003, Annex C, Model B3,
        Example 13.
     17 When someone dies, the personal representative is the person who administers the deceased person’s
        estate. (See, for example, HMRC website: )
     18 The Department of Health’s website includes a specific section on accessing the records of a dead person

The 1990 Act also allows information to be partly excluded where a) in the opinion of the
record holder, disclosure would be likely to cause serious harm to the physical or mental
health of any individual; or b) it relates to an identifiable third party who has not consented to
the disclosure (though this does apply if the individual is a health professional who has been
involved in the care of the patient).

There is also a ban, made in regulations, 19 on access to any part of a health record that
would disclose information showing that an identifiable individual was, or may have been,
born in consequence of treatment services within the meaning of the Human Fertilisation and
Embryology Act 1990.

The FAQs on the Department of Health’s website (mentioned under sources of information
above) have a section on accessing the records of someone who has died.

6        Third party access
The Data Protection Act is not only about access to records; it also provides a framework for
using information about individuals that is designed to protect their privacy. The Human
Rights Act 1998 also contains provisions relating to privacy and the common law duty of
confidentiality generally applies to health records. All these factors, and others, such as the
terms and conditions of NHS employees, professional codes of practice and other ethical
policies, generally have the effect of excluding access by third parties where the patient has
not given consent and the purpose of access is not a healthcare one.

There has been particular concern about confidentiality and access by third parties in relation
to the national electronic database being developed for patient records in England. Library
Standard Note SN/SP/4584, The Spine and Confidentiality, provides some of the background
and there have been numerous Parliamentary Questions and Answers about the issues
raised as the system is being developed. This note outlines the general principles relating to
access by third parties rather than the details relating to this particular project.

Despite the restrictions on access by third parties there may nevertheless be some
circumstances, other than those described in the previous section (about acting on behalf of
a patient), in which access by a third party to information about an identifiable patient, without
the patient’s consent, may be lawful.

The Department of Health has published a code of practice on confidentiality for the NHS,
which describes in detail the situations where this may happen. The chief categories (other
than for healthcare purposes) are:

          • where statute law requires or permits the disclosure of confidential patient

          • where the Courts have ordered disclosure and,

          • as established by case law, where there is an overriding public interest.

Further details are in the document. 20

     19 The Access to Health Records (Control of Access) Regulations SI 1993/746.

7         Retention periods
Being able to access a health record depends on the record being in existence. The
Department of Health has produced an NHS records management code of practice, which
contains a schedule listing the minimum periods for which various NHS records, including
patient health records, should be kept. 21 It also lists the authority for the various different
retention periods. The accompanying notes say the schedule applies to all the records
concerned, irrespective of the format (e.g. paper, databases, e-mails, x-rays, CD-ROMs) in
which they are created or held; and it covers all medical specialties, including GP records.
(Previously there was separate guidance for GP and hospital records.)

The NHS Choices website summarises the position as follows:

             The Department of Health publishes a Code of Practice for Records
             Management. This sets out the minimum period for which different types of
             health records must be kept, either due to legal requirements or because they
             may be needed for your future care. For more information, see the 'further
             information' section.

             Once this minimum period has expired, health records are dealt with in one of
             three ways:

             • The health organisation that created the records may decide that they need
             to be kept for longer than the minimum period. However, the organisation must
             ensure that keeping the records does not contravene the Data Protection Act
             1998, which says that personal data should not be retained longer than is

             • The records will be transferred to an archive. This will happen if the records
             no longer need to be kept for patient care or as a legal requirement, but have
             some long-term historical or research value. The Data Protection Act allows for
             personal data identified as being of historical or statistical research value to be
             kept as archives.

             • The records will be destroyed. This will happen if the records no longer
             need to be kept for patient care or as a legal requirement, and they have no
             long-term historical or research value.

             The minimum periods that the most common types of health record must be
             kept are:

             GP records - until 10 years after the patient's death or after the patient has
             permanently left the country, unless the patient remains within the European
             Union. (Exceptions are patients serving in the armed forces or serving a prison
             sentence, when the records must not be destroyed.)

             GP records relating to children and young people (including paediatric and
             vaccination records) - until the patient's 25th birthday, or 26th birthday if an
             entry was made when the young person was 17; or 10 years after the patient's
             death, if sooner. 22

     20 For information about the other countries of the UK, see, for example:
        Northern Ireland:
     21 Department of Health, NHS Records Management Code of Practice Annex D and D1:

              Dental records - 11 years for adults. For children, 11 years or until the patient
              is 25 years old, whichever is the longer.

              Ophthalmic (eye) records - 11 years for adults. For children, 11 years or until
              the patient is 25 years old, whichever is the longer.

              Children and young people (all types of records relating to children and
              young people) - retain until the patient's 25th birthday, or 26th if the young
              person was 17 at conclusion of treatment; or 8 years after death if sooner.

              Immunisation and vaccination records - for children and young people,
              retain until the patient's 25th birthday, or 26th if the young person was 17 at
              conclusion of treatment. For adults, retain until 10 years after conclusion of

              Maternity records - 25 years after last birth.

              Records relating to persons receiving treatment for a mental disorder
              within the meaning of the Mental Health Act 1983 - 20 years after the date
              of last contact between the patient and any health care provider, or 8 years
              after the patient's death if sooner.

              The length of time for which health records must be kept is calculated from the
              beginning of the year after the last date on the health record. For example, a
              file in which the last entry is in September 2004, and for which the retention
              period is seven years, will be kept until the beginning of 2012.

As this is a devolved matter, the devolved governments have published or are developing
their own guidance. 23

8         Complaints and corrections
The Department of Health’s FAQ for patients about making a complaint says:

              Complaints about any aspect of an application to obtain access to health
              records should first be made to the person concerned. If this does not resolve
              the matter, a complaint can be made under the NHS Complaints Procedure. If
              a patient follows this procedure and is dissatisfied with the outcome of the
              investigation, they have the right to take their complaint to the Health Service
              Ombudsman or, as a last resort, to court.

              Alternatively, a person has the right to complain to the Information
              Commissioner, formerly the Data Protection Commissioner at Wycliffe House,
              Water Lane, Wilmslow, Cheshire SK9 5AF. Tel 01625 545700

     22 In effect the first two of these together mean that GP records should be held for a minimum of 10 years after
        death or cessation of treatment, or until a child’s 25th birthday, whichever is the later.
     23 Scotland:, in particular Annex D:
        Wales:, which is part of the
        Caldicott Manual published in 2008:

The Information Commissioner has the authority to demand the destruction, removal or
blocking of erroneous information. This is part of the Information Commissioner’s broader
role in ensuring that the eight principles set out in the Data Protection Act are properly
applied. The fourth principle may be particularly relevant where a patient wishes to correct
information on a record. It states that: “Personal data shall be accurate and, where
necessary, kept up to date”.

In addition, section 14 of the Data Protection Act enables a court to order the rectification,
blocking, erasure and destruction of data where it is satisfied that the data is “inaccurate” and
section 10 gives the subject of a record a conditional right to stop the use of information likely
to cause damage or distress.

However, in relation to accuracy, Department of Health guidance suggests that medical
opinions are not the same as questions of fact (such as a date of birth). It says:

             …The Data Protection Act fourth principle also states that information should
             be accurate and kept up-to-date and this provides the legal basis for enforcing
             corrections when appropriate. However, an opinion or judgement recorded by a
             health professional, whether accurate or not, should not be amended
             subsequently. Retaining relevant information is essential for understanding the
             clinical decisions that were made and to audit the quality of care. 24

It is also possible that a medical opinion might at some stage be needed in legal action, such
as a medical negligence case, and that changing it would therefore constitute the destruction
of evidence. In addition, the General Medical Council, which has a statutory role to provide
guidance to doctors on medical ethics, has issued guidance to doctors, which says that
doctors must keep contemporaneous records. Breach of this guidance is not by itself
unlawful but serious abuses could result in a doctor being struck off. The GMC’s core piece
of Guidance is Good Medical Practice (2006). Under the heading Providing good clinical
care, the guidance says that a doctor must:

     • Keep clear, accurate and legible records, reporting the relevant clinical findings, the
       decisions made, the information given to patients, and any drugs prescribed or other
       investigation or treatment;

     • Make records at the same time as the events you are recording or as soon as
       possible afterwards.

However, even if it is not possible for the original opinion to be removed, it may be possible
for a later opinion to be added or for the patient’s views to be included.

     24 Guidance for Access to Health Records Requests under the Data Protection Act 1998, issued in 2003

