What's new | Site map | Feedback
    You are here: Home > Regulations > Confidentiality > Access to records and patient information

Access to records and patient information

The complainant may find it useful to obtain a copy of the medical records concerned with the incidents giving rise to the complaint.

The Data Protection Act 1998 (external link) requires that people be informed, in general terms, how their information may be used, who will have access to it and the organisations it may be disclosed to. They must also be told who is responsible for their personal information – the ‘data controller’ – and how to contact them. This should take place prior to the information being used, accessed or disclosed. The requirement falls upon both those who provide information and those who receive it.

Under the Data Protection Act they have the right to access their medical records and other personal information held about them.

A health record is defined in the Data Protection Act 1998 as a record consisting of “information about the physical or mental health or condition of an identifiable individual made by or on behalf of a health professional in connection with the care of that individual.”

A health record can be recorded in a computerised form or in a manual form or even a mixture of both. They may include such things as hand-written clinical notes, letters to and from other health professionals, laboratory reports, radiographs and other imaging records e.g. X-rays and not just X-ray reports, printouts from monitoring equipment, photographs, videos and tape-recordings of telephone conversations.

Frequently asked questions about access to records (external link)

Who can access a patient’s Medical Records?

  • the patient
  • the parent or guardian of a patient under 16 with their consent if they are at an age where they are able to understand matters. If consent is not possible the parent or guardian may access the records only if it is considered by the NHS provider involved to be in the best interests of the child
  • a court appointed representative of someone who is not able to manage his or her own affairs
  • where the patient is deceased, the personal representative, usually being the Executor, or anyone with a claim on the estate.

How to Apply

Responsibility for dealing with an access request lies with the "data controller". A data controller is the person who determines the purposes for which and the manner in which any personal data about an individual are, or are to be, processed.

Any request for access to health records must be made in writing or electronically to the data controller, that is

  • the applicant’s local GP or Practice Manager, for GP records
  • the Records Manager at the hospital, for hospital records.

Most NHS Trusts, surgeries and health centres have a special application form to request access to medical records. In some cases the Practice Manager or Records Manager at the Trust may ask them to write a letter requesting access. They should include in the letter any information they think will be helpful to the Practice or Records Manager in finding the correct records.

Two reasons why access could be denied

  • where the information released may cause serious harm to the physical or mental health or condition of the patient, or any other person.
  • where access would disclose information relating to or provided by a third person (this would not be a health professional) who had not consented to that disclosure.

Under the Data Protection Act 1998, these are the only two reasons where access could be denied or limited.

The Practice or Records Manager should be asked to explain anything that has been written in the records which the complainant doesn’t understand. For example there may be a technical term used which they haven’t heard before, or to check their understanding of what has been written.

If within the last 40 days the complainant has had a consultation or contact with the surgery or service resulting in a change being made to their records, then they should be given access within 21 days.

If it has been longer then the complainant should be given access within a maximum of 40 days.

Charges

Following a Department of Health led review it has been agreed that the fees that can be charged for access to health records will continue at their current levels, a maximum of

  • £10 for computerised records
  • £50 for manual records or a mixture of both.

This is set out in “The Data Protection (Subject Access) (Fees and Miscellaneous Provisions) (Amendment) Regulations 2001.

The regulations provide that where a patient requires access to their manual health records but does not require a permanent copy of that information no fee may be charged where the information has been added to the record in the forty days preceding the request.

Where a copy of information contained in a manual health record is provided a maximum of £50 can be levied to cover copying charges.

Record holders should not seek to make a profit when providing any copies of a record and the £50 maximum fee must not be charged in all cases.

Correcting Medical Records

If the complainant believes the medical records are inaccurate, they can ask the Practice Manager to correct them.

If the practice does not agree to this, the patient can request that a note is attached to the records to show they disagree with their content. If they remain unhappy with the action taken they can write to the Data Protection Information Commissioner to complain.

Next: The Freedom of Information Act
ICAS Resources for the complaints journey
April 29, 2007
ICAS Resources for the complaints journey