Medical Records

The following notes have been compiled from information on the Department of Health web site.  The full list of questions and answers can be found at www.doh.gov.uk/ipu/ahr/faq.htm.

The Data Protection Act 1998 gives every living person the right to apply for access to his or her own health records.

Individuals are entitled to apply for access to their total health record as it stands at the time the request was received.  However, the information provided may take account of any amendment or deletion which is made to the record in the period between the request having been received and dealt with, being an amendment or deletion that would have been made regardless of the receipt of the request.  (Unfortunately no explanation of this ambiguous statement is offered.  We have asked for confirmation, but have not received a reply.)

Any request for access to health records must be made in writing or email to the 'data controller' ie. the person holding the information - the GP for GP records, or the Hospital Records Manager for hospital records.  Some NHS bodies to use a standard form for this purpose.  It is advisable to date all correspondence and emails and to keep copies.

There is usually a fee payable for providing copy records.  This fee varies.  Under the Data Protection Act 1998 (Fees and Miscellaneous Provisions) Regulations 2001, the maximum fee that can be charged for providing copies of health records is £10 for computer records and £50 for copies of manual records or a mixture of manual and computer records.

The data controller is not obliged to comply with an access request unless they have the information they need to identify the applicant and locate the information, and unless the required fee has been paid.  Once the data controller has all the relevant information and the fee, they must comply with the request promptly and by no later than forty days after the request has been made.  In exceptional circumstances if it is not possible to comply within this period the applicant should be informed.

A patient does not need to give a reason why they are applying for a copy of their medical records, and staff should be ready to assist applicants in making access requests.

On receiving a written request, the data controller should log the application and immediately examine it to confirm its validity (this is important because patients have a right to have their personal health information kept confidential).

Under the Data Protection Act 1998 there are certain circumstances in which the data controller may withhold information.  Access may be denied, or limited, where the information might cause serious harm to the physical or mental health or condition of the patient, or any other person, or where giving access would disclose information relating to or provided by a third person who has not consented to the disclosure.  Data controllers are not obliged to advise applicants that they have withheld information or why.

Where the information disclosed in medical records is not readily intelligible, an explanation (eg. of abbreviations or medical terminology) must be given.

A data controller may refuse to process an application for copy records where a similar request has previously been complied with, unless a reasonable interval has elapsed since the previous compliance.

If a patient feels information recorded on their health record is incorrect, they should firstly make an informal approach to the health professional concerned to discuss the situation in an attempt to have the records amended.  If this is unsuccessful then they may pursue a complaint under the NHS Complaints procedure in an attempt to have the information corrected or erased.  Having followed this procedure and being dissatisfied with the outcome, a patient has the right to take their complaint to the Health Service Ombudsman or, as a last resort, to court.  They could further complain to the Information Commissioner, formerly the Data Protection Commissioner, who may rule that any erroneous information is rectified, blocked, erased or destroyed.  For a copy of a leaflet explaining how to complain go to www.doh.gov.uk/complaints/howtocomplain.htm or phone 0800 555777.  The Information Commissioner is at Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, telephone number 01625 545700.

Access to medical records for children
As a general rule a person with parental responsibility will have the right to apply for access to a child's health record.  This includes divorced or separated parents if they have parental responsibility.

Where an older child is considered capable of making decisions about his/her medical treatment, the consent of the child must be sought before a person with parental responsibility can be given access.  Where, in the view of the appropriate health professional, the child patient is not capable of understanding the nature of the application, the data controller is entitled to deny access if it is not felt to be in the patient's best interests.

The law regards young people aged 16 or 17 to be adults for the purposes of consent to treatment and right to confidentiality.  Therefore, if a 16-year-old wishes a medical practitioner to keep the treatment confidential, then that wish should be respected.

Article last edited on Tuesday 28th July 2009                          Printable Version