access to health records of living patients
Last reviewed 01/2018
- The Data Protection Act 1998
- Quick Checklist for Guidance for Access to Health Records Requests
under the Data Protection Act 1998
- This Act gives every living person, or their authorised representative, the right to apply for access to their health records to obtain copies
- Are you satisfied that you have consent from the patient and have
enough information to identify them and locate the information they
require, along with the relevant access fee?
- if no then:
- write back to the applicant, using a consent form, to obtain
the appropriate information
- if yes then:
- log applicant request and comply promptly, within 21 days*
of request
- in exceptional cases it may take longer. If it appears
likely that compliance will take longer than 40 days, the
applicant should be informed and an explanation of the delay
provided
- ensure that the health professional has checked the patient's
health records, as under the DPA 1998 they may limit or deny
access to an individual's health record for either of the
following two reasons:
- where the information released may cause serious harm to the physical or mental health or condition of the patient, or any other person
- or where access would disclose information relating
to or provided by a third person who had not consented
to that disclosure
- deny access or provide the patient or their representative
copies of the relevant parts of the health records or alternatively,
if in agreement with the data controller, set a date for them
to view the relevant records once the relevant fee has been
paid
- if a patient is unhappy with any aspect of the access request, try to resolve it locally with the data controller. If this is not an option, explain the NHS Complaints procedure or alternatively direct them to the Information Commissioner's Office
* This 21 day requirement is part of a commitment that ministers made to parliament in order to maintain obligations under the superseded Access to Health Records Act 1990
Notes:
- the Data Protection Act 1998 became effective from 1st March 2000, and superseded the Data Protection Act 1984 and the Access to Health Records Act 1990. The exception to this is the records of deceased persons, which are still governed by the Access to Health Records Act 1990
- the Data Protection Act 1998 gives every living person, or their authorised representative, the right to apply for access to their health records irrespective of when they were compiled
- within the Data Protection Act 1998 a health record is defined as a record consisting of information about the physical or mental health or condition of an identifiable individual made by or on behalf of a health professional in connection with the care of that individual
- a health record can be recorded in computerised form, in manual form, or in a mixture of both. It may include such things as hand-written clinical notes, letters to and from other health professionals, laboratory reports, radiographs and other imaging records (e.g. X-rays, and not just X-ray reports), printouts from monitoring equipment, photographs, videos and tape-recordings of telephone conversations
- the Data Protection Act 1998 is not confined to health records held for the purposes of the National Health Service. It applies equally to the private health sector and to health professionals' private practice records. It also applies to the records, for example, of employers who hold information relating to the physical or mental health of their employees if the record has been made by or on behalf of a health professional in connection with the care of the employee
- responsibility for dealing with an access to health records request lies with the "data controller". A health professional, i.e. the patient's GP, is known as a data controller. A data controller is defined as a person who either alone or jointly or in common with other persons determines the purposes for which and the manner in which any personal data about an individual are, or are to be, processed. A data subject would refer to the GP's patient
- the Data Protection Act 1998 also gives patients who now reside outside the UK the right to apply for access to their former UK health records
- as a general rule a person with parental responsibility will have the right to apply for access to their child's health record
- the Information Commissioner's Office is the statutory body which has been established to perform various functions under the Data Protection Act 1998. It has a website with useful guidance around the Act, www.dataprotection.gov.uk, or e-mail [email protected]. Alternatively, to view the Act, please visit the HMSO website www.legislation.hmso.gov.uk