The law states that NHS organisations must, when requested by an individual, give that person access to their personal health information, and occasionally, certain relevant information pertaining to others. In order to do this, they must have procedures in-place that allow for easy retrieval and assimilation of this information.
There are three main areas of legislation that allow the right of the individual to request such personal information, and they are:
- The Data Protection Act 1998
- The Access to Health Records Act 1990
- The Medical Reports Act 1988
Where the request for information by an individual falls under the legislation of any of these areas, access must be granted. Patients requesting information about their own personal medical records would usually have their request dealt with under the provisions of the Data Protection Act 1998.
What Constitutes a Health Record?
A health record could include, and not exhaustively, hand-written clinical notes, letters between clinicians, lab reports, radiographs and imaging, videos, tape-recordings, photographs and monitoring printouts. Records can be held in both manual or computerised medias.
Patient Access to Medical Records Policy?
The Data Protection Act 1998
This scope of this Act includes the right of patients to request information on their own medical records. Requests for information under this Act must:
- Be in writing to the data controller Practice Manager at Queslett Medical Centre. (E-mail requests are allowed. Verbal requests can be accepted where the individual is unable to put the request in writing – this must be noted on the patient record);
- Be accompanied with sufficient proof of identity to satisfy the data controller and to enable them to locate the correct information (where requests are made on behalf of another, the data controller must satisfy themselves that correct and adequate consent has been given);
- Be accompanied with the correct fee where applicable (see below for guidance on fees);
The data controller should check whether all the individual’s health record information is required or just certain aspects.
Where an information request has been previously fulfilled, the data controller does not have to honour the same request again unless a reasonable time-period has elapsed. It is up to the data controller to ascertain what constitutes as reasonable.
Requests for health records information should be recorded internally and fulfilled within 21 days (unless under exceptional circumstances – the applicant must be informed where a longer period is required). Information given should be in a manner that is intelligible to the individual.
Access Request Fees
Viewing Records Only – Free if the records have been updated within the last days. Otherwise, a maximum of £10.
Obtaining Copies of Health Records
- If held on computer – maximum £10;
- If held in another media – maximum £50;
- If held on a combination of computer and other media – maximum £50.
Which clinician should be consulted for information?
The correct clinician to be consulted about an individual’s information should be:
- The clinician who is currently, or was most recently, responsible for the clinical care of the individual in connection with the information which is the subject of the request; or
- where there is more than one such clinician, the one who is the most suitable to advise on the information which is the subject of the request.
Denial or Limitation of Information
The data controller may deny or limit the scope of information given where it may fall under any of the following:
- The information released may cause serious harm to the physical or mental health or condition of the individual or any other person, or
- The disclosure would also reveal information relating to or provided by a third person who has not consented to that disclosure unless:
- The third party is a clinician who has compiled or contributed to the health records or who has been involved in the care of the individual;
- The third party, who is not a clinician, gives their consent to the disclosure of that information;
- It is reasonable to disclose the information without that third party’s consent.
A reason for denial of information does not have to be given to the individual, but must be recorded.
Former NHS Patients Living Outside the UK
Patients no longer resident in the UK still have the same rights to access their information as those who still reside here, and must make their request for information in the same manner.
Original health records should not be given to an individual to take abroad with them, however, the Practice may be prepared to provide a summary of the treatment given whilst resident in the UK.
Parental Requests for Information pertaining to their Children
Parents will normally have responsibility for accessing the health records of their children, however, care must be taken to obtain consent of the child where necessary (16 and 17 year olds are seen as adults in relation to confidentiality, and their consent would be necessary). It is important to be aware that children under 16 who have capacity and understanding for decision-making should also have their confidence respected, however, they should be encouraged to involve parents and guardians in their healthcare matters.
Queslett Medical Centre has procedures in place to enable complaints about access to health records requests to be addressed.
The following channels are used to field any complaints regarding the access of health records at the Practice:
- Firstly, the clinician involved should arrange to have an informal meeting with the individual to try to resolve the complaint locally;
- If the issue remains unresolved, the patient should be informed that they have a right to make a complaint through the NHS complaints procedure (further information is available at: http://www.nhs.uk/NHSEngland/thenhs/records/healthrecords/Pages/what_to_do.aspx
Sometimes the patient may not wish to make a complaint through the NHS Complaints Procedure and instead, take their complaint direct to the Information Commissioner’s Office (ICO) if they believe the Practice is not complying with their request in accordance with the Data Protection Act.
Alternatively, the patient may wish to seek legal independent advice.
The Data Protection Act 1998 gives every living person, or an authorised representative, the right to apply for access to their health records.
A request for your medical health records held at Queslett Medical Centre should be made in writing (e-mails also accepted) to the data controller who is Practice Manager (please contact the Practice for alternative methods of obtaining access if you are unable to make a request in writing).
Under the Data Protection Act 1998 (Fees and Miscellaneous Provisions) Regulations 2000, you may be charged a fee to view your health records or to be provided with a copy of them. The maximum permitted charges are set out in the tables below:
To provide you with a copy of your health record the costs are:
Health records held totally on computer: up to a maximum of £10.
Health records held in-part on computer and in-part manually: up to a maximum of £50
Health records held totally manually: up to a maximum of £50
To allow you to view your health record (where no copy is required) the costs are:
Health records held totally on computer: up to a maximum of £10.
Health records held in-part on computer and in-part manually: a maximum of £10.
Health records held manually: up to a maximum of £10 unless the records have been added to in the last 40 days in which case viewing should be free.
All the above maximum charges include postage and packaging costs.
The data controller is not obliged to comply with your access request unless they have sufficient information to identify you and to locate the information held about you.
Once the data controller has all the required information, and fee where relevant, your request should be fulfilled within 21 days (in exceptional circumstances where it is not possible to comply within this period you will be informed of the delay and given a timescale for when your request is likely to be met).
In some circumstances, the Act permits the data controller to withhold information held in your health record. These rare cases are:
- Where it has been judged that supplying you with the information is likely to cause serious harm to the physical or mental health or condition of you, or any other person, or;
- Where providing you with access would disclose information relating to or provided by a third person who had not consented to the disclosure, this exemption does not apply where that third person is a clinician involved in your care.
When making your request for access, it would be helpful if you could provide details of the time-periods and aspects of your health record you require (this is optional, but it may help save Practice time and resources and reduce the cost of your access request).
If you are using an authorised representative, you need to be aware that in doing so they may gain access to all health records concerning you, which may not all be relevant. If this is a concern, you should inform your representative of what information you wish them to specifically request when they are applying for access.
If you have any complaints about any aspect of your application to obtain access to your health records, you should first discuss this with the clinician concerned. If this proves unsuccessful, you can make a complaint through the NHS Complaints Procedure by contacting the Practice formally.
Further information about the NHS Complaints Procedure is available on the NHS Choices website at: http://www.nhs.uk/choiceinthenhs/rightsandpledges/complaints/pages/nhscomplaints.aspx
Alternatively you can contact the Information Commissioners Office (responsible for governing Data Protection compliance). Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.
Tel 0303 123 1113 or 01625 545 745 or www.ico.gov.uk/