Access to Records

Under the Data Protection Act 1988, patients have the right to see or obtain a copy of their medical records.

There are some exceptions in this ruling:

  • Access may be refused if healthcare professionals believe that information in the records is likely to cause serious harm to the patient or another person.
  • Details about third parties (information which may identify someone else, unless that person gives their permission) might be removed from the records.
  • If applying for access on behalf of someone else, written consent or a power of attorney is required.

The practice does not have to inform the patient if information has been withheld under these categories.


Doctors and other medical personnel and health institutions have a duty to maintain patient’s records in confidence. This is a common law rule- there is no specific legislation on the issue.

There is also an ethical duty as confidentiality is enshrined in the Hippocratic Oath. The Medical Council guidelines say that;

“Confidentiality is a time honoured principle of medical ethics; it extends after death and is fundamental to the doctor/patient relationship. While the concern of relatives and close friends is understandable, the doctor must not disclose information to any person without the consent of the patient.”

“All medical records in what ever format and wherever kept, must be safeguarded. Doctors are responsible for ensuring that other health professionals and ancillary staff working with them maintain confidentiality at all times and are aware of the dangers implicit in the use of computers, electronic processors….”

There are some circumstances in which a health professional may disclose confidential medical records to other- for example, if the patient consents to such disclosure or when it is required by a court. It may also be ethical to disclose medical records if it would be in the patients best interests, if necessary, to protect another person or society generally.

There are certain legal requirements to disclose information, for example, in relation to infectious diseases. Doctors are obliged to report incidences or specified infectious disease to health boards and the Infectious Diseases Surveillance Centre.

This information must be disclosed without identifying the patient.

The confidentiality of personal information such as medical records is protected by both the data protection legislation and the Freedom of Information Act. Under both acts, third parties may not get access to personal information except under exceptional circumstances. These third parties would be parents/guardians and personal representatives.

Where patient information is to be disclosed, an assessment should be made as to the extent of any information to be provided and whether this is wholly necessary.

Where staff are unsure on any disclosure, all staff must take direction from the nominated Information Governance Lead, Dr DNP Singh.

Access Request by a Patient

Patients who request to have access to their medical records should do so formally in writing to the Practice Manager. By law the patient is entitled to receive a response no later than 40 days after their application is received, however in line with NHS guidelines the practice will respond no later than 21 days.

Medical records of patients requesting access (including those requests made on their behalf e.g. by solicitors) are first to be viewed by a doctor. The doctor will screen the records to ensure that if it contains information they believe may cause serious harm to the patient, or other persons, or pertains to third parties it is omitted from the record. They will also ensure that the records are presented in a format, which the patient can understand.

A mutually acceptable time will be offered to patients who wish to read their records in surgery, and this viewing will be done in the presence of a member of the practice team, who will be able to answer any questions arising.

Access Request by Third Party

If the patient is a child, i.e. under 16 years of age, the application may be made by someone with parental responsibilities; in most cases this means a parent or guardian.

If the child is capable of understanding the nature of the application his/her consent should be obtained or alternatively the child may submit an application on their own behalf. Generally children will be presumed to understand the nature of the application if aged between 12 and 16. All cases will be considered individually.

Where the third party is a solicitor, insurance company or similar institution, a written form of patient consent must be provided before the records are made available.

All consent forms must be scanned onto the patient record and a note made on the Record where a copy of the records has been sent. If the record is posted, this must be done by First Class Recorded Delivery and a receipt with a unique tracking number obtained. These unique numbers will be retained by the Practice Manager.

Name: Dr DNP Singh
Date approved: February 2nd 2012
Review date: February 2nd 2013