Access to Medical Records Policy Including Subject Access Requests

Policy Statement
The purpose of this document is to ensure that appropriate procedures are in place at Grosvenor House Surgery to enable individuals to apply for access to information held about them, and for authorised individuals, information held about other people. This policy is written in conjunction with the following government legislation:

  1. The Access to Health Records Act 1990
  2. The Access to Medical Reports Act 1988
  3. The General Data Protection Regulation
  4. The Data Protection Act 2018
  5. The Freedom of Information Act 2000
  6. The Data Protection (Subject Access Modification) (Health) Order 2000

Status
This document and any procedures contained within it are contractual and therefore form part of your contract of employment. Employees will be consulted on any modifications or change to the document’s status.

Training and support
The practice will provide guidance and support to help those to whom it applies understand their rights and responsibilities under this policy. Additional support will be provided to managers and supervisors to enable them to deal more effectively with matters arising from this policy.

Who it applies to
This document applies to all employees of the practice and other individuals performing functions in relation to the practice, such as agency workers, locums and contractors.

Why and how it applies to them
In accordance with the General Data Protection Regulation individuals have the right to access their data and any supplementary information held by Grosvenor House Surgery; this is commonly known as a data subject access request (DSAR). Data subjects have a right to receive:

  • Confirmation that their data is being processed
  • Access to their personal data
  • Access to any other supplementary information held about them

This policy will outline the procedure to access health records at Grosvenor House Surgery as follows:

  • For an individual, for information about themselves
  • For access to the health records of a deceased individual
  • Access to health records of an individual by an authorised person (by a court), when the individual does not have the capacity to make such a decision
  • Organisations requesting information about an individual for employment or insurance purposes (governed by The Access to Medical Reports Act 1988)

The practice aims to design and implement policies and procedures that meet the diverse needs of our service and workforce, ensuring that none are placed at a disadvantage over others, in accordance with the Equality Act 2010. Consideration has been given to the impact this policy might have in regard to the individual protected characteristics of those to whom it applies.

Right to access
In accordance with the Access to Health Records Act 1990 individuals have the right to access health records held by a healthcare provider that has treated that individual, and/or to access a summary care record (SCR) created by the individual’s GP. The Data Protection Act (DPA 1998) gives individuals the right to ask for a copy of the information an organisation holds about them; this right is commonly known as a Data Subject Access Request (DSAR). In the case of health records, a request for information has to be made with the organisation that holds the individual’s health records, otherwise known as the data controller.

Grosvenor House Surgery has mechanisms in place to inform patients of their right to access the information held about them, and how long it will take for a DSAR process to be completed.

With effect from April 2016, NHS practices are, as part of their contractual obligation, to provide patients with access to coded information held within their health records. Such information includes:

  • Demographics
  • Allergies
  • Immunisations
  • Medication
  • Results
  • Procedures
  • Values
  • Problems/diagnoses
  • Other (ethnicity, QOF, etc.)

NHS England have published an information leaflet Patient Online which provides further detailed information about this obligation and how patients can access their health record online.

There are occasions when a GP may firmly believe that it is not appropriate to share all the information contained in the individual’s record, particularly if there is potential for such information to cause harm or distress to individuals, or when the record has information relating to a third party.

Patients may request paper copies of health records and, regardless of the preferred method of access, patients and authorised third parties must initially complete a DSAR form. However, patients may request access to their health records informally;[1] any such requests should be annotated within the individual’s health record by the clinician dealing with the patient.

Requests
Requests may be received from the following:

Competent patients may apply for access to their own records or authorise third-party access to their records.
Children and young people may also apply in the same manner as other competent patients and Grosvenor House Surgery will not automatically presume a child or young person has capacity under the age of 16. However, those aged 12 or over are expected to have the capacity to consent to medical information being disclosed.[2]
Parents may apply to access their child’s health record so long as it is not in contradiction to the wishes of the competent child.[3]
Individuals with a responsibility for adults who lack capacity are not automatically entitled to access the individual’s health records. Grosvenor House Surgery will ensure that the patient’s capacity is judged in relation to particular decisions being made. Any considerations to nominate an authorised individual to make proxy decisions for an individual who lacks capacity will comply with the Mental Capacity Act in England and Wales and the Adults with Incapacity Act Scotland.
Next of kin have no rights of access to health records.
Police are not able to access health records without first obtaining a court order or warrant. However, health professionals at Grosvenor House Surgery may disclose relevant information to the police if the patient has consented or if there is overriding public interest. For detailed information, see section 4.1.6 of footnote 2.
Solicitors and insurance companies in most cases will provide the patient’s signed consent to release information held in their health record. Grosvenor House Surgery will ensure that patients are fully aware of the information being provided to the solicitor who is acting for that patient. In the case of a solicitor requesting information, the BMA has provided the following templates:

Grosvenor House Surgery will ask solicitors to use the appropriate form when requesting information.
Deceased patients retain the right of confidentiality. There are a number of considerations to be taken into account prior to disclosing the health record of a deceased patient. Such considerations are detailed in the Access to Health Records Act 1990.  Under the terms of this Act, Grosvenor House Surgery will only grant access if you are either:

  • a personal representative (executor of the deceased person’s estate), or
  • someone who has a claim resulting from the death

The medical records of the deceased will be passed to Primary Care Support England (PCSE) for storage. Grosvenor House Surgery can advise you of who you need to contact in such instances. PCSE will retain the GP records of deceased patients for ten years, after which time they will be destroyed. PCSE have provided an application form which can be used to request copies of a deceased patient’s record.

In the cases of any third-party requests, Grosvenor House Surgery will ensure that the patient has consented to the disclosure of this information by means of a valid signature of the patient.

In accordance with the GDPR, patients are entitled to receive a response within the maximum given time frame of one calendar month from the date of submission of the DSAR. In order to ensure full compliance regarding DSARs, Grosvenor House Surgery will adhere to the guidance provided in the GDPR.    In the case of complex or multiple requests, the data controller may extend the response time by a period of two months. In such instances, the data subject must be informed and the reasons for the extension given.

Under The Data Protection (Subject Access Modification) (Health) Order 2000, Grosvenor House Surgery will ensure that an appropriate healthcare professional manages all access matters. At Grosvenor House Surgery there are a number of such professionals, and wherever possible the individual most recently involved in the care of the patient will review and deal with the request. If for some reason they are unable to manage the request, an appropriate professional will assume responsibility and manage the access request.

Furthermore, to maintain GDPR compliance, the data controller at Grosvenor House Surgery will ensure that data is processed in accordance with Article 5 of the GDPR and will be able to demonstrate compliance with the regulation (see GDPR policy for detailed information). Data processors at Grosvenor House Surgery will ensure that the processing of personal data is lawful and at least one of the following applies:

  • The data subject has given consent to the processing of his/her personal data for one or more specific purposes
  • Processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract
  • Processing is necessary for compliance with a legal obligation to which the controller is subject
  • Processing is necessary in order to protect the vital interests of the data subject or another natural person

Procedure for access
A DSAR form (Annex A) must be completed and passed to the data controller; all DSARs should be processed free of charge unless they are either complex, repetitive or unfounded (see GDPR Policy). The GDPR states that data subjects should be able to make access requests via email. Grosvenor House Surgery is compliant with this and data subjects can complete an e-access form and submit the form via email.
Upon receipt of a DSAR Grosvenor House Surgery will record the DSAR within the health record of the individual to whom it relates, as well as annotating the DSAR log (template provided at Annex B).  Furthermore, once processed, an entry onto the health record should be made, including the date of postage or the date the record was collected by the patient or authorised individual.

Individuals will have to verify their ID[4] at Grosvenor House Surgery and it is the responsibility of the data controller to verify all requests from data subjects using reasonable measures. The use of the practice’s Data Subject Access Request (DSAR) form supports the data controller in verifying the request. In addition, the data controller is permitted to ask for evidence to identify the data subject, usually by using photographic identification, i.e. a driving licence or passport.

The process upon receipt of a DSAR form is clearly illustrated at Annex C, which is an aide-memoire/flow diagram.

Additional Privacy Information notice
Once the relevant information has been processed and is ready for issue to the patient, it is a requirement, in accordance with Article 15 of the General Data Protection Regulation (GDPR), to provide an Additional Privacy Information notice (APIn), the template for which can be found at Annex E.

Third-party requests
Third-party requests will continue to be received following the introduction of the GDPR. The data controller must be able to satisfy themselves that the person requesting the data has the authority of the data subject.
The responsibility for providing the required authority rests with the third party and is usually in the form of a written statement or consent form, signed by the data subject.

Summary
Having a robust system in place will ensure that access to health records is given only to authorised personnel. Patient confidentiality is of the utmost importance and any third-party requests must be accompanied by a valid patient signature. Staff are to adhere to this guidance at all times and where doubt exists, they are to discuss their concerns Grosvenor House Surgery.
Please see… https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/

Access to medical records policy inc SAR – inc. forms

[1] How do I access my medical records (health records)? http://www.nhs.uk/chq/pages/1309.aspx?categoryid=68

[2] Access to health records

https://www.bma.org.uk/advice/employment/ethics/confidentiality-and-health-records/access-to-health-records

[3] Parental responsibility

https://www.bma.org.uk/advice/employment/ethics/children-and-young-people/parental-responsibility

[4] Good Practice Guidance on ID Verification

https://www.england.nhs.uk/wp-content/uploads/2015/03/identity-verification.pdf