Access to Health Records
Access to Health Records
Copy of GPC Guidance
access to health records by patients
Revised December 2002
Guidance for doctors on access to health records under the Data Protection Act 1998, and on access to the health records of deceased patients under the Access to Health Records Act 1990, or the Access to Health Records (Northern Ireland) Order 1993 June 2000
The implementation of data protection legislation in early 2000 changed patients' statutory rights of access to their health records. The purpose of this guidance is to set out in some detail the legal requirements on doctors as holders of health records. This summary highlights the main points.
What records are covered?
All manual and computerised health records about living people are accessible under the Data Protection Act 1998.
Does it matter when the records were made?
No, access must be given equally to all records regardless of when they were made.
Does the Act cover all of the UK?
Who can apply for access?
Competent patients may apply for access to their own records, or may authorise a third party, such as their lawyer, to do so on their behalf.
Parents may have access to their child's records if this is in the child's best interests and not contrary to a competent child's wishes. People appointed by a court to manage the affairs of mentally incapacitated adults may have access to information necessary to fulfil their function.
Are there any exemptions?
Yes, the main exemptions are that information must not be disclosed if it:
is likely to cause serious physical or mental harm to the patient or another person; or
relates to a third party who has not given consent for disclosure (where that third party is not a health professional who has cared for the patient).
Must copies of the records be given if requested?
Yes, patients are entitled to a copy of their records, for example a photocopy of paper records or print out of computerised records.
Is it necessary for patients to make a formal application for access to see their records?
No, nothing in the law prevents doctors from informally showing patients their records or, bearing in mind duties of confidentiality, discussing relevant health issues with carers.
Can a fee be charged?
Yes, and the fee varies depending on the type of record and whether the patient wants copies of the records or just to see them.
To provide access and copies:
Records held totally on computer: £10
Records held in part on computer and in part manually: a reasonable fee of up to £50
Records held totally manually: a reasonable fee of up to £50
To allow patients to read their records (where no copy is required):
Records held totally on computer: £10
Records held in part on computer and in part manually: £10
Records held totally manually: £10 unless the records have been added to in the last 40 days when no charge can be made
What about access to the records of deceased patients?
The Data Protection Act 1998 only covers the records of living patients. If a person has a claim arising from the death of an individual, he or she has a right of access to information in the deceased's records necessary to fulfil that claim. These rights are set out in the Access to Health Records Act 1990 or Access to Health Records (Northern Ireland) Order 1993. The provisions and fees are slightly different from those in the Data Protection Act and are covered in section 9 below.
Doctors have always had the discretion to allow patients to see their health records and to share information where appropriate with the carers of children and incapacitated adults. Additionally in recent years Acts of Parliament have given certain statutory rights of access to records. None of the legislation prevents doctors from informally showing patients their records or, bearing in mind duties of confidentiality, discussing relevant health issues with carers. Guidance on confidentiality and on sharing information with relatives and carers is available from the BMA's Medical Ethics Department.
1 Legal rights of access to health records and information
From 1 March 2000 throughout the UK the rights of access by living people to their health records whether computerised or manual are as set out in the Data Protection Act 1998 and its regulations. It applies equally to all records regardless of when they were made. Its provisions supersede the previous rights of access under legislation specific to health records. This document explains patients' rights and doctors' obligations under the Act and the glossary describes the Act's terminology. For the sake of clarity we have used 'patient' in place of 'data subject', although many of the rights under the Act apply similarly to other types of records. Although some aspects of access have been amended, others remain unaltered. Limited statutory rights of access to the records of deceased patients still exist in the Access to Health Records Act 1990 or Access to Health Records (Northern Ireland) Order 1993. This is covered in section 9 below. Specific rights in respect of medical reports written for insurance or employment purposes are covered by separate legislation which applies to reports written by doctors who are or have been involved in the subject of the report's clinical care and treatment. Guidance on access to medical reports is available from the BMA's Medical Ethics Department.
2 Rights under the Data Protection Act 1998
2.1 Patients have a right to be informed whether personal data about them is being processed (including obtained, recorded or held) and if so to be given a description of the data, the purposes for which it is being processed and any recipients to whom it may be disclosed.
2.2 Patients have a right of access to health records which:
are about them and from which they can be identified (either directly or in conjunction with other information the person holding the record has or is likely to have);
consist of information relating to their physical or mental health or condition; and
have been made by or on behalf of a health professional in connection with their care.
It is clear, therefore that most records doctors make about patients fall within this definition of 'health record'. The BMA believes that this includes reports written by doctors who examine patients for the sole purpose of writing a report and who have no other clinical relationship with the patient. This interpretation rests on the definition of 'care' (see glossary), which is said to include examination, investigation, diagnosis and treatment. Thus a doctor who writes a report following an examination does so in connection with that patient's 'care' and as such makes what the Act defines as a 'health record'.
The Act also gives rights of access to information held in a 'relevant filing system' and information which is, or is intended to be, automatically processed (e.g. by computer). It is possible, therefore, that patients could also claim access to independent medical reports if they fall within these categories of data.
This interpretation of the Act is compatible with the BMA's general view that all doctors should be open and honest with patients, and should share information with them whenever possible. It has been challenged, however, and legal opinion varies about whether doctors are obliged to comply with requests for access to independent medical reports.
2.3 Access is available to all records whenever they were made. Unlike previous legislation there is no date restriction. Health records and any information as to the source of information in them (for example the identity of a health professional who has contributed to the record) must be communicated to patients in an intelligible form.
2.4 Patients are also entitled to a permanent copy of the information, for example a print out of computerised records or a photocopy of manual records. The copy must be accompanied by an explanation of any terms which are unintelligible. The Act does not require a permanent copy to be provided if this is impossible or involves disproportionate effort, but the BMA can envisage no circumstances in which this might be the case in relation to health records. Even if providing a permanent copy is impossible, the law still requires the patient to be shown the records and the relevant explanations of terms given.
2.5 When records are requested, those supplied must be those in existence at the time of the request. There can be amendments or deletions between the request and the supply of the records provided these would have been made regardless of the request.
2.6 Both the law and good practice require information in health records to be accurate and up to date (see section 10). Doctors must take steps to ensure that the information they rely on is accurate, and any errors of fact or judgement should be rectified. Patients may also seek correction of information they believe is inaccurate. The doctor is not obliged to accept the patient's opinion, but must ensure that the notes indicate the patient's view. Doctors are advised to provide the patient with a copy of the correction or appended note. Amendments to records must be made in a way which indicates why the alteration was made so that it is clear that records have not been tampered with for any underhand reason. Patients also have the right to apply to court to have inaccurate records amended (and may seek the assistance of the Information Commissioner for this purpose). The courts have the power to require that inaccurate data and any expression of opinion based on them are corrected or removed. A court may also require that the records be supplemented by a statement of the true facts, and that third parties be notified of any corrections.
2.7 Patients are entitled to be informed of the logic involved in any automatic decisions made about them, for example decisions made by a computer system.
3 Applications for access
3.1 Nothing in the Act prevents doctors from giving patients access to their records on an informal and voluntary basis provided no other provisions of the Act preventing disclosure are breached.
3.2 Formal applications for access must be in writing and accompanied by the appropriate fee.
4 Who can apply for access?
4.1 Any patient is entitled to seek access to his or her health records.
4.2 Where the patient is a child (under 18, or, in Scotland, under 16), any person with parental responsibility  may apply for access to the records. Where more than one person has parental responsibility, each may independently exercise rights of access. A common enquiry to the BMA concerns a child who lives with his or her mother and whose father applies for access to the child's records. In such circumstances there is no obligation to inform the child's mother that access has been sought. Access should only be given with the child's consent if the child is capable of giving consent. If the child lacks the capacity to understand the nature of the application but access would be in his or her best interests, access may be granted.
4.3 Competent young people may also seek access to their own health records.
4.4 Where the patient is incapable of managing his or her own affairs, a person appointed by a court to manage those affairs may seek access to the records. Access should be restricted to the information necessary for the appointee to carry out his or her functions.
4.5 A competent patient may authorise a third party to seek access on his or her behalf. Thus, for example, patients may authorise solicitors to seek access to their records under the Act. The third party must provide proof that he or she is acting on the patient's behalf. Where the third party is authorised in writing, doctors should request a copy of this authorisation if it is not supplied at the time of the request. If there is any doubt about the patient's wishes it may be necessary to contact the patient to verify that consent has been given.
5 Who must give access
5.1 Requests for access are made to the person in charge of keeping the records; the data controller. This is usually the health professional responsible for the patient's care, but may in some circumstances be another health professional or, for example, a member of records management staff.
5.2 Irrespective of who is the data controller, decisions about disclosure must be made by the 'appropriate health professional'. This is usually the health professional currently or most recently responsible for the clinical care of the patient in respect of the matters which are the subject of the request. If there is more than one, it should be the person most suitable to advise. If there is none, advice should be sought from another health professional who has suitable qualifications and experience.
5.3 Where the data controller is not the appropriate health professional, advice must be taken from that person before granting access. If, however, within the previous 6 months the appropriate health professional has provided a written opinion that records may be disclosed, and there is nothing to suggest that it would be reasonable to re-consult the health professional, the data controller may release the records. Similarly, if the data controller is satisfied that the patient is already familiar with the content of the records, there is no need to consult the appropriate health professional.
5.4 The courts have the power to order disclosure or non-disclosure. Patients or other people likely to be affected by disclosure (for example a person likely to suffer serious harm if information is disclosed) can apply to the courts.
6 Time limits for giving access and for making fresh requests
6.1 Access must be given promptly and in any event within 40 days of receipt of the fee and request. If the application does not include sufficient information to identify the person making the request or to locate the information, that information should be sought promptly and the 40 day period begins when it is supplied.
6.2 If access has been given, there is no obligation to give access again until a reasonable time interval has elapsed. What is reasonable depends on the nature of the data, the purposes for which it is processed and the frequency with which it has been altered.
7 Prescribed maximum fees chargeable for access
The maximum fees which may be charged are prescribed by the Secretary of State and set out in Regulations.
7.1 If records are held totally on computer, a maximum of £10 may be charged for providing access to and/or copies of the records.
7.2 No fee may be charged for allowing patients to read their records if all the information requested is held in manual form, no copy is requested, and at least some of the record was made in the 40 days prior to the request  If manual records have not been added to in the 40 days prior to a request to see the records, £10 may be charged.
7.3 If copies are requested, where at least part of the information requested is held manually, a reasonable fee of up to £50 may be charged for providing access and supplying copies. The legislation offers no guidance on scales of charges up to £50. Doctors must therefore assess what charge it is reasonable to make.
7.4 In the past the BMA has suggested copying charges but doctors should look to their actual costs and be able, if asked, to justify any fee charged. Factors which may be taken into account in calculating costs include local labour costs, (including employees' pay and additions for national insurance, superannuation, holiday and sick cover), pro rated overhead costs (for example rent and heat) and machines' hard copy costs (such as lease, repairs, paper and ink). Lack of flexibility in being able to bring in junior staff at short notice and/or the need to use experienced staff to ensure accurate copying and maintenance of confidentiality, may mean labour costs are not at the lowest clerical rates.
8 Information which cannot be disclosed
Certain information, described below, must not be released, and there is no obligation to inform patients if information is withheld on any of these grounds. There is still an obligation to disclose the remainder of the records.
8.1 Third parties
Where records contain information which relates to an identifiable third party, that information may not be released unless:
the third party is a health professional who has compiled or contributed to the health records or who has been involved in the care of the patient (thus there is no requirement to contact other health professionals who have contributed to records, or whose correspondence is part of the records, although this may be helpful in some cases);
that other individual gives consent to the disclosure of that information; or
it is reasonable to dispense with that third party's consent (taking into account duty of confidentiality owed to the other individual, any steps to seek his or her consent, whether he or she is capable of giving consent and whether consent has been expressly refused). Where health records include information from other identifiable sources, it is advisable to distinguish this information in the records to avoid inadvertent disclosure. Doctors must still disclose as much of the information in the records as is possible without revealing the identity of the third party. The Act suggests that this might be done by omitting names and identifying particulars from the records before disclosure, and care should be taken to ensure that the information is genuinely anonymous. Doctors are not required under the Act to approach a third party for consent to disclosure, although may wish to in some circumstances. If consent is sought, doctors should, in the meantime, release the remainder of the records.
Access must not be given to any information which, in the opinion of the appropriate health professional, would be likely to cause serious harm to the patient or another person The decision about likely harm must be taken by the appropriate health professional, usually the treating doctor. Circumstances in which information may be withheld on these grounds of harm are extremely rare. This exemption does not justify withholding comments in the records because patients may find them upsetting.The BMA advises that if harm could arise from providing access, advice from others involved in providing care may be helpful in assessing the nature and extent of the risk. For example it is particularly recommended that psychiatrists and GPs liaise before psychiatric records are released although there is generally no duty to inform or seek advice from any other health professional.
When a third party applies for access on behalf of a patient no information can be disclosed which the patient had provided on the understanding that it would be kept confidential or about which the patient had requested non-disclosure. Similarly, no results of examinations or investigations can be disclosed if the patient had expected the results to be kept confidential. Doctors should clearly mark records where such an expectation exists at the time the information is given or examinations carried out, or where such a request has been made in order to ensure that the wishes of patients are respected.
8.4 Legal privilege
Access may not be given to records which are subject to legal professional privilege or, in Scotland, to confidentiality as between client and professional legal advisor. This may arise in the case of an independent medical report written for the purpose of litigation.
8.5 Court proceedings
The courts have the power to restrict access to information as to the physical or mental health or condition of the patient supplied to the court in a report or other evidence from a local authority, Health and Social Services Board, Health and Social Services Trust, probation officer or other person in the course of certain family and children court proceedings.
8.6 Fertility treatment
When disclosing information under the Data Protection Act 1998, no information may be disclosed about the keeping or use of gametes or embryos. Similarly no information may be disclosed which reveals whether an identifiable individual was, or may have been, born as a result of fertility treatment (in vitro fertilisation or the use of donated ova, sperm or embryos).
The Act does not allow disclosure of information whose disclosure is already prohibited in legislation concerning adoption records and reports, statements of a child's special educational needs and parental order records and reports and (for Scotland only) information provided by the principal reporter for children's hearings. Doctors who believe their records may contain such information should seek legal advice.
8.8 Other information
The Secretary of State may make further orders to exclude other types of data if this is necessary to safeguard the interests of patients or the rights and freedoms of others.
None of these exemptions apply where the disclosure is required by law, or is necessary for the purposes of establishing, exercising or defending legal rights. Advice on disclosure in connection with legal proceedings is available from the BMA.
9 Access to records of deceased patients
The Data Protection Act 1998 does not cover the records of deceased patients. Statutory rights of access to these are contained within the Access to Health Records Act 1990 and Access to Health Records (Northern Ireland) Order 1993. The provisions are very similar to those of the Data Protection Act 1998, and are summarised below.
9.1 Any person with a claim arising from the death of a patient has a right of access to information covered by the Act and directly relevant to that claim. No information which is not directly relevant to the claim may be released. Thus a personal representative or executor can access information to benefit the deceased's estate, as can an individual who was a dependant of the deceased and who has a claim relating to that dependency which has arisen from the death.
9.2 The Access to Health Records Act 1990 covers manual health records made since 1 November 1991. In Northern Ireland the corresponding legislation, the Access to Health Records (Northern Ireland) Order 1993, covers manual records since 30 May 1994. Access must also be given to information recorded before these dates if this is necessary to make any later part of the records intelligible.
9.3 There are certain exemptions to this right, and information may be withheld if:
it identifies a third party without that person's consent unless that person is a health professional who has cared for the patient;
in the opinion of the relevant health professional, it is likely to cause serious harm to somebody's physical or mental health; or
the patient gave it in the past on the understanding that it would be kept confidential. Similarly no results of examinations or investigations which the patient thought would be confidential at the time they were carried out can be disclosed. No information at all can be revealed if the patient requested non-disclosure.
9.4 It follows that doctors should counsel their patients about the possibility of disclosure after death and solicit views about eventual disclosure where it is obvious in the circumstances that there may be some sensitivity. Such discussions should be recorded in the records.
9.5 After a patient's death the health records may be held by the Primary Care Trust or Central Services Agency. These bodies are required to take advice before making a decision about disclosure. This is usually from the patient's last GP or, if several health professionals have contributed to the care of the patient, the doctor who was responsible for the patient's care during the period to which the application refers. If no appropriate doctor who has cared for the patient is available, a suitably qualified and experienced health professional must advise.
9.6 Once the person holding the records is satisfied that the person requesting the information is entitled to it, access must then be given within specified time limits. Where the application concerns access to records any of which were made in the 40 day period immediately preceding the date of application access must be given within 21 days. Where the information concerns information all of which was recorded more than 40 days before the date of application, access must be given within 40 days. If the records are held by a health service body access cannot be given before advice has been obtained (see section 9.5).
9.7 Access can be given by allowing the applicant to inspect the records or extract or by supplying a copy if this is requested.
9.8 The courts may enforce compliance with the legislation if access is not given within the required time limits. The court may also require that the records be made available for its own inspection in order to come to a decision.
9.9 An access fee of up to £10 may be charged for providing access to information where all of the records were made more than 40 days before the date of the application. No access fee may be charged for providing access to information if the records have been amended or added to in the last 40 days.
9.10 Where a copy is supplied, a fee not exceeding the cost of making the copy may be charged. The copy charges should be reasonable as the doctor may have to justify them (see section 7.4). If applicable, the cost of posting the records may also be charged.
9.11 There is no statutory right of access to records of deceased patients which fall outwith the time period covered by the legislation (see section 9.2). Doctors asked to release such information should bear in mind that their duty of confidentiality extends beyond the patient's death, and should act in accordance with the deceased's wishes where these are known. If access to these records is being granted, the BMA advises that doctors should apply the safeguards and restrictions of the legislation to prevent harm or breach of confidence.
9.12 Doctors may charge a professional fee to cover the costs of giving access to the records of deceased patients not covered by legislation.
10 BMA advice on record keeping
10.1 Doctors must keep 'clear, accurate, legible and contemporaneous patient records which report the relevant clinical findings, the decisions made, the information given to patients and any drugs or other treatment prescribed'. Records must be legible and factual, and personal views about the patient's behaviour or temperament should not be included unless these have a potential bearing on treatment.
10.2 Doctors should ensure that their manner of keeping records facilitates access by patients if requested. It may be helpful to order, flag or highlight records so that when access is given under the Act, any information which should not be disclosed is readily identifiable (see section 8).
10.3 If patients express views about future disclosure to third parties, this should be documented in the records. Doctors may wish to initiate discussion about future disclosure with some patients if it seems foreseeable that controversial or sensitive data may be the issue of a future dilemma, for example after the patient's death.
10.4 Older entries in health records were often not written in the expectation that patients would see the records or obtain copies of them, and the BMA is aware of some concern about how to deal with giving access to records written in a way which patients might find upsetting. Doctors are not entitled to withhold information if patients exercise their right of access (unless any of the limited exemptions apply, see section 8). They may, however, offer to delete any inappropriate comments (see sections 2.5 and 2.6), and may find it helpful to discuss any potentially distressing entries with patients in advance of access.
11 Further queries
11.1 Doctors with queries about any aspects of charging for access to health records may contact their local BMA office for advice.
Definitions and terminology in the Data Protection Act
Wherever possible, we have avoided using the terminology from the Data Protection Act. The legislation covers a vast range of records, and gives responsibilities to all people who use and control the data in them. Some of the terminology is relevant, however, and some key definitions are given below. Reference to the Act will be necessary for the precise definitions.
Data is defined to mean
information which is processed by computer;
information which is recorded with the intention it should be so processed;
information which is recorded as part of a filing system, which is so structured that information about any individual is readily accessible;
information which does not fall within (a) (b) or (c) but forms part of an accessible record (which health records do).
Personal data means any data relating to a living individual who can be identified from those data or from those data and other information in the possession or likely to come into the possession of the data controller. Personal data includes expression of opinion about the individual.
Processing includes any of the following operations on information or data: obtaining, recording, holding, organising, adapting, altering, retrieving, consulting, using, disclosing (by transmission, dissemination or otherwise making available), aligning, combining, blocking, erasing or destroying.
A health record is any record which consists of information:
relating to the physical or mental health or condition of an individual; and
which has been made by or on behalf of a health professional in connection with the care of that individual.
Information includes both fact and opinion. Records may therefore include, such things as correspondence between health professionals, internal memoranda, reports written for third parties such as insurance companies, clinical and operation notes, nursing notes and charts, investigation requests and results, X Ray and other films, photographs and perhaps videos, entries in hospital or department wide registers and records such as theatre lists, booking in registers. Records may also cover certain clinical audit data if the patient is identifiable from these.
The BMA advises doctors not to keep duplicate or personal records. Any such records are covered by the Act and are therefore accessible by patients.
Care is defined in the Data Protection (Subject Access Modification) (Health) Order 2000 as including examination, investigation, diagnosis and treatment. Strictly speaking, the definition covers only the usage of the term in this Order, although the absence of other definitions, and the fact that this repeats the definition still contained in the Access to Health Records Act 1990 suggest that it is appropriate to use in all matters relating to the Data Protection Act 1998. The BMA therefore believes that this definition should be used in connection with the definition of a 'health record'.
Health professional includes a registered medical practitioner as well as a list of other health practitioners.
This includes health professionals working in the NHS, private practice, Crown public service (e.g. prison doctors, doctors in the armed services and civil service occupational physicians) and industry.
Appropriate health professional is the health professional who is currently or was most recently responsible for the clinical care of the patient in respect of the matters which are the subject of the request. If there is more than one it is the one most suitable to advise on those matters. If there is none, then it is another health professional who has the necessary experience and qualifications.
1 British Medical Association. 'Confidentiality and disclosure of health information'. London: BMA, 1999.
2 The Data Protection Act 1998 amended these pieces of legislation, but did not affect access to the records of deceased patients.
3 British Medical Association. 'Guidelines on the Access to Medical Reports Act 1988'. London: BMA, 1988.
4 Access to the manual health records of living patients was previously governed by the Access to Health Records Act 1990 which covered only information since 1 November 1991. In Northern Ireland the relevant legislation was the Access to Health Records (Northern Ireland) Order 1993 which covered records since 30 May 1994.
5 Not all parents have parental responsibility. Both parents have parental responsibility if they were married at the time of the child's conception, or birth, or at some time after the child's birth. Neither parent loses parental responsibility if they divorce. If the parents have never married, only the mother automatically has parental responsibility (although the government has announced its intention to change these rules). The father may acquire that status through a parental responsibility agreement with the mother and registered with the High Court or through a parental responsibility order made by a court if it is satisfied that it is in the best interests of the child to confer parental responsibility on the father. Other people also acquire parental responsibility by being appointed as guardian (the appointment taking effect on the death of the parents) or on the order of a court.
6 Patients may ask for their request for access to be limited in this way so they incur no fee.
7 There is, however, guidance for educational records.
8 British Medical Association. 'Confidentiality and disclosure of health information'. London: BMA, 1999.
9 General Medical Council. 'Good medical practice'. London: GMC, May 2001