In accordance with the Access to Health Records Act 1990 individuals have the right to access health records held by a healthcare provider that has treated that individual, and/or to access a summary care record (SCR) created by the individual’s GP. The Data Protection Act (DPA 1998) gives individuals the right to ask for a copy of the information an organisation holds about them; this right is commonly known as a Data Subject Access Request (DSAR). In the case of health records, a request for information has to be made with the organisation that holds the individual’s health records, otherwise known as the data controller.
West Heath Primary Care Centre has mechanisms in place to inform patients of their right to access the information held about them, and how long it will take for a DSAR process to be completed.
With effect from April 2016, NHS practices are, as part of their contractual obligation, to provide patients with access to coded information held within their health records. Such information includes:
• Other (ethnicity, QOF, etc.)
NHS England have published an information leaflet Patient Online which provides further detailed information about this obligation and how patients can access their health record online.
There are occasions when a GP may firmly believe that it is not appropriate to share all the information contained in the individual’s record, particularly if there is potential for such information to cause harm or distress to individuals, or when the record has information relating to a third party.
Patients may request paper copies of health records and, regardless of the preferred method of access, patients and authorised third parties must initially complete a DSAR form. However, patients may request access to their health records informally; any such requests should be annotated within the individual’s health record by the clinician dealing with the patient.
Requests may be received from the following:
Competent patients may apply for access to their own records or authorise third-party access to their records.
Children and young people may also apply in the same manner as other competent patients and West Heath Primary Care Centre will not automatically presume a child or young person has capacity under the age of 16. However, those age 12 or over are expected to have the capacity to consent to medical information being disclosed.
Parents may apply to access their child’s health record so long as it is not in contradiction to the wishes of the competent child.
Individuals with a responsibility for adults who lack capacity are not automatically entitled to access the individual’s health records. West Heath Primary Care Centre will ensure that the patient’s capacity is judged in relation to particular decisions being made. Any consideration to nominate an authorised individual to make proxy decisions for an individual who lacks capacity will comply with the Mental Capacity Act in England and Wales and the Adults with Incapacity Act Scotland.
Next of kin have no rights of access to health records.
Police are not able to access health records without first obtaining a court order or warrant. However, health professionals at West Heath Primary Care Centre may disclose relevant information to the police if the patient has consented or if there is overriding public interest. For detailed information, see section 4.1.6 of footnote 2.
Solicitors and insurance companies in most cases will provide the patient’s signed consent to release information held in their health record. West Heath Primary Care Centre will ensure that patients are fully aware of the information being provided to the solicitor who is acting for that patient. In the case of a solicitor requesting information, the BMA has provided the following templates:
Consent form to release information to solicitors in England & Wales
West Heath Primary Care Centre will ask solicitors to use the appropriate form when requesting information.
Deceased patients retain the right of confidentiality. There are a number of considerations to be taken into account prior to disclosing the health record of a deceased patient. Such considerations are detailed in the Access to Health Records Act 1990. Under the terms of this Act, West Heath Primary Care Centre will only grant access if you are either:
a personal representative (executor of the deceased person’s estate), or
someone who has a claim resulting from the death
The medical records of the deceased will be passed to Primary Care Support England (PCSE) for storage. West Heath Primary Care Centre can advise you of who you need to contact in such instances. PCSE will retain the GP records of deceased patients for ten years, after which time they will be destroyed. PCSE have provided an application form which can be used to request copies of a deceased patient’s record.
In the cases of any third-party requests, West Heath Primary Care Centre will ensure that the patient has consented to the disclosure of this information by means of a valid signature of the patient.
In accordance with the GDPR, patients are entitled to receive a response within the maximum given time frame of one calendar month from the date of submission of the DSAR. In order to ensure full compliance regarding DSARs, West Heath Primary Care Centre will adhere to the guidance provided in the GDPR. In the case of complex or multiple requests, the data controller may extend the response time by a period of two months. In such instances, the data subject must be informed and the reasons for the extension given.
Under The Data Protection (Subject Access Modification) (Health) Order 2000, West Heath Primary Care Centre will ensure that an appropriate healthcare professional manages all access matters. At West Heath Primary Care Centre there are a number of such professionals, and wherever possible the individual most recently involved in the care of the patient will review and deal with the request. If for some reason they are unable to manage the request, an appropriate professional will assume responsibility and manage the access request.
Furthermore, to maintain GDPR compliance, the data controller at West Heath Primary Care Centre will ensure that data is processed in accordance with Article 5 of the GDPR and will be able to demonstrate compliance with the regulation (see GDPR policy for detailed information). Data processors at [West Heath Primary Care Centre will ensure that the processing of personal data is lawful and at least one of the following applies:
The data subject has given consent to the processing of his/her personal data for one or more specific purposes
Processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract
Processing is necessary for compliance with a legal obligation to which the controller is subject
Processing is necessary in order to protect the vital interests of the data subject or another natural person
Procedure for access
A DSAR form(Paper Copies available at the Surgery-Please ask the Reception Staff) must be completed and passed to the data controller; all DSARs should be processed free of charge unless they are either complex, repetitive or unfounded The GDPR states that data subjects should be able to make access requests via email. West Heath Primary Care Centre is compliant with this and data subjects can complete an e-access form and submit the form via email.
Upon receipt of a DSAR, West Heath Primary Care Centre will record the DSAR within the health record of the individual to whom it relates, as well as annotating the DSAR log. Furthermore, once processed, an entry onto the health record should be made, including the date of postage or the date the record was collected by the patient or authorised individual.
Individuals will have to verify their ID at West Heath Primary Care Centre and it is the responsibility of the data controller to verify all requests from data subjects using reasonable measures. The use of the practice’s Data Subject Access Request (DSAR) form supports the data controller in verifying the request. In addition, the data controller is permitted to ask for evidence to identify the data subject, usually by using photographic identification, i.e. a driving licence or passport.
The process upon receipt of a DSAR form is clearly illustrated at Annex C, which is an aide-memoire/flow diagram.
Third-party requests will continue to be received following the introduction of the GDPR. The data controller must be able to satisfy themselves that the person requesting the data has the authority of the data subject.
The responsibility for providing the required authority rests with the third party and is usually in the form of a written statement or consent form, signed by the data subject.
Having a robust system in place will ensure that access to health records is given only to authorised personnel. Patient confidentiality is of the utmost importance and any third-party requests must be accompanied by a valid patient signature. Staff are to adhere to this guidance at all times and where doubt exists, they are to discuss their concerns with Dr G R Arora( Lead GP)