Sharing Your Medical Record
Increasingly, patient medical data is shared, e.g. between GP surgeries and District Nursing, in order to give clinicians access to the most up-to-date information when attending patients.
The systems we operate require that any sharing of medical information is consented to by patients beforehand. Patients must consent to sharing of the data held by a health provider out to other health providers and must also consent to which of the other providers can access their data.
For example, it may be necessary to share data held in GP practices with district nurses, but the local podiatry department would not need to see it to undertake their work. In this case, patients would allow the surgery to share their data and would allow the district nurses to access it, but they would not allow access by the podiatry department. In this way access to patient data is under patients' control and can be shared on a 'need to know' basis.
Summary Care Record
There is a new Central NHS Computer System called the Summary Care Record (SCR). The Summary Care Record is meant to help emergency doctors and nurses help you when you contact them when the surgery is closed. Initially, it will contain just your medications and allergies.
Later on, as the central NHS computer system (known as the ‘Summary Care Record’, SCR) develops, other staff who work in the NHS will be able to access it, along with information from hospitals, out-of-hours services and specialists’ letters that may be added as well.
Your information will be extracted from practices such as ours and held on central NHS databases.
As with all new systems there are pros and cons to think about. When you speak to an emergency doctor you might overlook something that is important and if they have access to your medical record it might avoid mistakes or problems, although even then, you should be asked to give your consent each time a member of NHS Staff wishes to access your record, unless you are medically unable to do so.
On the other hand, you may have strong views about sharing your personal information and wish to keep your information at the level of this practice. Connecting for Health (CfH), the government agency responsible for the Summary Care Record, has agreed with doctors’ leaders that new patients registering with this practice should be able to decide whether or not their information is uploaded to the Central NHS Computer System.
For existing patients it is different in that it is assumed that you want your record uploaded to the Central NHS Computer System unless you actively opt out.
Subject Access Requests / Access to Medical Records
What is a Subject Access Request?
A request for copies of the information about you held by us. Once received, we aim to complete this request within 30 days.
A request for access to health records in accordance with the GDPR can be made in writing to the Practice by completion of the form available by clicking here or by emailing CPICB.firstname.lastname@example.org.
All requests should be documented. The documented request should then be passed on to either the Practice Manager or the Information Governance lead. Requests must be recorded in the Subject Access Request Register.
A request does not have to include the phrase “subject access request” or “Article 15 of the GDPR” or “data protection” or “right of access”.
The requester should provide enough proof to satisfy the Practice of their identity (and the Practice is entitled to verify their identity using “reasonable means”). The Practice must only request information that is necessary to confirm who they are. The Practice should request any identity verification as soon as possible after the request has been received.
The default assumption when a requester asks for “a copy of their GP record” is that the information requested by the individual is the entire GP record. However, the Practice may check with the applicant whether all or just some of the information contained in the health record is required before processing the request. The GDPR permits the Practice to ask the individual to specify the information the request relates to (Recital 63) where the Practice is processing a large amount of information about the individual. As a result, the information disclosed can be less than the entire GP record by mutual agreement (the individual must agree so voluntarily and freely).
A patient, or their representative, is under no obligation to provide a reason for the request, even if asked by the Practice.
Secure Online Records Access
The Practice can, if appropriate, offer to enable a requester to securely access their full GP electronic record online. This would then allow them to access all information that they might be seeking. Access should follow identity verification and a review of the record.
Recital 63 of the GDPR states:
“Where possible, the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to his or her personal data.”
Patients Living Abroad
Former patients living outside of the UK who once had treatment during their stay here still have the same rights under GDPR to apply for access to their UK health records. Such a request should be dealt with in the same way as an access request made from within the UK.
A patient can give written authorisation for a person (for example a solicitor or relative) to make an application on their behalf.
The Practice must be satisfied that the third party making the request is entitled to act on behalf of the individual, but it is the third party’s responsibility to provide evidence of this entitlement. This might be a written authority to make the request, or it might be a more general power of attorney (Legal Power of Attorney for Health and Welfare) in the case of an individual who no longer has the mental capacity to manage their own health.
The Practice is entitled to send the information requested directly to the patient if we think that the patient may not understand what information would be disclosed to a third party who has made a request on their behalf.
A next of kin has no rights of access to the medical record, unless they have Power of Attorney.
A person appointed by the court to manage the affairs of a patient who is incapable of managing his or her own affairs may make an application. Access may be denied where the GP is of the opinion that the patient underwent relevant examinations or investigations in the expectation that the information would not be disclosed to the applicant.
No matter their age, it is the child who has the right of access to their information.
Before responding to a subject access request for information held about a child, we should consider whether the child is mature enough to understand their rights. If we are confident that the child can understand their rights, then we should usually respond directly to the child. We may, however, allow the parent to exercise the child’s rights on their behalf if the child authorises this, or if it is evident that this is in the best interests of the child.
What matters is that the child is able to understand (in broad terms) what it means to make a subject access request and how to interpret the information they receive as a result of doing so.
When considering borderline cases, the Practice should take into account, among other things:
- the child’s level of maturity and their ability to make decisions like this;
- the nature of the personal data;
- any court orders relating to parental access or responsibility that may apply;
- any duty of confidence owed to the child or young person;
- any consequences of allowing those with parental responsibility access to the child’s or young person’s information. This is particularly important if there have been allegations of abuse or ill treatment;
- any detriment to the child or young person if individuals with parental responsibility cannot access this information; and
- any views the child or young person has on whether their parents should have access to information about them.
A person with parental responsibility is either:
- the birth mother, or
- the birth father (if married to the mother at the time of the child’s birth or subsequently), or
- an individual given parental responsibility by a court.
(This is not an exhaustive list but contains the most common circumstances).
If the appropriate health professional considers that a child patient is Gillick competent (i.e. has sufficient maturity and understanding to make decisions about disclosure of their records) then the child should be asked for his or her consent before disclosure is given to someone with parental responsibility.
If the child is not Gillick competent and there is more than one person with parental responsibility, each may independently exercise their right of access. Technically, if a child lives with, for example, their mother and the father applies for access to the child’s records, there is no “obligation” to inform the mother. In practical terms, however, this may not be possible and both parents should be made aware of access requests unless there is a good reason not to do so.
In all circumstances good practice dictates that a Gillick competent child should be encouraged to involve parents or other legal guardians in any treatment/disclosure decisions.
Notification of Requests
The Practice will keep a Subject Access Request Register of all requests in order to ensure that requests and response deadlines are monitored and adhered to.
The Practice must provide a copy of the information free of charge.
However, the Practice may charge a reasonable fee to comply with requests for further copies of the same information. The fee must be based on the administrative cost of providing the information.