06 / 10 / 2015
Accessing and sharing health records and patient confidentiality
House of Commons, October 2015
This briefing from the House of Commons Library reviews how patients’ medical records are shared and accessed. It looks at the safeguarding arrangements that exist for confidential patient information, and what the Government’s future aims are in relation to medical records.
The three pieces of legislation governing access to patient health records are The Data Protection Act 1998, The Access to Health Records Act 1990 and The Medical Reports Act 1998. The first governs the rights of living individuals and authorised persons, the second governs access to deceased patient’s records, and the third outlines the rights of individuals to access reports relating to themselves provided by medical practitioners for employment or insurance purposes. The release of any record is subject to consultation with the health professional. Hospital records are retained for a minimum of eight years, whilst GP records are retained for a minimum of 10 years. There is a charge for access or viewing the records with the Government stating that patients should be given access to their health records within 21 days following a request.
Access may be limited where information could cause harm to the physical or mental health or condition of the patient, or where information would be disclosed relating to a third person who had not consented. An individual with parental responsibility for a child has the right to view the child’s health records, although health professionals must take into account their confidentiality duty. The Access to Health Records Act 1990 allows patient’s personal representatives and any person who may have a claim arising out of the patient’s death access to their record.
The Health and Social Care Act 2012 enabled the Health and Social Care Information Centre (HSCIC) to collect and share confidential information from health records via a “care.data” service in order to improve the delivery of healthcare and to benefit researchers inside and outside the NHS. Six CCGs were chosen as pathfinders with practices planning to communicate with patients in autumn 2015. This scheme will now not be launched until the National Patient Data Guardian is satisfied that adequate proposals and safeguards have been put in place.
The Government has looked to increase patients’ access to their records online. In December they mandated NHS England to ensure all patients have access to their medical records by March 2015; by December 2014, 21 per cent of patients in England could access their medical records online. On 2 September 2015 the Health Secretary outlined his vision to give patients the ability to access and interact with their GP online within 12 months, with full access to their own GP electronic record by 2016 including blood results, appointment records and medical histories. By 2018, this will include all information from the patient’s health and care interactions.
Summary Care Records have been introduced to enable sharing of essential information about a patient, such as medication, allergies and adverse reactions. Access is restricted to medical staff who should only view the information they need in order to do their job. By July 2014, 40 million patients had an electronic summary care record, with all doctors and nurses having access by 2018, and with the social care system following by 2020. There may also be potential for community pharmacies to have access.
The NHS Constitution outlines patients’ rights to privacy, confidentiality, security of their medical records, and to be informed about how their information is used. The Health and Social Care (Safety and Quality) Act 2015 introduced a duty for health and social care commissioners and providers to share patient information where they consider that the disclosure is likely to facilitate the care provided to the individual and is in their best interest. Patient information must be securely safeguarded, although individuals also expect that relevant health information is shared amongst their care team. There are also considerable benefits from sharing patient information more widely although these should be anonymised and untraceable.
The Caldicott Review, published in April 2013 made 26 recommendations (subsequently accepted in principle by the Government) based around seven principles to guide information governance (Caldicott principles):
- Justify the purpose of every proposed use or transfer of personal confidential data
- Don’t use personal confidential data unless it is absolutely necessary
- Use the minimum necessary personal confidential data
- Access to personal confidential data should be on a strict need-to-know basis
- Everyone with access to personal confidential data should be aware of their responsibilities
- Comply with the law in relation to any use of personal confidential data
- The duty to share information can be as important as the duty to protect patient confidentiality.
In September 2015 the Health Secretary announced that a new review of standards of data security for patient’s confidential data across the NHS will be carried out by the CQC, with Dame Fiona Caldicott tasked with developing clear guidelines. The HSCIC produced a code of practice for handling confidential information that was published in September 2013 with recommendations based on the Caldicott principles.
There are a small number of areas where a health professional is required by law to disclose information, for example, specific notifiable diseases including food poisoning. Further laws require health professionals to restrict disclosure of certain information, for example, a person’s gender history. There are exceptional circumstances when disclosure of health information may be in line with the ‘public interest’ such as to prevent a serious or imminent threat to public health.
Deceased patient confidentiality must still be respected, although balanced with other interests, such as the wishes of people close to the deceased. The access to information rules relating to confidentiality are the same as described above for accessing medical records. All patients aged 16 and over are presumed to have capacity to consent in England, Wales and Northern Ireland, while children in Scotland over 12 are deemed to have this capacity. Patients who may have a mental health condition do not automatically lack this capacity.