Access to Medical Records

The purpose of this policy is to provide information on the patient’s rights to view medical records prepared on his / her behalf in connection with insurance or employment.

The rights of patients are governed within the Data Protection Act 1998 will apply.


  • The patient must be aware of, and must give consent to, the preparation and release of a medical report. Reports should not be prepared where a GP becomes aware that the patient is not aware of the request, for example in subsequent requests by insurance companies unrelated to an existing consented application.
  • Anyone applying to the practice for a medical report relating to an individual for employment of insurance purposes must make the person aware and gain his/her consent to do this. They must also inform the individual that they may withhold their consent if they wish and of their other rights under the Act detailed below.
  • Patients may decline consent at any time prior to release of information.
  • Where a patient indicates in the consent to the applicant that he/she wishes to view the report prior to its dispatch to the enquirer, the enquirer/applicant must notify the GP of this fact at the time that the application is made.  At the same time, they must notify the individual that the application has been made.
  • The report must not be released unless the individual has then had access to it or until 21 days have passed since receiving the application and there has been no contact from the individual to make arrangements to see the report.
  • Where an application contains no mention of the individual wishing to have access to the report before it is sent, but the practice subsequently receives a request from the individual to view the report before it is sent, then the wishes of the patient must be met.
  • The practice will advise patients wishing to view their reports that the report is available to view once it has been prepared. The patient will be advised that they have 21 days to make arrangements to view this (from the date of receiving a request to view) before it will be sent.
  • The practice will encourage patients to view reports promptly. A copy will be provided, where requested.
  • Where a patient disagrees with any part of the report because he/she believes it to be incorrect or misleading, he/she can request amendment. The GP will determine whether the amendment can be made. If an amendment is not appropriate the patient may attach a statement of his/her views to the report for dispatch. Requests to amend must be made in writing.
  • Where a patient disagrees with part of the report, and an amendment or an attached note is considered to be inadequate or unacceptable by the patient, then the patient may refuse consent for the report to be sent, and this refusal will be accepted.
  • Copy reports will be retained for 6 months following issue, during which time a copy will be provided to the patient if required.
  • A copy of the report will be scanned onto the patient electronic record or a copy held within the medical record
  • Patients may request access to any medical report relating to him/herself which the GP has supplied for employment or insurance purposes in the previous six months.  Access includes making a copy of the report available for inspection or supplying a copy of the report


A GP is not obliged to give access to a medical report (or any part of it) when disclosure would in the opinion of the practitioner:

  • Cause serious harm to the physical or mental health of the individual or others
  • Indicate the intentions of the medical practitioner towards the individual
  • Identify a third person, who has not consented to the release of that information or who is not a health professional involved in the individual’s care

Access to medical records and data protection

The Access to Health Records Act 1990 and the Access to Medical Reports Act 1988 gave individuals the right of access, subject to certain exceptions, to health information recorded about themselves, and, in certain circumstances, about others, within manual records. The Data Protection Act (DPA) 1998 came into force in March 2000 and repealed most of the 1990 Access to Health Records Act.  All applications for access to records, whether paper based or electronic, of living persons are now made under the DPA 1998. In February 2010 the DoH published amended guidance applicable in England to encompass best practice covering the above legislative process, replacing previous guidelines issued in July 2002 and June 2003. Practices are recommended to refer to these guidelines where an access request is received.

For deceased persons, applications are made under sections of the 1990 Access to Health Records Act which has been retained.  These sections provide the right of access to the health records of deceased individuals for their personal representative and others having a claim under the estate of the deceased. Please refer to separate policy for further details.

The Access to Medical Reports Act 1988 covers the rights of individuals to access medical reports prepared about them for employment or insurance purposes.

Under section seven of the DPA, patients have the right to apply for access to their health records.  Provided that the fee has been paid and a written application is made by one of the individuals referred to below, the practice is obliged to comply with a request for access subject to certain exceptions (see below).  However, the practice also has a duty to maintain the confidentiality of patient information and to satisfy itself that the applicant is entitled to have access before releasing information.

The Access to Health Records Act (AHRA) 1990 provides certain individuals with a right of access to the health records of a deceased individual. These individuals are defined under Section 3(1)(f) of that Act as, ‘the patient’s personal representative and any person who may have a claim arising out of the patient’s death’. A personal representative is the executor or administrator of the deceased person’s estate.

A form designed for use by patients and their representatives is contained within the document Guidance for Access to Health Records Requests (DoH February 2010). This is accessible from the link within the Resources section below. See also Access to Medical Record Application form below.


An application for access to health records may be made in any of the circumstances explained below.

The patient

Wheatfield Surgery has a policy of openness with regard to health records and health professionals are encouraged to allow patients to access their health records on an informal basis.  This should be recorded in the health record itself. The Department of Health’s Code of Practice on Openness in the NHS as referred to in HSG (96) 18 Protection and Use of Patient Information will still apply to informal requests.

Such requests are usually made for a reason, and will always be in writing. There is no requirement to allow immediate access to a record of any type.  The patient may have concerns about treatment that they have received, how they have been dealt with or may be worried that something they have said has been misinterpreted. Members of staff are encouraged to try to understand and allay any underlying concerns that may have contributed to the request being made and offer an opportunity of early resolution.

Children and young people

Children over the age of 13 are generally considered to have the capacity to give or withhold consent to release medical records. In Scotland, there is a legal assumption that this is the case, but not in England, Wales or Northern Ireland where those under 16 should demonstrate that they have the capacity to make these decisions. Where the child is considered to be capable, then their consent must be sought before access is given to a third party.

The law regards young people aged 16 or 17 to be adults in respect of their rights to confidentiality. Access can be refused by the health professional where they consider that the child does not have capacity to give consent / decline decisions.

Individuals with parental responsibility for an under 18 year old will have a right to request access to those medical records (Scotland under 16). Access may be granted if access is not contrary to the wishes of the competent child.  Not all parents have parental responsibility. A person with parental responsibility is either:

  • The birth mother
  • The birth father (if married to the mother at the time of child’s birth or subsequently) if both are on the birth certificate
  • An individual given parental responsibility by a court

Parental responsibility is not lost on divorce. If parents have never been married only the mother has automatic parental responsibility, however the father may subsequently “acquire” it.

If the appropriate health professional considers that a child patient is Gillick competent (i.e. has sufficient maturity and understanding to make decisions about disclosure of their records) then the child should be asked for his or her consent before disclosure is given to someone with parental responsibility.

If the child is not Gillick competent and there is more than one person with parental responsibility, each may independently exercise their right of access. Technically, if a child lives with, for example, its mother, and the father applies for access to the child’s records, there is no “obligation” to inform the mother. In practical terms, however, this may not be possible and both parents should be made aware of access requests unless there is a good reason not to do so.

In all circumstances good practice dictates that a Gillick competent child should be encouraged to involve parents or other legal guardians in any treatment/disclosure decisions.  The data controller may refuse access to the record where the information contained in it could cause serious harm to the patient or another person.

Patient representatives

A patient can give written authorisation for a person (for example a solicitor or relative) to make an application on their behalf.  The practice may withhold access if it is of the view that the patient authorising the access has not understood the meaning of the authorisation.

Court representatives

A person appointed by the court to manage the affairs of a patient who is incapable of managing his or her own affairs may make an application.  Access may be denied where the GP is of the opinion that the patient underwent relevant examinations or investigations in the expectation that the information would not be disclosed to the applicant.

Children and family court advisory and support service (CAFCASS)

Where CAFCASS has been appointed to write a report to advise a judge in relation to child welfare issues, Wheatfield Surgery would attempt to comply by providing factual information as requested.

Before records are disclosed, the patient or parents consent (as set out above) should be obtained.  If this is not possible, and in the absence of a court order, the practice will need to balance its duty of confidentiality against the need for disclosure without consent where this is necessary:

  • To protect the vital interests of the patient or others
  • To prevent or detect any unlawful act where disclosure is in the substantial public interest (e.g. serious crime)
  • Because seeking consent would prejudice those purposes

The relevant health professional should provide factual information and their response should be forwarded to a member of the Child Protection Team who will approve the report.

Chapter 8 review

All Chapter 8 Review requests for information should be immediately directed to the Primary Care Organisation Child Protection Manager who would co-ordinate the Chapter 8 Review in accordance with national and local Area Child Protection Committee Guidance.  More information on Chapter 8 reviews can be found at: Serious Case Reviews (SCRs) – Every Child Matters

Amendments to or deletions from records

If a patient feels information recorded on their health record is incorrect then they should firstly make an informal approach to the health professional concerned to discuss the situation in an attempt to have the records amended. If this avenue is unsuccessful then they may pursue a complaint under the NHS Complaints procedure in an attempt to have the information corrected or erased. The patient has a ‘right’ under the DPA to request that personal information contained within the medical records is rectified, blocked, erased or destroyed if this has been inaccurately recorded.

He or she may apply to the Information Commissioner but they could also apply for rectification through the courts.  The GP practice, as the data controller, should take reasonable steps to ensure that the notes are accurate and if the patient believes these to be inaccurate, that this is noted in the records.  Each situation will be decided upon the facts and the practice will not be taken to have contravened the DPA if those reasonable steps were taken.  In the normal course of events, however, it is most likely that these issues will be resolved amicably.

Further information can be obtained from the Information Commissioner at:

Wycliffe House,
Water Lane,
SK9 5AF,

Telephone: 0303 123 1113 or 01625 545745.


Online access to medical records (England)

Since April 2014, practices have been obliged to give patients the opportunity to view online information equating to their Summary Care Record (SCR) as part of the 2014-2015 GP contract. From March 31, 2016, it is a contractual obligation to give patients online access to coded information held in their medical records, including medication, allergies, illnesses, immunisations and test results. Patients will need to register online with the practice in order to gain access to this information.

Checks should be carried out to ascertain the patient’s identity, see Appendix B. The following checks should be undertaken:

  • Checking photo ID and proof of address, for example, a passport or driving licence and a bank statement or council tax statement.
  • If the patient has no ID but is well known to the surgery, a member of staff may be able to confirm their identity.
  • If the patient has no ID and is not well known to the surgery, the ability to answer questions about the information in their GP record may confirm that the record is theirs.

GP software will be configured to offer all coded data by default, but GPs will be provided with the tools to withhold coded information where they judge it to be in the patient’s interests or where there is reference to a third party.

The practice has the option to offer comprehensive online patient records. There are circumstances where a GP may believe it is not in the best interests of the patient to share all information in the record, for example where it could cause harm to their physical or mental health, or if it contains information about a third party.

The practice is only expected to meet the above requirements for patient online access to their record when they have been provided with the GPSoC-approved and funded IT systems. Where systems are not yet available, the practice will publish a statement of intent to provide this facility.

Proxy access

Proxy Access refers to giving a third party access to online services on behalf of a patient. Family members or carers can access a patient’s medical records online only in circumstances where the patient has consented to this, or if the patient lacks capacity AND the applicant can provide evidence that they have been granted the power to manage the patient’s affairs. Patients will be advised about the risks associated with doing this as part of their access application.  Proxy access is the recommended alternative to sharing login details.

A person with parental responsibility who wishes to access some or all of the records of a competent child aged between 13 and 16 should only be allowed to do so if the child or young person consents, and it does not go against the child’s best interests. If the records contain information given by the child or young person in confidence you should not normally disclose the information without their consent. For further information about Parental Responsibility, please see the Children and Young People section, found above.

A person with parental responsibility for a child aged under 13 normally has automatic rights to access a child’s records – although not all parents have parental responsibility. Proxy access for people with parental responsibility to a child’s record is a practice-level decision.


The availability of online services carries the risks of users being subject to coercion, as patients could be vulnerable to being forced into sharing confidential information from their record against their will. In cases where this is believed to be a possibility, online access to medical records can be denied. This should be discussed privately with the patient before a final decision over whether to deny access is taken.

As part of their request to access their medical records online or allow proxy access to a third party, the person submitting the request should provide a statement confirming that they have not been coerced into doing so.

Applications for access to medical records

GP practices receive applications for access to records via a number of different sources, for example:

  • Patients’ solicitors
  • Patients & relatives
  • Patient carers
  • Parents of patients under 16 years old

Requests should be in writing, with a patient signature. Email requests are valid for the purposes of the DPA, however the practice will need to be satisfied that a valid signature exists prior to disclosure or release. Where a solicitor or other representative is making the request, ensure that you have patient-signed consent, and sufficient information to clearly identify the patient.

Notification of requests

Practices should treat all requests as potential claims for negligence.  Good working practice would be to keep a central record of all requests in order to ensure that requests are cross-referenced with any complaints or incidents and that the deadlines for response are monitored and adhered to.

Requirement to consult appropriate health professional

It is the GP’s responsibility to consider an access request and to disclose the records if the correct procedure has been followed.  Before the practice discloses or provides copies of medical records the patient’s GP must have been consulted and he / she checked the records and authorised the release, or part-release.

Grounds for refusing disclosure to health records

The GP should refuse to disclose all or part of the health record if he / she is of the view that:

  • Disclosure would be likely to cause serious harm to the physical or mental health of the patient or any other person.
  • The records refer to another individual who can be identified from that information (apart from a health professional). This is unless that other individual’s consent is obtained or the records can be anonymised or it is reasonable in all the circumstances to comply with the request without that individual’s consent, taking into account any duty of confidentiality owed to the third party.
  • The request is being made for a child’s records by someone with parental responsibility or for an incapacitated person’s record by someone with power to manage their affairs, and the:
    • Information was given by the patient in the expectation that it would not be disclosed to the person making the request.
    • The patient has expressly indicated it should not be disclosed to that person.

Informing of the decision not to disclose

If a decision is taken that the record should not be disclosed, a letter must be sent by recorded delivery to the patient or their representative stating that disclosure would be likely to cause serious harm to the physical or mental health of the patient, or to any other person.  The general position is that the practice should inform the patient if records are to be withheld on the above basis.  However, the GP could decide not to inform the patient if the appropriate health professional thinks that telling the patient:

  • Will effectively amount to divulging that information, or;
  • This is likely to cause serious physical or mental harm to the patient or another individual

In either of these cases, an explanatory note should be made in the file.

The decision can only be taken by the GP and an explanatory note should be made in the file.  Although there is no right of appeal to such a decision, it is the practice’s policy to give a patient the opportunity to have their case investigated by invoking the complaints procedure. The patient must be informed in writing that assistance will be offered to them if they wish to do this.  In addition, the patient may complain to the Information Commissioner for an independent ruling on whether non-disclosure is proper.

Disclosure of the record

Once the appropriate documentation has been received and sufficient identification has been produced to satisfy the data controller that disclosure may be made, disclosure may be approved, the copy of the health record may be sent to the patient or their representative in a sealed envelope by recorded delivery.  The record should be sent to a named individual, marked confidential, for addressee only and the sender’s name should be written on the reverse of the envelope.  Originals should not be sent. It may be good practice to check with the patient that all of the information requested is needed, before fulfilling the request, although there is no requirement under the Act to specify the extent of the requested information as part of the application procedure.

Where viewing is requested, a date may be set for the patient to view by supervised appointment. Where parts of the record are not to be released or to be viewed (i.e. they are restricted) an explanation does not have to be given, however the reasons for withholding should be documented. An explanation of terminology, abbreviation etc. must be given if requested. It is good practice for viewings to be supervised by a clinician (e.g. a nurse) who can explain items if needed. Where a non-clinician (e.g. receptionist) does this then no explanation must be offered. Explanation requests should be then referred to a clinical staff member.

Confidential information should not be sent by fax and never by email unless via an encrypted service such as from one NHS Mail account to another NHS Mail account.

A note should be made in the file of what has been disclosed to whom and on what grounds.

Where information is not readily intelligible an explanation (e.g. of abbreviations or medical terminology) must be given.

Where an access request has been fulfilled, a subsequent identical or similar request does not have to be again fulfilled unless a “reasonable” time interval has elapsed.

Charges and timescales

Please note: Under the GDPR, in effect from 25 May 2018, the right to submit a Subject Access Request and receive the information without undue delay is shortened to within 1 month. An extension of 2 months can be allowed if necessary taking into account the complexity of the request. A fee cannot be charged unless the request is “manifestly unfounded or excessive”, in which case a fee may be charged or the request refused.

The DPA states that fees should be paid in advance. Charges are set out in the Data Protection (Subject Access) (Fees and Miscellaneous Provisions) Regulations 2000.

Copies of records should be supplied within 21 days of receiving a valid and complete access request. In exceptional circumstances, it may take longer. The original Access to Health Records Act 1990 required requests to be complied with within 21 days where the record had been amended within 40 days, however the new Data Protection Act which replaced this required 40 days for all requests.

Ministers gave a commitment to parliament that 21 days would be retained for the NHS. 21 days is therefore the required standard, 40 days may apply in some exceptional circumstances, and if this is to be the case the patient should be advised prior to expiry of the initial 21 day period.

Where further information is required by the practice to enable it to identify the record required or validate the request, this must be requested within 14 days of receipt of the application and the timescale for responding begins on receipt of the full information.

The practice is not required to provide all the information requested if this would involve disproportionate effort. This however would only apply in very exceptional circumstances and may need to be justified to the Information Commissioner in the event of a dispute.   At the same time, however, the GP has discretion not to charge for copies should he / she choose to do so.

Appropriate health professional

The Data Protection (Subject Access Modification) (Health) Order 2000 specifies the appropriate health professional to deal with access matters is:

  • The current or most recent responsible professional involved in the clinical care of the patient in connection with the information aspects which are the subject of the request.
  • Where there is more than one such professional, the most suitable is to advise on the information which is the subject of the request.

Safe haven

Confidential medical records should not be sent by fax unless there is no alternative.  If a fax must be sent, it should include the minimum information and names should be removed and telephoned through separately.

All staff should be aware that safe haven procedures apply to the sending of confidential information by fax, for whatever reason. That is, the intended recipient must be alerted to the fact that confidential information is being sent. The recipient then makes a return telephone call to confirm safe and complete receipt. A suitable disclaimer, advising any unintentional recipient to contact the sender and to either send back or destroy the document, must accompany all such faxes. A suitable disclaimer is shown below:

Warning: The information in this fax is confidential and may be subject to legal professional privilege.  It is intended solely for the attention and use of the named addressee(s).  If you are not the intended recipient, please notify the sender immediately.  Unless you are the intended recipient or his/her representative you are not authorised to, and must not, read, copy, distribute, use or retain this message or any part of it. 

Patients living abroad

For former patients living outside of the UK and whom once had treatment for their stay here, under the DPA 1998 they still have the same rights to apply for access to their UK health records.  Such a request should be dealt with as someone making an access request from within the UK.  Original records should not be given to a patient to take outside the UK. The GP may agree to provide a summary, or otherwise the request is subject to a normal access request under these provisions.

Requests made by telephone

No patient information may be disclosed to members of the public by telephone.  However, it is sometimes necessary to give patient information to another NHS employee over the telephone. Before doing so, the identity of the person requesting the information must be confirmed.

This may best be achieved by telephoning the person’s official office and asking to be put through to their extension. Requests from patients must be made in writing.

Requests made by the police

In all cases the practice can release confidential information if the patient has given his/her consent (preferably in writing) and understands the consequences of making that decision.  There is, however, no legal obligation to disclose information to the police unless there is a court order or this is required under statute (e.g. Road Traffic Act).

The practice does, however, have a power under the DPA and Crime Disorder Act to release confidential health records without consent for the purposes of the prevention or detection of crime or the apprehension or prosecution of offenders.  The release of the information must be necessary for the administration of justice and is only lawful if this is necessary:

  • To protect the patient or another persons vital interests.
  • For the purposes of the prevention or detection of any unlawful act where seeking consent would prejudice those purposes and disclosure is in the substantial public interest (e.g. where the seriousness of the crime means there is a pressing social need for disclosure).

Only information which is strictly relevant to a specific police investigation, should be considered for release and only then if the police investigation would be seriously prejudiced or delayed without it.  The police should be asked to provide written reasons why this information is relevant and essential for them to conclude their investigations.

Requests for insurance purposes

Insurance companies may seek to obtain full medical records through the use of Subject Access Requests (SAR) under the Data Protection Act 1998. After seeking clarification from ICO, the BMA advises that upon receiving a SAR from an insurance company, practices should contact the patient to explain the implications of such a request and the extent of the disclosure.

The ICO is also clear that GPs should provide the SAR information to the patient themselves, rather than directly to the insurance company.

The ICO’s Subject Access Code of Practice states that ‘If you think an individual may not understand what information would be disclosed to a third party who has made a SAR on their behalf, you may send the response directly to the individual rather than to the third party. The individual may then choose to share the information with the third party after having had a chance to review it.’

It is however expected that insurance companies will stop requesting SARs and revert to requesting medical reports. Practices are able to apply a fee for completion of these reports, in line with the work associated, and should seek to agree the fee with the requestor in advance of completion.

Requests from third parties for non-insurance purposes

Under the Data Protection Act, individuals are entitled to make a SAR via a third party, such as solicitors who are acting in civil litigation cases for patients. These parties should obtain consent from the patient using the form that has been agreed with the BMA and the Law Society:

The ICO Code of Practice states that ‘In these cases, you need to be satisfied that the third party making the request is entitled to act on behalf of the individual, but it is the third party’s responsibility to provide evidence of this entitlement. This might be a written authority to make the request or it might be a more general power of attorney’.

Court proceedings

You may be ordered by a court of law to disclose all or part of the health record if it is relevant to a court case (for example by a Guardian ad litem).