This information should not be relied upon as legal or professional advice. Read the disclaimer.

Accessing personal health records

Can a person access their personal health records?

Under the Data Protection Act (DPA) 2018 and General Data Protection Regulation (GDPR) individuals have a legal right to apply for access to health information held about them. This is a “Subject Access Request”. It includes NHS or private health records held by a GP, optician or dentist, or by a hospital.

How can a person access their health records?

The NHS Page How to access your health records gives information on accessing medical records. It states there are three main ways for a patient to get their GP record:

  1. A patient can get their GP record by logging into their account using the NHS app or NHS website.
  2. A patient might be able to use other online services or apps. A list is provided of other GP online services and apps.
  3. A patient can ask for their GP record at their GP surgery.

The guidance goes on to state that to access other medical records a patient needs to ask for them at the NHS service they went to. For specific details they should check the website for the NHS service they want records from.

Can a person be denied access to their health records?

Under Schedule 3 of the Data Protection Act 2018 there are certain circumstances in which full access to a patient’s health record may be denied. These include cases where the release is likely to cause serious harm to the physical or mental health of the patient or another individual. Prior to release, the data controller for the records should consult with either a health professional responsible for the individual or someone with the experience and qualifications to advise accordingly.

Can a person edit or destroy their health records?

There are minimum retention periods for which medical records must be maintained. These are clearly set out by the British Medical Association.

It may be possible for a person to get their records amended or updated to reflect their current circumstances. Patients have the right to apply to the Information Commissioner’s Office (ICO) to make a complaint or have inaccurate records amended or destroyed. The ICO provides information pages on how to do this: Your right to get your data corrected and Make a complaint.

It should be noted that while individuals are entitled to have personal data rectified if it is inaccurate or incomplete, even if a medical diagnosis is later proved to be incorrect this may not mean that the records are inaccurate and can be changed. For instance, a misdiagnosis of a medical condition may continue to be held as part of a patient’s medical records even after the diagnosis is corrected because it is relevant for the purpose of explaining previous treatment given to the patient and may help those treating the patient later. There is further information on medical opinions on this ICO webpage.

Can a person access someone else’s health records?

Health and care records are confidential so a person can only access someone else’s records if they are authorised to do so. To access someone else’s health records, a person must:

  • be acting on their behalf with their consent, or
  • have legal authority to make decisions on their behalf (i.e. power of attorney), or
  • have another legal basis for access

Can a parent access the records of a child?

A person with parental responsibility will usually be entitled to access the records of a child who is aged 12 or younger. Children aged 13 or older are usually considered to have the capacity to give or refuse consent to parents requesting access to their health records, unless there is a reason to suggest otherwise.

The British Medical Association (BMA) has produced guidance on the care of children and young people, which includes advice on confidentiality and the disclosure of health records. If a child has capacity to give or withhold consent to the release of their health record information, health professionals should respect their wishes. However, the guidance states that every reasonable effort must be made to persuade the child to involve parents or guardians.

Can a person access the records of someone sectioned under the mental health act?

For the most part, the law on confidentiality applies in the same way to patients detained under the Mental Health Act 1983 as to any other type of patient. However, under the Act, there are some situations where information can be shared without the patient’s consent. These include reports to a Mental Health Act Tribunal or the Care Quality Commission, to manage serious risks or ensure the safe transfer a patient. The Act also requires that those designated as the patient’s ‘Nearest Relative’ are given a copy of any information given to the patient and informed of their discharge from detention. The patient can object to the sharing of all or some of this information.

Can a person access the records of someone who has died?

There is an ethical obligation to respect a patient’s confidentiality after death and access to deceased patients’ health records is governed by the Access to Health Records Act 1990.

Under the terms of the Act, someone will only be entitled to access a deceased person’s health records if they are either:

  • a personal representative (the executor or administrator of the deceased person’s estate)
  • someone who has a claim resulting from the death (this could be a relative or another person)

Access to a deceased person’s health records may not be granted if the patient requested confidentiality whilst they were alive. No information can be revealed if the patient requested non-disclosure.

Is there a charge for accessing health records?

Previously data controllers of health records could charge for an access request, depending on where the records were held. Since new data protection legislation came into force on 25 May 2018, record holders are no longer able to charge for accessing records. The exception to this is where requests are “manifestly unfounded or excessive”. In these cases, the data controller can charge a reasonable fee to cover administrative costs or refuse to act on the request. No specific amount is set out in legislation, but the Data Protection Act 2018 allows for the Secretary of State to make regulations with regards to maximum fee levels.

Further reading

For further background information on this subject please see the House of Commons Library briefing on Patient health records: Access, sharing and confidentiality.