Documents to download

Accessing personal health records

Individuals have a right to access their own health records and in limited circumstances, to access information about other people. Since 25 May 2018 this has been governed by the Data Protection Act 2018. Record holders cannot charge patients for accessing records, the exception to this is where requests are “manifestly unfounded or excessive”. In these cases, the data controller can charge a fee to cover administrative costs or refuse to act on the request. There are also certain circumstances in which full access to a patient’s health record may be denied, such as where the release is likely to cause serious harm to the physical or mental health of the individual or another person.

Accessing someone else’s health records

Children aged 12 or over are generally expected to have capacity to give or withhold consent to the release of information. However, the guidance says every reasonable effort must be made to persuade the child to involve parents or guardians. A deceased patient’s health records are still protected under the Access to Health Records Act 1990 and someone will only be entitled to access a deceased person’s records if they are either a personal representative of the patient or have a claim resulting from the death.

Sharing confidential patient information

Policies on confidential patient data seek to strike a balance between the protection of patient information and the use and sharing of information to improve care, such as for research purposes. Patients have the right to privacy and confidentiality and to expect the NHS to keep their confidential information safe and secure. Patients also have the right to request that their confidential information is not used beyond their own treatment. The Health and Care Act 2022 includes measures relating to the collection and sharing of health and care data.

It should be noted that there are exceptional circumstances in which a health or social care professional may be obliged to share confidential patient information in line with the “public interest” or when they are required by law to disclose medical information, regardless of a patient’s consent.

For the most part, the law on confidentiality applies in the same way to patients detained under the Mental Health Act 1983 as to any other type of patient. However, under the Act, there are some situations, such as to manage serious risks, where information can be shared without the patient’s consent. Also, if a patient lacks mental capacity to give or withhold their consent medical information may need to be shared with relatives, friends and carers to enable health professionals to determine their best interests.

Electronic health records

Since 2014 the NHS has committed to making patient records largely paperless with the introduction of various online records. The initial target for this transition was 2020 but this was pushed back to 2023. In February 2022, the then Secretary of State for Health and Social Care, Sajid Javid, set a target for 90 per cent of NHS trusts to use Electronic Patient Records (EPRs) by the end of 2023, with the remaining 10 per cent needing to be in an ‘implementation phase’. The NHS has created various electronic records, these include:

  • Summary Care Records (SCRs) are electronic health records containing essential information about a patient, such as their medication and allergies.
  • Shared Care Records are the new term for Local Health and Care Records which enable the safe and secure sharing of an individual’s health and care information as they move between different parts of the NHS and social care.

NHS data and cyber security

The National Data Guardian (NDG) for health and care undertook a review of NHS data security in 2016 which set out a number of recommendations to improve cyber security. In the wake of the 2017 WannaCry cyber attack, which impacted on 80 of the 236 NHS Trusts in England and is estimated to have cost the NHS £92 million, the Government accepted the Review’s recommendations. In 2018, the Government launched the Data Security and Protection Toolkit to implement the data security standards.

Patient data, Apps and Artificial Intelligence (AI)

In June 2022 the Government published a strategy, Data saves lives, setting out the Secretary of State’s vision for how patient data should be used “to bring benefits to all parts of health and social care” and to “demonstrate that the health and care system is a trustworthy data custodian”. The strategy also makes reference to patient involvement in AI in health and care.

The NHS App was launched on 31 December 2018 and at 31 December 2021 it had over 22 million users. The Government committed to continue to develop the NHS App so 75% of the adult population will be registered to use it and the NHS website by March 2024. Additionally, individuals can access a digital version of their Covid-19 vaccination status in two ways, either by using the NHS App or the NHS COVID Pass service.

This briefing relates to the NHS in England unless otherwise stated.

Documents to download

Related posts