Your Medical Records

What are medical records?

A medical record exists to provide an account of a patient’s contact with the healthcare system. Medical records consist of information relating to the physical or mental health or condition of an individual made by a health professional in connection with the care of that individual. The information is most commonly recorded in electronic form, however, some records are in a manual form or a mixture of both. ‘Information’ covers expressions of opinion about individuals as well as facts. Medical records may include notes made during consultations, correspondence between health professionals such as referral and discharge letters, results of tests and their interpretation, X-ray films, videotapes, audiotapes, photographs, and tissue samples taken for diagnostic purposes. They may also include reports written for third parties such as insurance companies.

Accessing your records - Subject Access Request (SARs)

A request by a patient, or a request by a third party who has been authorised by the patient, for access under the GDPR (and DPA 2018) is called a subject access request (SAR). Rights of access are not confined to health records held by NHS bodies. They apply equally to the private health sector and to health professionals’ private practice records.

Who may apply for access?

  • Patients have a right to access their own health records via a SAR. Patients may also authorise a third party such as a solicitor to do so on their behalf. It is not necessary for patients to give reasons as to why they wish to access their records but it can help the practice to know to why so that we can ensure the correct parts of the record are released to you.
  • Children 16 years and over are entitled to make or consent to a SAR to access their record.

When will my access request be actioned?

SARs can be made electronically via email or completion of a SAR form. Before access is provided the identity of the person making the request must be verified using ‘reasonable means’. Once the request has been received and verified, the individual will be provided with a copy of their data without undue delay, and at the latest within 28 days from the date of the request.

When would information not be disclosed?

The GDPR read together with the Data Protection Act 2018 provides for a number of exemptions in respect of information falling within the scope of a SAR and information should not be disclosed if: –

  • it is likely to cause serious physical or mental harm to the patient or another person
  • it relates to a third party who has not given consent for disclosure (where that third party is not a health professional who has cared for the patient) and after taking into account the balance between the duty of confidentiality to the third party and the right of access of the applicant, the data controller concludes it is reasonable to withhold third party information
  • it is requested by a third party and, the patient had asked that the information be kept confidential, or the records are subject to legal professional privilege
  • it is restricted by order of the courts
  • it relates to the keeping or using of gametes or embryos or pertains to an individual being born as a result of in vitro fertilisation
  • in the case of children’s records, disclosure is prohibited by law, e.g. adoption records

Useful Guides

Your GP Online Records - What you may see

Giving another person access to your online medical records

Protecting your online records