Accessing Health Records

Accessing personal health records Can a person access their personal health records?

Under the Data Protection Act (DPA) 2018 and General Data Protection Regulation (GDPR) individuals have a legal right to apply for access to health information held about them, known as a “Subject Access Request”. Individuals can request NHS or private health records held by a GP, optician or dentist, or by a hospital.

How can a person access their health records?

Medical records are not held in one centralised location. To access their medical records, patients must contact each NHS service provider that has provided them with treatment directly such as the GP practice, optician, dentist or hospital.

Accessing GP health records

Guidance from the NHS webpage View your GP health record states there are three main ways for a patient to get their GP record:

1. by logging into their account using the NHS app or NHS website
2. via other GP online services and apps
3. by contacting their GP surgery to ask for a digital or printed copy of their GP record

When accessing their record online via the NHS app or website, patients should be able to view information that has been recently added to their GP record.

Patients may not be able to see older information in their record online. To view older information, the patient should ask their GP surgery to make it available to them. They can do this by emailing or calling their GP surgery, or by asking a receptionist at their next appointment. The NHS guidance recommends that patients should highlight if they want access to something specific in their records, as this can be faster than gaining access to their entire historic record. The surgery will consider the request and identify if there are any problems with making the record available, such as if the information could put the patient or someone else at risk. If there are no such problems, the patient will be able to view their older information online.

Accessing hospital health records

To access hospital records, patients should contact the records manager or patient services manager at the hospital trust that gave them treatment. The NHS provider directory lists contact details of every NHS trust and foundation trust.

Can a person be denied access to their health records?

Under Schedule 3 of the Data Protection Act 2018 there are certain circumstances in which full access to a patient’s health record may be denied. These include cases where the release of a patient’s health record is likely to cause serious harm to the physical or mental health of the patient or another individual. Prior to release, the data controller for the records should consult with either a health professional responsible for the individual or someone with the experience and qualifications to advise accordingly.

How long are records retained?

Hospital records are generally kept for a minimum of 8 years after treatment and GP records for a minimum of 10 years after a patient’s death. NHS organisations should retain records in accordance with the retention schedules outlined in Appendixes II and III of the NHS publication, Records Management Code of Practice.

The British Medical Association sets out national guidance on NHS records management, including UK-wide information on minimum retention periods for medical records.

Can a person edit their health records?

It may be possible for a person to get their records amended or updated to reflect their current circumstances. Patients have the right to apply to the Information Commissioner’s Office (ICO) to make a complaint or have inaccurate records amended or destroyed. The ICO provides information pages on how to do this: Your right to get your data corrected and Make a complaint.

Individuals are entitled to have personal data rectified if it is inaccurate or incomplete. However, if a person’s medical diagnosis is later proven to be incorrect, this may not mean that their records are inaccurate. For instance, a misdiagnosis of a medical condition may be relevant for the purpose of explaining previous treatment given to the patient and therefore help those treating the patient later, and so it may continue to be held as part of a patient’s medical records. There is further information on medical opinions on the ICO webpage on UK GDPR accuracy.

Can a person access someone else’s health records?

Health and care records are confidential; a person can only access someone else’s records if they are authorised to do so. A person can access someone else’s health records if they have the necessary level of proxy access.

The NHS webpage on proxy access says that people aged over 16 with capacity can ask someone to be their proxy for any reason. Different types of proxy access can be set up, and an individual can ensure that parts of their record remain hidden from their proxy.

Can a parent access the records of a child?

A person with legal parental responsibility for a child aged under 16 will usually be able to get proxy access to their medical records.

Children aged 11 or older are usually considered to have the capacity to give or refuse consent to parents requesting access to their health records, unless there is a reason to suggest otherwise. GP surgeries will usually stop automatic online parent or guardian access when a child is aged between 11 and 14. At this point, a parent or guardian can ask the GP surgery to restore their access, so long as the child gives their consent.

If a person thinks their child lacks capacity to make an informed decision, they can tell their GP surgery, who will give access based on the child’s best interests.

Parent and guardian access will usually end when a child turns 16.

The British Medical Association (BMA) has produced guidance on the care of children and young people. Advice on confidentiality and the disclosure of health records can be found on pages 17-19.

Can a person access the records of someone sectioned under the mental health act?

For the most part, the law on confidentiality applies in the same way to patients detained under the Mental Health Act 1983 as to any other type of patient. However, under the act, there are some situations where information can be shared without the patient’s consent. These include reports to a Mental Health Act Tribunal or the Care Quality Commission, to manage serious risks or ensure the safe transfer of a patient. The act also requires that those designated as the patient’s ‘Nearest Relative’ are given a copy of any information given to the patient and informed of their discharge from detention. The patient can object to the sharing of all or some of this information.

Can a person access the records of someone who has died?

There is an ethical obligation to respect a patient’s confidentiality after death and access to deceased patients’ health records is governed by the Access to Health Records Act 1990. Requests to access health records of a deceased patient should be sent to the health and care organisation that cared for the patient.

Under the terms of the act, someone will only be entitled to access a deceased person’s health records if they are either:

• a personal representative (the executor or administrator of the deceased person’s estate)
• someone who has a claim resulting from the death (this could be a relative or another person)

Access to a deceased person’s health records may not be granted if the patient requested confidentiality while they were alive. No information can be revealed if the patient requested non-disclosure.

Is there a charge for accessing health records?

Under the Data Protection Act 2018, record holders cannot usually charge individuals for accessing their own health records. The exception to this is where requests are “manifestly unfounded or excessive”. In these cases, the data controller can charge a reasonable fee to cover administrative costs or refuse to act on the request. No specific fee is set out in legislation, but the 2018 act allows for the Secretary of State to make regulations around maximum fee levels.

What types of electronic health records are there in the NHS?

The NHS has committed to making patient records largely paperless with the introduction of various online records and ways to share relevant information across organisations.

NHS England guidance on the purpose of the GP electronic health record emphasises that electronic health records support patient care by allowing patient information to be shared “safely and securely across care settings”.

In October 2024, the government announced plans to create a “single patient record”, bringing together a summary of patient health information, test results and letters in one place through the NHS App. This single patient record would be able to be shared across the NHS to save time and reduce duplication.

Currently, there are various types of electronic records, including Summary Care Records and shared care records.

The Summary Care Record

The Summary Care Record (SCR) is a national database that holds electronic records of important patient information. A patient’s electronic record in the SCR is created from their GP record so that other health and care staff are aware of their medication and allergies. Everyone registered with a GP has an electronic record in the SCR, unless they have opted out.

Patients can agree to add additional information, for example about their significant medical history, to their electronic record in the SCR.

Only staff with the correct level of security clearance can access a patient’s record in the SCR. Other than in emergency situations, staff must ask for a patients permission to view their record in the SCR. Patients can ask for a list of the people that that accessed their record in the SCR by making a subject access request.

Individuals can also opt out of having a record in the SCR by telling their GP or handing an SCR patient consent preference form in to their GP practice.

Shared care records

Shared care records are used locally to share information about patients’ health and care. They are more detailed than Summary Care Records, and may include information such as a patients’ current health issues, medication, appointments, test results, and care plans.

Integrated Care Boards (ICBs) are responsible for delivering shared care records for their local area and different areas may have different systems for sharing data. Some shared care records are available in neighbouring ICBs while others are only available within an individual ICB.

How are health records shared amongst health and care teams who are caring for a patient?

The Health and Social Care (Safety and Quality) Act 2015 introduced a legal duty for health and social care professionals to share patient information where they think disclosure will help facilitate a patient’s care, such as improve its safety or effectiveness, and is in the patient’s best interest.

NHS England guidance on consent to using and sharing patient information states that, under the common law duty of confidentiality, patient consent is required to disclose confidential patient information, but that this consent can be “implied” when sharing is required for individual care.

Patients can object to information about them being shared. The guidance says patient information should not be shared for individual care purposes if the patient objects, unless it is in the “overriding public interest”, such as if not sharing would put other staff members at risk of harm.

NHS England guidance on data and clinical record sharing highlights three requirements for clinical data sharing:

1. Information can be shared only for legitimate purposes, including the provision of care
2. No more information than is necessary for the legitimate purpose should be shared
3. When used for medical purposes, information will be accessible to health professionals, clinical or non-clinical, with a duty of care to keep it confidential

Data sharing opt-out

Where patient health record data is used for research and planning, patients have the option to opt-out of data sharing. Patients can opt-out of their GP surgery, NHS England and other health and care organisations sharing their data for research and planning purposes. Individuals can opt back in to this form of data sharing at any time.

If a patient opts out of data sharing, their health information will still be shared for internal NHS purposes. This includes during hospital referrals and when issuing prescriptions, so that care can be delivered effectively.

About the author: Hannah Burnett is a researcher specialising in health policy at the House of Commons Library.                                                                               

Disclaimer

The Commons Library does not intend the information in this article to address the specific circumstances of any particular individual. We have published it to support the work of MPs. You should not rely upon it as legal or professional advice, or as a substitute for it. We do not accept any liability whatsoever for any errors, omissions or misstatements contained herein. You should consult a suitably qualified professional if you require specific advice or information. Read our briefing for information about sources of legal advice and help.