Online access to records

What you need to know about patients accessing their records online.

GP practices in England are required to give patients online access to their medical records.

The ability for patients to access their records has the potential to raise issues about confidentiality and record accuracy, so it's important you know your obligations and responsibilities.

What to make available

The right of patients to seek access to their medical records is governed by data protection law.

GMS and PMS contracts in England say that all patients should have had access to all prospective data on their record from April 2020. GPs should make online access to patients' full historical digital data available on request, and work is already underway to digitalise the old Lloyd George paper records.

An exception can be made where the record contains data that could, in the opinion of the GP, be seriously harmful to the patient if they saw it, or if it contains confidential information about a third party.

Some coded entries will pre-date the switching on of online access for the individual patient, so records should be checked carefully and any sensitive data redacted before online access is switched on.

Information security

Many patients can already verify their identities for online services (such as appointment booking and repeat prescriptions) with personalised login IDs and passwords. This should be extended to cover access to records.

NHS England and the Royal College of General Practitioners (RCGP) have produced model forms and leaflets for patients within their guidance. The practice should:

  • keep a register of patients who have online access, and whether it has been limited for any reason. The RCGP has specific guidance on identity verification.
  • tell patients about their own responsibilities to protect their login details and keep their information secure, as well as the risks of sharing information.

Limits of patient access

If someone wants to see their records, data protection legislation says access can only be limited or denied if:

  • it would be likely to cause serious harm to physical or mental health of the data subject or another individual - except for information of which the patient is already aware
  • it gives information about a third party, other than healthcare professionals involved in the treatment, unless that other person consents, or it is reasonable in all the circumstances to disclose without the third party's consent.

Practices might sometimes consider limiting access so that sensitive information isn't disclosed. If you're considering this, there must first be an assessment by the doctor responsible for the patient's care. Make a record of this.

Once a practice has decided to offer online access to patients, it should only be refused with good reason.


It's not advisable to register a patient for online access if you suspect they're being coerced into making the request - if they are at risk of abuse by a family member or partner, for example.

In this situation, you will need to discuss your decision with the patient, and you can refer to the RCGP and NHS England's joint guidance on the topic.

Who else can access a patient's record?

If someone requests access to online records on the patient's behalf, they should be asked for evidence of their authority to act for the patient. This might be the patient's written consent or the necessary legal authority (such as a certificate of Lasting Power of Attorney) if the patient does not have capacity to consent.

Parental access

The RCGP's guidance sets out reasons why proxy access to patient records may be enabled - for example, where consent has been provided by a child, with children aged 16 or over assumed to be competent to give their consent unless otherwise determined.

With regards to younger children, the guidance refers to people with parental responsibility for children under 12 normally having automatic rights to access their children’s records. It is important, however, to check that appropriate parental responsibility exists. The RCGP also reminds practices that proxy access for parents and guardians to a child’s record is a decision for the practice to make.

The age at which a child becomes competent will vary and it will be important to keep any access by those with parental responsibility under regular review.

If someone with parental responsibility requests access to the records of a competent child, the child's consent should be sought, and the doctors should consider whether such access is in the best interests of the child.

For more information see our parental responsibility guide.

Correcting or changing records

It's a GP's responsibility to make sure records are accurate.

  • Patients should be able to report factual inaccuracies or question the content of the records.
  • Patients should not be able to alter the content.

Any corrections usually need the GP's agreement to check the record is complete and accurate. If factual corrections are made, it should be obvious who made the amendment and when (computerised records usually create an audit trail).

If a patient disagrees with the content of their record but the GP considers it to be accurate, a note can be added to highlight the patient's disagreement.

Explaining patients' records

Patients should be able to understand their records to get the most out of them. Taking the time to help them may reduce patient contact in the long run as they gain a greater understanding of their conditions.

  • Encourage them to contact the practice if they need clarification.
  • Spell out acronyms.
  • Explain diagnoses and treatments in more detail.

Training the team

It's important to train the practice team in patient online access to records.

Those involved in creating the record need to be aware that it can be viewed by patients. Think carefully about the purpose of the records and the impact they may have on patients reading them. For example, training can:

  • highlight potential issues surrounding third party data
  • cover the need to ensure data accuracy
  • minimise the use of abbreviations.

Registering patients for online access

Staff need to understand the registration process, and be able to explain to patients the importance of keeping their information secure.

Patients need to understand that they may see information they don't understand or find upsetting and that they can discuss their records with a GP if this happens.

NHS England GP Online services includes resources to provide to patients.

This page was correct at publication on 29/10/2021. Any guidance is intended as general guidance for members only. If you are a member and need specific advice relating to your own circumstances, please contact one of our advisers.