Online access to records

GP practices in England are required to give patients online access to their medical records. 

This has the potential to raise issues about confidentiality and record accuracy, so it's important you know your obligations and responsibilities.

What to make available

The right of patients to seek access to their medical records is governed by data protection law.

GMS and PMS contracts in England say practices must promote and offer registered patients online access to all coded data in their GP records, referred to as their detailed coded record.

An exception can be made where the record contains data that could, in the opinion of the GP, be seriously harmful to the patient if they saw it, or if it contains confidential information about a third party.

Some coded entries will pre-date the switching on of online access for the individual patient, so records should be checked carefully and any sensitive data redacted before online access is switched on.

Information security

Many patients can already verify their identities for online services (such as appointment booking and repeat prescriptions) with personalised login IDs and passwords. This should be extended to cover access to records.

NHS England and the RCGP have produced model forms and leaflets for patients within their guidance. The practice should:

  • keep a register of patients who have online access, and whether it has been limited for any reason. The RCGP has specific guidance on identity verification.
  • tell patients about their own responsibilities to protect their login details and keep their information secure, as well as the risks of sharing information.

Limits of patient access

If someone wants to see their records, data protection legislation says access can only be limited or denied if:

  • it would be likely to cause serious harm to the physical or mental health of the data subject or another individual, except for information of which the patient is already aware
  • it gives information about a third party, other than healthcare professionals involved in the treatment, unless that other person consents, or it is reasonable in all the circumstances to disclose without the third party's consent.

Practices might sometimes consider limiting access so that sensitive information isn't disclosed. If you're considering this, there must first be an assessment by the doctor responsible for the patient's care. Make a record of this.

Once a practice has decided to offer online access to patients, it should only be refused with good reason.


It's not advisable to register a patient for online access if you suspect they're being coerced into making the request - if they are at risk of abuse by a family member or partner, for example.

In this situation, you will need to discuss your decision with the patient, and you can refer to the RCGP and NHS England's joint guidance on the topic.

Who else can access a patient's record?

If someone requests access to online records on the patient's behalf, they should be asked for evidence of their authority to act for the patient. This might be the patient's written consent or the necessary legal authority (such as a certificate of Lasting Power of Attorney) if the patient does not have capacity to consent.

Parental access

The RCGP's guidance sets out the position in relation to children under 16, and suggests that full access for those with parental responsibility should automatically be switched off when a child reaches age 11.

The age at which a child becomes competent will vary and it will be important to keep any access by those with parental responsibility under regular review.

If someone with parental responsibility requests access to the records of a competent child, the child's consent should be sought and the doctors should consider whether such access is in the best interests of the child.

For more information see our parental responsibility guide.

Correcting or changing records

It's a GP's responsibility to make sure records are accurate.

  • Patients should be able to report factual inaccuracies or question the content of the records.
  • Patients should not be able to alter the content.

Any corrections usually need the GP's agreement to check the record is complete and accurate. If factual corrections are made, it should be obvious who made the amendment and when (computerised records usually create an audit trail).

If a patient disagrees with the content of their record but the GP considers it to be accurate, a note can be added to highlight the patient's disagreement.

Explaining patients' records

Patients should be able to understand their records to get the most out of them. Taking the time to help them may reduce patient contact in the long run as they gain a greater understanding of their conditions.

  • Encourage them to contact the practice if they need clarification.
  • Spell out acronyms.
  • Explain diagnoses and treatments in more detail.

Training the team

It's important to train the practice team in patient online access to records. 

Those involved in creating the record need to be aware that it can be viewed by patients. Think carefully about the purpose of the records and the impact they may have on patients reading them. For example, training can:

  • highlight potential issues surrounding third party data
  • cover the need to ensure data accuracy
  • minimise the use of abbreviations.

Registering patients for online access

Staff need to understand the registration process, and be able to explain to patients the importance of keeping their information secure.

Patients need to understand that they may see information they don't understand or find upsetting and that they can discuss their records with a GP if this happens.

NHS England has published a Patient Online guide which includes resources to provide to patients.

This guidance was correct at publication 21/05/2018. It is intended as general guidance for members only. If you are a member and need specific advice relating to your own circumstances, please contact one of our advisers.

by Dr Carol Chu MDU Medico-legal adviser

MB, ChB, MSc (Medical genetics), MD, MRCPI, MPhil (Medical Law) DLM

Carol qualified at Sheffield University. She attained her CCST in clinical genetics and spent 13 years as a consultant clinical geneticist, the last six of these also being the Head of Department, managing not only the clinical department (doctors, counsellors and administrative staff, including records) but also the three laboratories. She left the NHS to pursue a longstanding interest in medical ethics and medical law as a medicolegal adviser for the MDU in 2011. She was also chair of a research ethics committee for 10 years.
