Online access to records

What you need to know about online access to patient records.

GP practices in England are required to give patients online access to their medical records.

The ability for patients to access their records has the potential to raise issues about confidentiality and record accuracy, so it's important you know your obligations and responsibilities.

What to make available

The right of patients to seek access to their medical records is governed by data protection law.

GMS and PMS contracts in England say that all patients should have had access to all prospective data on their record from April 2020. GPs should make online access to patients' full historical digital data available on request, and work is already underway to digitalise the old Lloyd George paper records.

An exception can be made where the record contains data that could, in the opinion of the GP, be seriously harmful to the patient if they saw it, or if it contains confidential information about a third party.

Some coded entries will pre-date the switching on of online access for the individual patient, so records should be checked carefully and any sensitive data redacted before online access is switched on.

Information security

Many patients can already verify their identities for online services (such as appointment booking and repeat prescriptions) with personalised login IDs and passwords. This should be extended to cover access to records.

NHS England and the RCGP have produced model forms and leaflets for patients within their guidance. The practice should:

  • keep a register of patients who have online access, and whether it has been limited for any reason. The RCGP has specific guidance on identity verification.
  • tell patients about their own responsibilities to protect their login details and keep their information secure, as well as the risks of sharing information.

Limits of patient access

If someone wants to see their records, data protection legislation says access can only be limited or denied if:

  • it would be likely to cause serious harm to physical or mental health of the data subject or another individual - except for information of which the patient is already aware
  • it gives information about a third party, other than healthcare professionals involved in the treatment, unless that other person consents, or it is reasonable in all the circumstances to disclose without the third party's consent.

Practices might sometimes consider limiting access so that sensitive information isn't disclosed. If you're considering this, there must first be an assessment by the doctor responsible for the patient's care. Make a record of this.

Once a practice has decided to offer online access to patients, it should only be refused with good reason.

Coercion

It's not advisable to register a patient for online access if you suspect they're being coerced into making the request - if they are at risk of abuse by a family member or partner, for example.

In this situation, you will need to discuss your decision with the patient, and you can refer to the RCGP and NHS England's joint guidance on the topic.

Who else can access a patient's record?

If someone requests access to online records on the patient's behalf, they should be asked for evidence of their authority to act for the patient. This might be the patient's written consent or the necessary legal authority (such as a certificate of Lasting Power of Attorney) if the patient does not have capacity to consent.

Parental access

The RCGP's guidance sets out the position in relation to children under 16, and suggests that full access for those with parental responsibility should automatically be switched off when a child reaches age 11.

The age at which a child becomes competent will vary and it will be important to keep any access by those with parental responsibility under regular review.

If someone with parental responsibility requests access to the records of a competent child, the child's consent should be sought and the doctors should consider whether such access is in the best interests of the child.

For more information see our parental responsibility guide.

Correcting or changing records

It's a GP's responsibility to make sure records are accurate.

  • Patients should be able to report factual inaccuracies or question the content of the records.
  • Patients should not be able to alter the content.

Any corrections usually need the GP's agreement to check the record is complete and accurate. If factual corrections are made, it should be obvious who made the amendment and when (computerised records usually create an audit trail).

If a patient disagrees with the content of their record but the GP considers it to be accurate, a note can be added to highlight the patient's disagreement.

Explaining patients' records

Patients should be able to understand their records to get the most out of them. Taking the time to help them may reduce patient contact in the long run as they gain a greater understanding of their conditions.

  • Encourage them to contact the practice if they need clarification.
  • Spell out acronyms.
  • Explain diagnoses and treatments in more detail.

Training the team

It's important to train the practice team in patient online access to records.

Those involved in creating the record need to be aware that it can be viewed by patients. Think carefully about the purpose of the records and the impact they may have on patients reading them. For example, training can:

  • highlight potential issues surrounding third party data
  • cover the need to ensure data accuracy
  • minimise the use of abbreviations.

Registering patients for online access

Staff need to understand the registration process, and be able to explain to patients the importance of keeping their information secure.

Patients need to understand that they may see information they don't understand or find upsetting and that they can discuss their records with a GP if this happens.

NHS England GP Online services includes resources to provide to patients.

This page was correct at publication on 13/08/2020. Any guidance is intended as general guidance for members only. If you are a member and need specific advice relating to your own circumstances, please contact one of our advisers.

Dr Carol Chu

by Dr Carol Chu MDU Medico-legal adviser

MB, ChB, MSc (Medical genetics), MD, MRCPI, MPhil (Medical Law) DLM

Carol qualified at Sheffield University. She attained her CCST in clinical genetics and spent 13 years as a consultant clinical geneticist, the last six of these also being the Head of Department, managing not only the clinical department; doctors, counsellors and administrative staff (including records) but also the three laboratories. She left the NHS to pursue a longstanding interest in medical ethics and medical law as a medicolegal adviser for the MDU in 2011. She was also chair of a research ethics committee for 10 years.

You may also be interested in

Guide

Disclosure to third parties

Obtain consent to disclose identifiable patient information, unless it is required by law or justified in the public interest.

Read more
Guide

Confidentiality issues in insurance and other reports

A wide range of doctors provide reports about patients to third parties in the course of their work.

Read more
Guide

Confidentiality and disclosing information after death

Your duty of confidentiality to a patient continues after their death.

Read more