- When patients, their representatives, or other third parties ask for copies of their medical records, data controllers should be aware that some information from these notes may need to be redacted ('blanked-out').
- Redaction should be considered for information that relates to third parties, or which could cause serious harm to the patient or others if it were disclosed.
- Identifying what third party information should be removed can be difficult. The extent of redaction will depend on who has asked for the records, who the third party is, and where that information came from.
The MDU does not normally require patient identifiable information when advising you on medico-legal matters, such as complaints. Unless we specifically request otherwise, please provide us with relevant and anonymised information that refers only to the patient's initials and date of birth.
Patients or their representatives have the right to request access to their medical records. This is known as a subject access request (SAR). The Information Commissioner has noted that medical practices have reported a significant rise in SARs since the General Data Protection Regulation (GDPR) came into effect in May 2018, and has issued some practical tips in response.
Information likely to cause serious harm
When complying with an SAR, it's important to understand what information can and can't be released. For example, under the Data Protection Act 2018 schedule 3, part 2, paragraph 2(2), access can be limited or denied if it would be 'likely to cause serious harm to the physical or mental health of the data subject or another individual', unless it is information of which the patient is already aware. In such cases, there must first be an assessment by the doctor responsible for the patient's care, and this should be recorded.
The threshold for serious harm redactions is relatively high and therefore information cannot be excluded simply because it may be harmful to your position or it might upset the patient.
Third party data
Another exemption relates to third party data. In our experience, many doctors are uncertain about what to redact from patients' records when responding to an SAR.
The general starting point is that you should redact part of the record or withhold specific documents that relate to third parties - such as another individual who can be identified - unless you are able to get consent from the third party. An example of this might be information disclosed in confidence from a relative of a patient, without the patient's knowledge.
The Information Commissioner's Office (ICO)'s subject access code of practice, chapter 7, addresses how to manage SARs when some of the information relates to people other than the data subject. This will soon be updated to reflect the Data Protection Act 2018 becoming law.
Each case of third party redaction needs to be considered individually. Below are common questions raised by MDU members about redacting third party information before disclosure of patient notes.
How much to remove?
The ICO advises that data controllers are obliged to communicate as much of the information requested as they can without disclosing the third party individual's identity.
The extent of the redaction will very much depend on how much third party information is in the notes and how easy it is to remove any information that might identify a third party.
Can I just remove names?
The short answer is no, because often the third party will still be identifiable from other information in the records. As such, data controllers may need to redact entire sentences or paragraphs if the third party can still be identified from the context. Sometimes entire documents may need redaction if they primarily relate to a third party.
What about third party information provided by patients?
If information about a third party is in the notes because the patient has provided that information and they are making the SAR, then redacting this won't be necessary. This is because the patient will not be given any new information that is unknown to them.
For example, if a patient tells you that their mother misuses drugs, this does not need redacting. If, on the other hand, the patient's notes show that the patient's mother had confided in the doctor that they thought the patient misuses drugs, then this information may need to be redacted.
However, if the SAR is made by someone else on behalf of the patient, then even third party references that originate from the patient would need to be redacted. In keeping with ICO guidance, decisions about redacting third party information should be made on a case-by-case basis.
Is it necessary to remove details of healthcare professionals involved in the patient's care?
Again, the short answer is usually no. Page 40 of the ICO's guidance mentioned above states that, 'special rules govern subject access to health, educational and social-work records. In practice, these rules mean that relevant information about health, education or social work professionals (acting in their professional capacities) should usually be disclosed in response to a SAR.'
However, if the patient's mother happens to be a healthcare professional and has provided information that has been incorporated into the notes, without the patient's knowledge, this would need to be removed before disclosing the records, as she is not acting in her professional capacity.
Do we need to explain redactions?
If a record has been redacted before disclosure, it will usually be obvious that words or lines have been blacked out. But if pages have been removed, it may not be so obvious. According to information provided to the MDU by the ICO, data controllers are under no obligation to mark where information has been removed or to offer the rationale for redaction.
How do I make redactions?
If you are providing hard copies of the patient notes then we would suggest that you print out the relevant documents, blank out the sections that require redaction with a solid black marker pen or liquid paper, and then photocopy these to send out to the requestor.
This last step is suggested to prevent someone being able to read the redacted information through the back of the paper, as words can often still be deciphered if the page is held up to a light source.
It is also important to keep a clear record of exactly what has been disclosed (and what has been redacted) and to whom.
We encourage members to contact us to discuss cases where redactions may be necessary.
This guidance was correct at publication 15/05/2019. It is intended as general guidance for members only. If you are a member and need specific advice relating to your own circumstances, please contact one of our advisers.