Online access to patient records - your FAQs - The MDU


9 April 2015

Dr Beverley Ward

General practices in England are now required to offer patients online access to summary information from their records, raising issues about confidentiality and record accuracy.

According to the published figures, 21% of patients in England were able to access their medical records online in September 2014, compared with 2% in September 2013. General practices in England are now required to offer patients online access to summary information from their records.

Here we address the ethical and legal dilemmas GPs and practice managers may have about patients accessing their records online, such as how to protect confidentiality and what to do about patients querying record accuracy.

What information must we make available online?

As of 31 March 2015, practices are required to offer registered patients in England online access to summary information from their medical records (provided the practice has the necessary computer systems in place).

The latest standard GMS and PMS contracts in England say that a practice "must promote and offer to its registered patients… the facility to:

(a) access online any summary information derived from the patient's medical records and any other data which the Contractor has agreed that the patient may access; and
(b) view online, electronically export or print any summary information derived from the patient's medical records and any other data which the Contractor has agreed that the patient may access."

'Summary information' means the data that makes up the patient's Summary Care Record relating to medications, allergies, adverse reactions and other data from the record, subject to the patient’s consent.

Of course, the right of patients to request access to their medical records is already enshrined in the Data Protection Act 1998 (DPA). It is up to the practice to decide how much of the medical record to make available online, over and above the required minimum, and also whether to include retrospective records.

Some practices may decide to offer patients online access to all of their medical records. If this is not feasible, the RCGP suggests that practices might still offer information over and above the summary record such as vaccinations and immunisations history and test results. Incoming test results should usually be reviewed by a clinician and discussed with the patient before they are made available online to avoid causing confusion or distress.

What security measures should we take?

Practices already verify patients' identities and give them login IDs and passwords, which they can personalise, for online services such as appointment booking. This protocol can be extended to cover access to records as this facility becomes available. You should keep a register of patients who have online access and whether you have limited this for any reason. The RCGP has specific guidance on identity verification.

The RCGP also recommends that patients are given advice on registration about their own responsibilities to protect their login details and keep information secure as well as the risks of sharing information. NHS England and the RCGP have produced model forms and leaflets for patients within their guidance.

Can we deny a patient access to their records or limit what they can see?

If someone wants to see their records, the DPA states that access can only be limited or denied if it would:

  • be 'likely to cause serious harm to the physical or mental health or condition of the data subject or any other person' - except information of which the patient is already aware.
  • give information about a third party, other than healthcare professionals involved in the treatment, unless that other person consents, or it is reasonable in all the circumstances to disclose without the third party's consent.

For example, practices may need to consider limiting access in some circumstances so that sensitive information (e.g. about child protection) is not disclosed. If you are considering this step, there must first be an assessment by the doctor responsible for the patient's care and we advise you to make a record of this. Once a practice has decided to offer online access to patients, it should only be refused to an individual with good reason.

It is not advisable to register a patient for online access if you suspect they are being coerced into making the request, e.g. they are at risk of abuse by a family member or partner. Patients who may be at risk of coercion include children, the elderly, an adult in an abusive relationship, or an otherwise vulnerable adult. In this situation, you will need to discuss your decision with the patient. The RCGP and NHS England have produced joint guidance about this.

Can we offer access to a patient's representative?

If someone submits an access request on behalf of a patient (proxy access) they should be asked for evidence of their authority to act for the patient. This includes the patient's written consent or the necessary legal authority, for example a certificate of Lasting Power of Attorney.

What about parental access to children’s records?

Where someone with parental responsibility submits a request for access to the records of a competent child, the child's consent should be sought. Children aged 16 or over are assumed to be competent unless shown otherwise, but children under 16 may also be assessed as competent. The RCGP has produced detailed guidance, which sets out the position in relation to children under 16 and suggests that full access for those with parental responsibility should automatically be switched off when a child reaches age 11. A discussion could then be arranged with the child and parents to consider the extent of any ongoing parental or guardian access, which could include, for example, a parent or guardian being able to make appointments on the child's behalf. The age at which a child becomes competent will vary and it will be important to keep any access by those with parental responsibility under regular review. 

Should we correct or amend records at a patient’s request?

While it remains the responsibility of GPs to ensure records are accurate, patients might be more likely to notice errors or omissions when records become available online.

It's a good idea to give patients the opportunity to report factual inaccuracies or to question the content of the records. However, they should not be able to alter the content, nor should accurate records be amended because the patient finds them upsetting.

All corrections would usually need the agreement of the GP concerned to ensure the record is complete and accurate. This is in the interests of patient care, as future treatment decisions may have been based upon the opinion a clinician formed at the time of seeing a patient and because the records might be used as evidence in the event of a complaint or litigation. If factual corrections are made, it should be immediately obvious who made the amendment and the time and date it was changed (computerised record systems usually create an audit trail).

If a patient disagrees with the content of their record but the GP considers it to be accurate, a note can be added to highlight the patient's disagreement.

How much explanation should we provide for patients about their records?

For online records to have the most benefit, patients will need to be able to understand their contents, and they should be encouraged to contact the practice if they need clarification. For example, GPs should aim to spell out acronyms and explain diagnoses and treatments in more detail. Taking the time to do this may reduce patient contacts in the longer run as patients gain a greater understanding of their conditions.

How can we prepare practice staff for this new initiative?

It's important to train the practice team in patient online access to records so that it can be introduced safely. Those involved in creating the medical record will need to be aware that the record can be viewed by patients, and think carefully about the purpose of the records and the impact they may have on patients reading them. Training could highlight potential issues surrounding third-party data and cover the need to ensure data accuracy and minimise the use of abbreviations.

When registering patients for online access, staff will need to understand the registration process and be able to explain to patients the importance of keeping their information secure. Patients will need to understand that they may see information that they do not understand or may find upsetting, and that they can discuss their records with a GP if this happens.

NHS England has published a patient online guide which includes resources to provide to patients.


This guidance was correct at publication on 09/04/2015. It is intended as general guidance for members only. If you are a member and need specific advice relating to your own circumstances, please contact one of our advisers.

