Home » Our Care » Patient and Carers Information » Your data and privacy » How to access your health records

How to access your health records

 

 

DATA PROTECTION – ACCESS TO HEALTH RECORDS

  • The General Data Protection Regulation (EU) 2016/679 (GDPR) applies to all personally identifiable information held in manual files, computer databases, videos and other automated media about living individuals. It does not apply to the personal data of deceased person
  • The Regulation dictates that such information should be held and disposed of in a secure manner and only disclosed on a need to know basis. Staff will not disclose information outside their line of duty.
  • Individuals have a right of access to their own information regardless of the media on which this information may be held. Individuals are not entitled to information relating to other people unless the information is also about them or they are acting on behalf of someone.
  • Any request for accessing patient information should be referred to either the Hospice’s Caldicott Guardian or Director of Quality and Improvement.
  • The GDPR does not specify how to make a valid request. Therefore, individuals can make a verbal or written request for a copy of information about them that is held on computerised or manual filing systems. This is called a Subject Access Request. A subject access request is valid if it is submitted by any means and is made to any part of the Hospice. It does not have to be made to a specific person or contact point. However, ALL Subject Access Requests received will ONLY be serviced by the Director of Quality and Improvement and/or the Hospice Caldicott Guardian and such requests should be sent on to them. On receipt of a Subject Access Request, the Director of Quality and
    Improvement will usually require the requestor to complete and return a Data Subject Access Request Form (Appendix B).
  • Routine enquiries in the normal course of work are not Subject Access Requests and it is important to recognise the difference. An enquiry to confirm an appointment would not be. The majority of Access Requests received are either from patient relatives following the patient’s death or are made by or made on behalf of patients for copies of their health records, but they could also include requests from members of staff (past or present), volunteers or business contacts.
  • No fee is to be charged to service a data subject access request unless further copies are requested by the data subject. In such cases, then a reasonable fee based on administrative costs and recorded delivery postal charges may be levied. Any required payment can be made by cash, cheque or postal order only. Cheques should be made payable to St Raphael’s Hospice.
  • The data subject access request will be acted on without delay and at the latest within one month of receipt. The time limit is calculated from the day after the request is received (whether the day after is a working day or not) until the corresponding calendar date in the next month. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The requestor shall be informed of any such extension within one month of receipt of the request, together with the reasons for the delay.
  • All patient records requested are subject to review by the Hospice’s Caldicott Guardian. If the record includes information about other people, it does not have to be provided unless the other people mentioned have given their consent, or it is reasonable to supply the information without their consent. Where necessary, information should be provided with references to other people edited out (redacted) unless the circumstances are such that the people concerned can still be identified in which case there may be an exemption. Further guidance is available from the Information Commissioner’s Office. (www.ico.gov.uk Tel. 0845 630 6060)
  • Any information that is recorded in abbreviations or technical terms must be explained and provided in a form that is easily understandable. Unless there are significant cost or time implications, the information should be provided in hard copy form.
  • Copied information should either be collected and signed for or delivered by courier and signature of receipt obtained.
  • The disclosure of records of deceased persons is dealt with under the Access to Health Records Act 1990.
  • Under that legislation, when a data subject has died their personal representative or executor or administrator or anyone having a claim resulting from the death (this could be a relative or another person), has the right to apply for access to the deceased’s health records.
  • The personal representative is the only person who has an unqualified right of access to a deceased patient’s record and need give no reason for applying for access to a record. Individuals other than the personal representative have a legal right of access under the Act only where they can establish a claim arising from a patient’s death.
  • Health records relating to deceased people do not carry a common law duty of confidentiality but it is Department of Health and General Medical Council policy that records relating to deceased people should be treated with the same level of confidentiality as those relating to living people.
  • If the deceased person had indicated that they did not wish information to be disclosed, or the record contains information that the deceased person expected to remain confidential then it must remain so.