Professional Reference articles are designed for health professionals to use. They are written by UK doctors and based on research evidence, UK and European Guidelines. You may find one of our health articles more useful.
A medical record in paper or electronic format provides a written account of a patient's medical history, containing information about diagnosis, treatment, chronological progress notes and discharge recommendations. A whole raft of legislation, standards and guidance on what has become known as 'Information Governance' has been produced in the last few years to cover issues of access, confidentiality and disclosure.
The electronic patient record appears to have structural and process benefits, but the impact on clinical outcomes is less clear.
The following are the main pieces of legislation covering the creation, storage and sharing of health information
- Common law duty of confidence - confidential patient information may only be disclosed:
- With a patient's consent; or
- Where it is required or permitted by law (statutory instrument or Court Order); or
- Where the public good achieved by disclosure outweighs the individual's right to confidentiality.
- Computer Misuse Act 1990 - identifies a range of offences relating to unauthorised access to, or unauthorised modification of, computer records. This act may apply where an unauthorised third party accesses information being transferred. Enforcement is difficult and prosecutions uncommon but may be relevant where systems are used other than by authorised staff for approved purposes.
- Access to Health Records Act 1990 - provides qualified right of access to the record of a deceased individual where the person seeking access has an interest in the estate of the deceased. Only applies to records created after 1st November 1991.
- The Data Protection Act 1998 - eight principles which define the conditions under which processing (including recording, storage, manipulation and transmission) of personal data can be determined to be legally acceptable. There is a special section in the Act addressing the sensitive nature of health information and the needs of health professionals to communicate that information between themselves. The Act gives patients rights of access to their medical records and applies to electronic and paper-based record systems. The Act requires that patients be made aware of who will see their personal data and for what purpose. It does not prevent clinical data from being shared for NHS purposes but may require other uses to obtain explicit consent from patients (eg, to investigate fraud). The eight principles state that information should be:
- Fairly and lawfully processed.
- Processed for limited purposes.
- Adequate, relevant and not excessive.
- Not kept for longer than is necessary.
- Processed in line with subjects' rights.
- Not transferred to countries without adequate protection.
- Freedom of Information Act 2000 - provides public access to information held by public authorities. It does this in two ways:
- Public authorities are obliged to publish certain information about their activities; and
- Members of the public are entitled to request information from public authorities.
The Act covers any recorded information that is held by a public authority in England, Wales and Northern Ireland, and by UK-wide public authorities based in Scotland. Information held by Scottish public authorities is covered by Scotland's own Freedom of Information (Scotland) Act 2002.
- Electronic Communications Act 2000 - allows for the creation and transmission of prescriptions by electronic means in cases where specified conditions are met.
- Human Rights Act 1998 - based on the European Convention of Human Rights. Of the 15 articles, the most relevant for GPs is Article 8 which provides a right to respect for privacy that can only be set aside in accordance with the law when considered necessary in a democratic state. The Government advises that this right be respected fully where there is compliance with the Data Protection Act 1998 and the Common Law duty of confidence.
- Mental Capacity Act 2005 - this was enacted in 2007. It is relevant in situations where a patient who lacks mental health capacity has not appointed a representative with lasting power of attorney. In such circumstances, a senior health professional has the power to act in the patient's best interests and this may include the sharing of information.
- The Access to Medical Reports Act 1988 - this allows patients to see medical reports about them, for employment or insurance purposes, written by the doctor with whom they normally have a patient/doctor relationship. They may see the report before it is supplied or for up to six months afterwards. Access to the report may be denied in two circumstances - if the reporting doctor feels that it contains information which may cause serious mental or physical harm to the patient, or if it contains information from a third party who has not given consent to disclosure. If they disagree with any part of the report they may withdraw consent for it to be supplied, ask for agreed inaccuracies to be altered, or require that a note be added outlining the differences between their view and that of the reporting doctor.
- The Terrorism Act 2000 - Section 19 of this Act places a statutory obligation on health professionals to disclose relevant personal health information where they believe an offence under the Act has been committed. Furthermore, if information is disclosed to the Serious Organised Crime Agency under this guidance, disclosure is exempt from any obligations of confidentiality under Section 34 of the Serious Organised Crime and Police Act 2005.
The facility to record clinical information exclusively on computer became lawful in October 2000.
Information security standards
The world of information security is a complex and fast-changing one and most standards apply to the NHS as a whole, or to individual computer suppliers. However, GPs may need to familiarise themselves with the terminology, particularly as practice-based commissioning develops. The main standards are:
- ISO/IEC 27002: provides guidance on best practices in information security management to ensure compliance with the current information security regulations.
- IEC 61508: sets out the requirements for ensuring that systems are designed, implemented, operated and maintained to provide the required safety integrity level. It sets out basic technical safety requirements with which computer suppliers are expected to comply.
GP records and information governance
- Informed consent - the gold standard for the disclosure of information is informed consent, unless there are clear legal reasons why this should be overridden (such as the Mental Capacity Act). The policy endorsed by all relevant bodies is that where information sharing is part of the care process and patients are made aware of the option to refuse disclosure, consent may be implied. In all other cases, specific and expressed consent must be sought. Care must be taken not to disclose information about third parties and an electronic record must be kept about any disclosure. Where patients lack capacity and also in children, guidance should be sought before disclosure (eg from the Clinical Commissioning Group, medical defence organisation, BMA or publications below).
- Anonymisation and pseudoanonymisation - data are not confidential if the individual cannot be identified directly or through linkage with other data. Ethical and policy restrictions still exist - eg, research guidelines. There are two categories of anonymisation:
- Anonymised (unlinked) - stripped of any elements that would allow identification of individuals.
- Pseudo-anonymised (linked) - individual records could be identified by authorised personnel.
- Research - no data should be disclosed without the approval of the relevant patients, clinicians and research ethical committee(s). Extraction of patient-identifiable data, other than for routine care, should only occur, with the knowledge and informed consent of the guardian of the record (eg, the GP), following approval from a Research Ethics Committee and responsible primary care organisation (PCO) and should either be with the informed consent of the patient, or be approved by the Secretary of State.
Entering information via Read coding rather than free text has revolutionised the ability of practices to search and audit their data. Whilst adequate for primary care, the Read code system does have its limitations in the wider environment of the integrated care record and the Systemised Nomenclature of Medicine - Clinical Terms (SNOMED CT) has been selected as the standard terminology scheme for the National Programme for Information Technology (NPfIT - see below). The rights to the production, distribution and development of SNOMED were acquired by the International Health Terminology Standards Development Organisation (IHTSDO) in April 2007. NHS Connecting for Health (NHS CFH) will act as the host organisation of the IHTSDO and the centre responsible for UK activities is known as the UK Terminology Centre (UKTC).[16, 17]
The National Programme for Information Technology
The Government's vision is to establish, through its agency, Connecting for Health, an NHS IT system which will be able to communicate within itself (eg, transfer of information between GPs, the hospital sector and community services), with external agencies such as social services, and with health services globally.
A system of funding for GP computers has been instituted, called the GP Systems of Choice (GPSoC) programme. This encourages system suppliers to develop software which is compatible with the local service provider (LSP) care record. The means of ensuring this compliance is called the Common Assurance Process (CAP).
To deliver the objectives, several components need to be in place, the most significant of which are:
- NHS Care Records Service - aims to develop individual electronic records for every patient in England, securely accessible by the patient and selectively available to those providing care. See 'Summary Care Record', below, for further information.
- Choose and Book - allows GPs and other members of the PHCT to make initial hospital or clinic outpatient appointments. If preferred, patients can make their appointment later - after consulting with family carers or colleagues - either online or through a telephone booking service.
- Electronic Prescription Service - enables electronic transfer of prescriptions from primary care prescribers to dispensers in England. Release 2 is currently being rolled out to some PCOs. This enables paperless transfer of prescription information from GP practice to pharmacist and covers all necessary drugs.
Summary care record
A Summary Care Record (SCR) is stored at a central location. The record will not contain a patient's full medical history but will include essential health information, such as prescribed medication and allergies. Access to a patient's SCR will be restricted to healthcare staff providing care for the patient. Patients can request not to have an SCR by completing an opt-out form.
GP IT systems have the capability to upload SCRs for all registered patients in a GP practice to the national NHS 'spine'. Once uploaded, the records continue to be maintained automatically but there are a few small tasks that GP practices need to perform in order to make sure the SCRs for their registered patients remain accurate and up-to-date. GP practices can access and view SCRs for any non-registered patients, including emergency and temporary patients.
Further reading and references
Information governance; NHS England
Holroyd-Leduc JM, Lorenzetti D, Straus SE, et al; The impact of the electronic medical record on structure, process, and outcomes within primary care: a systematic review of the evidence. J Am Med Inform Assoc. 2011 Nov-Dec18(6):732-7. doi: 10.1136/amiajnl-2010-000019. Epub 2011 Jun 9.
Confidentiality NHS Code of Practice; Dept of Health, November 2003 (archived content)
Terrorism Act 2000; Office of Public Sector Information
ISO/IEC 27002; International Electrotechnical Commission, ed2.0 (2013-09)
IEC 61508; International Electrotechnical Commission
The Good Practice Guidelines for GP electronic patient records; Dept of Health/Royal College of General Practitioners/British Medical Association, version 4, 2011
Snowmed CT; Health & Social Care Information Centre (HSCIC)
Systems; Health & Social Care Information Centre (HSCIC)
Choose and Book Updates; Health and Social Care Information Centre
Electronic Prescription Service (EPS); Health and Social Care Information Centre (HSCIC)