Health professionals often receive requests from people who wish to access health records.

These requests can include requests from patients to view or obtain copies of their own health record using GDPR subject access request rights or the requests might come from third parties, such as the police.

Sometimes the requests are for access to the records of deceased patients.

Access to health records guidance

The BMA guidance covers the following areas:

• defining a health record
• advice on record-keeping
• subject access requests
• requests for access on behalf of others
• requests by the police
• requests by insurers
• requests for access to the records of deceased patients
• records retention.

Requests from the police

A common enquiry to the BMA is the rights of access to health records by the police.  If the police do not have a court order or warrant they may ask for a patient’s health records to be disclosed voluntarily under Schedule 1, Paragraph 10 of the DPA 2018.  However, while health professionals have the power to disclose the records to the police, there is no obligation to do so.  In such cases health professionals may only disclose information where the patient has given consent, or there is an overriding public interest.  For doctors, the threshold for disclosures in the public interest is that set out by the GMC and which reflects the requirements of the common law duty of confidentiality.

In this context a disclosure in the public interest is a disclosure that is essential to prevent a serious threat to public health, national security, the life of the individual or a third party, or to prevent or detect serious crime.  This includes crimes such as murder, manslaughter, rape, treason, kidnapping and abuse of children or other vulnerable people. Serious harm to the security of the state or to public order and serious fraud will also fall into this category.

In contrast, theft, minor fraud or damage to property, where loss or damage is less substantial, would generally not justify the breach of confidence necessary to make the disclosure.

Health professionals should be aware that they risk criticism if they fail to take action to avoid serious harm being caused to others. Guidance should be sought from the Caldicott guardian, or defence body where there is any doubt as to whether disclosure should take place in the public interest.

Access to the health and care records of deceased people

The following guidance has been reviewed by the Health and Care Information Governance Working Group, including the Information Commissioner's Office (ICO) and National Data Guardian (NDG).

The police may request records of deceased people as part of their investigations.  You may consult your information governance (IG) team or a senior member of staff regarding disclosure to ensure there is a legal basis for any disclosure and that the information shared is relevant to and necessary for the stated purpose.  In most cases, to make a disclosure you will need to be satisfied that the public interest served by disclosure outweighs the public interest served by protecting the confidentiality of the individual and the public interest served by providing a confidential service to the wider public.  You can refuse a request from the police if you are not satisfied that disclosure is relevant or necessary for the stated purpose. The NHS IG portal has detailed guidance about disclosures to the police.