Introduction
From 25.5.18 the General Data Protection Regulation (GDPR) comes into force and this changes patients’ rights around access to their health records.
Patients accessing their records online will normally only have access to their coded record.
Under GDPR patients have the right to submit a Subject Access Request for access to their full records. This can be a printed copy of all or part of their record or online access to their full record.
The Practice no longer has the right to charge a fee for providing the information.
Registration for online services
This Practice accepts applications from patients as well as their proxy. Proxy access refers to access to online services by somebody acting on behalf of the patient with the patient’s consent.
The appropriate application form must be completed prior to any online access being enabled:
• Appendix A for personal access
• Appendix B for proxy access
The Practice reserves the right to review and remove access at any point in the future if it is thought that it is in the best interests of the patient or if the services are being misused.
At the point of application the patient will be provided with an information leaflet (Appendix C)
ID Verification
ID verification is required to ensure access is granted to patients/proxy users that have a legitimate reason to access a record. This will prevent access being granted to the wrong person and support the Practice in adhering to information security guidelines. We will usually ask for photo documentation as evidence of identity. Acceptable documents include passports, photo driving licences.
Timescales
On receipt of an application the patient’s records will be reviewed by a member of the admin team who is trained in summarising. It may be necessary for them to consult with the patient’s GP to grant access. Consequently requests may take up to 14 days and in some circumstances may take longer.
In line with GDPR requests for online access to full records submitted as a Subject Access Request (SAR) will be completed within one calendar month.
Mental Health Problems
Patients within the Practice with a mental illness have as much right as any patient to have access to their records, however if there is a likelihood that access to their record may cause an individual physical or mental harm then it may be necessary to redact some of the information within their record or, in extreme circumstances, refuse access to the whole record. In this circumstance the named GP responsible for the care of the patient will have a conversation with the patient to explain the reasons for refusal of access.
Access for children, parents and guardians
Child access will automatically be disabled when a child reaches the age of 11. If the child requests access to their record a competency assessment will be carried out by the GP. A child deemed competent may have access to their online record or authorise a parent/carer to have proxy access. Where a child is deemed not to be competent, a parent may apply for access but will be registered as a proxy user.
Proxy Access
A competent patient can choose and consent to allow access to relatives and/or carers. The form included in Appendix B must be completed.
Circumstances when the Practice will consider authorising proxy access WITHOUT the patient’s consent will be:
• When a child 11-16 has been assessed and is deemed as not being competent to make a decision on granting proxy access.
• When a patient over the age of 18 has been assessed and is deemed not to have the mental capacity to make a decision on granting access to their carer or next of kin.
Coercion
‘Coercion’ is the act of governing the actions of another by force or by threat, in order to overwhelm and compel that individual to act against their will.
The Practice will include the implications of coercion during the patient application process for online services by way of issuing them with a patient leaflet detailing the implications.
The Practice will consider the risk of coercion on a case by case basis as requests for access are received, and if necessary will decline access.The patient’s named GP will discuss with the applicant the reasons for refusal of access.
If coercion is identified as a risk with regard to a patient previously registered for online services then access will be immediately removed.
Levels of Access for Patients
There are different levels of information available to patients. All requests for online access will be dealt with on a patient by patient basis and the suggested access will be granted within the agreed timescales. All patients must be deemed competent to be granted access to Detailed Coded Data. However, some elements may be marked as sensitive/confidential and will not be shared via online services.
Access levels can be as follows:
• Appointments, Repeat Prescriptions and Summary Information
• Appointments, Repeat Prescriptions and Detailed Coded Record Access
The practice will not automatically grant access to Detailed Coded Data to those patients currently with access to appointments, repeat prescription and Summary Information.
Patients wanting access to their Detailed Coded Information MUST complete and submit an additional Access Request form (Appendix A). This will be considered within the Practice and granted if deemed appropriate normally within 14 days.
Patient online access does not override a patient’s right to submit a Subject Access Request which will be processed following our Practice protocol in line with GDPR. Patients submitting an SAR can choose to have online access to their full medical record instead of printed copies.
The Practice reserves the right to review and remove access at any point in the future if it is thought that it is in the best interests of the patient or if the services are being misused.