NHS Health Record Access tips

I have written and a number of blogs about the trial and tribulations of trying to gain access to my NHS records and the issues many patients face. Only the other week I heard of another major NHS organisation in London operating unlawfully.

With this in mind, I thought I would put together some general pointers to try and provide some outlines to key questions. Please be aware, this is not a comprehensive or legal guide.
  • What is my right of access?
  • Do I have to pay?
  • Who has my health records?
  • Who do I ask?
  • How do I ask?
  • Are there specific forms or processes?
  • How do I prove who I am?
  • What should I ask for?
  • What formats can I get my record in?
  • How long should it take?
  • Are there any privacy or security considerations?
  • Where can I get further information and support?

What is my right of access?

Since 1998 the Data Protection Act has given individuals various rights when it comes to their data not least the Right of Access on which I will focus on for this blog. In May 2018 the law was updated to come in line with EU laws which further enhanced individuals rights.

Organisations are required to understand this and have processes in place for handling your right of access and there are strict rules on what they can and can't do. Unfortunately, many organisations do not know or follow these rules and so it is often left to individuals to roll up their sleeves.

It is also worth noting that NHS GPs have been contracted to provide patients with online access to records including the ability to book appointments and order prescriptions for some years. You can read more about this in my blog about The Problems with Patient Record Access and the NHS App.

Do I have to pay?

No. The first thing to note is that your information must be made available for free, historically organisations were able to charge but this is no longer the case.

Organisations can charge where you ask for the same information again or make excessive requests,  therefore it is best to ask for everything, make a note of the date and for any future requests only ask for new information from this date.

Who has my health records?

The NHS is made up of 1,000s of organisations and so you will need to go to each one separately. A good place to start is your GP. By looking at your GP record you can often find out what other organisations might have information including :
  • Hospitals you have been to.
  • Previous GPs.
  • NHS England.
  • NHS Digital.
  • Public Health England.
  • Local authorities / social care.
  • Private healthcare providers.

Who do I ask?

The good news is you can ask anyone in the organisation and they are obliged to pass on your request to the appropriate person or department to ensure it is fulfilled.

Organisations are also required to publish details of their Data Protection Officers but finding them isn't always easy, however, a good starting point is the organisation's privacy policy.

A quick browse of the organisation's website and some googling usually throws up some contact details. For hospitals, you can sometimes find a page for record access but other contacts you can often find include PAL (Patient Advice and Liaison) and the complaints department.

For GP Practices you can sometimes find general contact details, the practice manager, complaints or perhaps partner details. Your mileage will vary as GP services are very variable.

How do I ask?

A subject access request can be made through almost any channel including verbal in person, on the phone, email, letter and even social media.

My advice is to make sure you are clear about what you want and keep everything auditable so if you do make a verbal request, ensure you obtain the details of the person and follow up in writing to confirm your request to avoid any doubt if you later need to challenge them.

You do not have to state that you are making a Subject Access Request for it to be valid, although it can help if you are clear about this.

When making a request via social media you should be aware that the organisation is required to ensure it is really you making the request and so this may not be the best route to verify your identity.

Social media can be a good starting point as they can be easier to find for some organisations and as part of your request, you can ask for an appropriate correspondence email or similar for any follow up.


Are there specific forms or processes?

No. Not only can an organisation not require you to fill in any forms or follow their particular process, but they are also obliged to tell you that they are optional. All you have to do is make the request and provide enough details to help them ascertain who you are and what information you require.

How do I prove who I am?

I usually provide a summary of my details including name, date of birth, address and a few examples of interactions such as dates of admission to A&E.

Often they will ask for a copy of ID to back this up. Note that some organisations try to require you to "pop in" to prove who you are. This is not a reasonable request as the law is EU wide and therefore they should have alternative means to safely identify you other than in person.

What should I ask for?

This very much depends on your need, but I typically ask for everything including correspondence, notes, pathology data, imaging, etc. For information such as imaging to be useful in the future, you really need it in its original electronic format (a standard known as DICOM).

Imaging data can be quite large but your standard plain x-ray and ultrasound are usually small enough to email. Images such as CAT scans and MRIs can be significantly larger making it harder to transport and store them so you may be offered a download or DVD.

What formats can I get my record in?

When making your request you should try to specify how you want the information returned to you. You have a right to an electronic copy if this is what you desire. It's possible to get some information via online portals but this is often only a subset. You could ask the organisation to extend this access and send the rest via another means.

I usually ask for an export to be emailed to me however in some cases if there is a lot of data this may not be practical. Other choices you may be offered include CD, DVD, USB and paper copies. Again accessibility is an important issue and so alternatives should be available.

Some organisations will resist an electronic copy but you should stand your ground and insist on this if it is what you require.

It is worth asking for things like imaging in its original DICOM format as this will enable reuse, although it will make it harder for you to view your x-ray. Printouts and other formats can be of limited value.


How long should it take?

Organisations are required to complete the request within one month, but good practice recommends 28 days / 4 weeks. In some circumstances organisations can ask for longer if the information requested is particularly complicated however this should be rare.

If I haven't heard from them after 2 weeks I usually follow up to remind them and ensure they are aware of their legal obligation.

Are there any privacy or security considerations?

It's important you understand the issues associated with how the information is sent to you and organisations are supposed to explain the options to you so that you can make an informed choice and meaningfully consent, but in my experience, they do not.

For example, sending paper copies in the post is not secure and they could come open or be misdelivered. If you choose to use email make sure it is an account you trust and keep secure and you understand the risks.

Some organisations offer to send encrypted CDs / DVDs but many people no longer have access to suitable drives and the process can be quite technical and fiddly. Personally, I prefer to use email and store it on my computer as these are secure enough for my purposes and allow me to share more easily.

Some organisations may try to refuse to email you due to "privacy and security" this is not a lawful basis to decline your request and it should be challenged. Informed consent overrides any local policy or misunderstanding.

Where can I get further information and support?

If you are struggling to get a local organisation to comply you can always raise a complaint locally stating your request again, reminding them of your rights and pointing them to the ICO's information or the Data Protection Act itself. This has eventually worked for me when organisations have resisted my request.

In other cases, I have escalated the matter to the ICO, but bear in mind they receive a lot of complaints and it can take them some time to get back to you.

Please feel free to reach out to me on social media and where I will try to point you in the right direction. I hope to produce new blogs and information on this topic so your comments and questions are great for producing new ideas.

Summary

A summary of the key points covered :
  • Individuals have a right to their information for free.
  • You have a right to an electronic copy.
  • You can make a request to anyone in the organisation.
  • You can make a request in almost any format.
  • You cannot be required to fill in particular paperwork.
  • You may be required to prove identify 
  • It is unreasonable to expect you to just "pop in".
  • Organisations must satisfy the request within 1 month.