Medical Director
Head of Health Records
Health Records Manager (Waiting Times Management Access to Health Records)
Medical Director
01 December 2013
01 December 2013
01 December 2016


1.            FUNCTION


1.1.        This procedure exists for patients and employees who wish to view health information held on them, covered by the Data Protection Act 1998 and the Access to Health Records Act 1990. This procedure does not include GP records.



2.            LOCATION

2.1.        This procedure applies to all health information held within NHS Fife excluding GP Practice.



3.            RESPONSIBILITY


  • Medical Director
  • Caldicott Guardian
  • Data Protection Co-ordinator
  • Head of Health Records
  • Delegated operational management by Health Records Manager for Acute Services and Primary Care requests, Administration Services Manager for Mental Health requests, and relevant Clinical Services Managers or CHP Lead





4.1.        The Data Protection Act 1998 gives individuals, or their representatives, the right of access to their health records.  Patients have the right to ask any Health Professional that has treated them to see the records he or she has made about their health. This procedure does not include GP Practice.


4.2.        The Access to Health Records Act 1990 gives individuals the right to see health records of deceased individuals provided they have a valid interest in the record, e.g. the Executor.


4.3.        Requests for Access to Records by a Patient Representative:


4.3.1.    A patient can authorise a representative to access their health records on their behalf.  This must be done in writing, with confirmation of the representative’s identity and relationship to the patient.


4.3.2.    Representatives able to provide evidence that they are acting under Power of Attorney will be granted access to the health records of the patient.


4.4.        Parental Responsibility:


4.4.1.    A parent, or those with parental rights and responsibility, may see a child’s record if the child is under 16 years of age.  However, a child aged 12 or above is generally considered mature enough to understand what a subject access request is and should therefore be asked to provide their consent to allow their parents to make the request for them.  Parental responsibility is defined in the Children’s Act 1989 as “all the rights, duties, powers, responsibility and authority by which law a parent of a child has in relation to the child and his property”.


4.4.2.    In practice, parental responsibility would include:


·         Having the child live with the person with responsibility or having a say in where the child lives

·         If the child is not living with him/her – having a personal relationship and regular contact with the child

·         Controlling, guiding and directing the child’s upbringing

·         Financially supporting the child



4.5.        Health Records Relating to the Deceased


4.5.1.    Requests relating to medical records of a deceased patient fall under Access to Health Records Act 1990.  Such requests from a solicitor must be accompanied by a Mandate signed by the Executor or next-of-kin.  There is a legal obligation under the Act to respond to such requests within 40 days, unless the record, or part record, being requested has been made within the 40 days preceding such a request, in which case the time limit to respond is 21 days.


4.5.2.    Where the patient has died the patient’s representative or any person who may have a claim arising out of the patient’s death may make an application.  Access shall not be given to any part of the record which in the opinion of the health professional would disclose information which is not relevant to any claim which may arise out of the patient’s death.


4.6.        Solicitor/Insurance/Medical Company Requests


4.6.1.    Solicitors/Insurance/Medical companies who are acting in civil litigation cases for patients should obtain written consent from the patient, which should be included with the request.


4.7.        Application for Access to Health Records


4.7.1.    Requests for access are received in various ways; via mail, email, telephone and Patient Relations.


4.7.2.    As all applications must be in writing, the relevant Manager will ensure a Subject Access Request form together with other appropriate information is sent to the applicant.  This information will contain guidance on requesting  any additional support needs, e.g. information in large print, records in alternative formats, community languages etc.


4.7.3.    Applications must be signed and dated by the applicant.


4.7.4.    Where an application is made on behalf of an individual, a signed form of consent must accompany the written application.  See Appendix 1 Subject Access Request for Health Records Application Form and Appendix 2 Subject Access Request Patient Information Leaflet.


4.8.        Duty to consult on a valid application for Access to Records


4.8.1.    The Manager receiving the request will liaise with all information holders to ensure one application, where possible, is processed.


4.8.2.    On receipt of the application for access to health records, the Health Records Manager/Administration/Clinical Services Manager has a duty to consult the relevant Health Professional(s) on issues relating to the disclosure of information –


·         To confirm that the applicant is of an age and capacity to understand the nature of the application

·         To take a decision regarding the withholding of access to all or part of a health record

·         To provide assistance where records may need to be explained to the applicant


4.9.        Fees to access and copy Health Records


4.9.1.    Under the Data Protection Act 1998 (fees and miscellaneous provisions) Regulations 2001, a patient can be charged to view their records or to be provided with a copy of them.


4.9.2.    Maximum charges will include postage and packaging costs and are intended to cover the reasonable administration costs of disclosure.


4.9.3.    To provide copies of patient health records, the maximum charges are as follows –


·         Health records held electronically – a maximum charge of £10.00

·         Health records held both electronically and manually – a maximum charge of £50.00

·         Health records held manually – a maximum charge of £50.00


4.9.4.    If a patient wishes to view their health records or obtain copies, access is free if the records have been added to within the last 40 days.


4.9.5.    Within NHS Fife if a patient wishes to view their health records or obtain copies, charges will be as above to a maximum of £10.00.


4.9.6.    Charges for photocopying will be added for patient/representative access at 10p per copy.  This will be on top of the £10.00 access charge.  The maximum fee including photocopying cannot exceed £50.00.


4.9.7.    Solicitors acting on behalf of patients will be charged at £50.00.  No charge may be made for photocopying.  If the solicitor is requesting a copy of an Accident and Emergency record card only, then a fee of £10.00 plus photocopying at 10p per sheet will be charged.


4.10.     Timescales


4.10.1. Response time for access requests will be within the timescales outlined in the Data Protection Act 1998 and Access to Health Records Act 1990.


4.10.2. If a fee is to be charged for the access request, the applicant will be informed that a fee is payable and the amount requested. Information will not be provided until such time as the fee has been paid.


4.10.3. However, where a request for copy health records has originated from solicitors, an invoice will be raised at the time of providing copy records to the solicitors.


4.10.4. Responses to requests for access must be made within 40 days of the date of receipt of the request for health records relating to living individuals and within 21 days for health records of the deceased.  See Appendix 3 “Process for actioning Subject Access Requests”.


4.11.            Denial of Access


4.11.1.        Access to all or part of a record will be denied if –


·            In the opinion of the relevant health professional, the information to be disclosed would be likely to cause serious harm to the physical or mental health of the applicant or any other person

·            Where the record relates to, or has been provided by, an identifiable third party, unless the third party has consented to disclosure.


4.11.2. In addition the Data Protection (Subject Access Modification) (Health) Order states that access may be denied in circumstances where –


·            The granting of access to a patient representative would disclose information provided by the patient in the expectation that it would not be disclosed to the person making the request

·            The granting of access would disclose information obtained as a result of any examination or investigation to which the patient consented, in the expectation that the information would not be so disclosed to another individual

·            The patient has expressly indicated that such information should not be disclosed to another individual


4.11.3. Notification of refusal to grant access will be given as soon as possible in writing to the applicant.


4.12.     Disclosure of the Record


4.12.1. Once the appropriate consent documentation is received, disclosure is approved and the fee is paid, the copies of the health records will be sent to the patient or their representative in a sealed envelope by recorded delivery.  Where requested, viewing will also be arranged.


4.12.2. This completes the Health Records procedure for Subject Access Request; any further support should be sought via the Patient Relations Department.




5.            RISK MANAGEMENT


5.1.        There is a risk to the organisation of inappropriate disclosure of third party information due to the volume of casenotes to be checked.





Appendix 1  :   Subject Access Request for Health Records Application Form

Appendix 2  :   Subject Access Request Patient Information Leaflet

Appendix 3  :   Process for actioning Subject Access Requests

            GP/D3 NHS Fife Data Protection Policy



7.            REFERENCES


The Children’s Act 1989


http://www.ico.gov.uk/ - the Information Commissioners website for information on the Data Protection Act 1998


http://www.opsi.gov.uk/acts/acts1990/Ukpga - Government website for information on the Access to Health Records Act 1990


http://www.hris.org.uk - Health Rights Information Scotland website for more information on ‘How to see your Health Records’