Health Records

Document Control

Policy Number


Policy Manual/System General Policy
Author Head of Health Records  Version No 2
Reviewer Assistant Head of Health Records  Implementation Date 01/01/2011
Signed By Director of Acute Services  Last Review Date

Next Review Date




1.1 A Health Record is a document (in any format) which is created or received by an organisation or person in the transaction of clinical activities and which is maintained as evidence of these.  The authenticity and reliability of records depends on them being created and handled in a properly managed and documented record-keeping system.

1.2 NHS Fife is dependent on its records to operate efficiently and account for its actions. This policy defines a structure for NHS Fife to ensure adequate records are maintained and they are managed and controlled effectively.

1.3 This document aims to set out the policy to be adhered to in relation to Health Records Management within NHS Fife to ensure that Health Records are:

  • properly controlled
  • readily accessible and available for use, and eventually archived or otherwise disposed of

Taking into consideration:

  • access, storage & retrieval
  • retention & destruction schedules
  • confidentiality



2.1 This policy is NHS Fife wide.



3.1 Roles and Responsibilities

3.1.1 The Board is responsible for ensuring that it corporately meets its legal responsibilities, and for the adoption of internal and external governance requirement.


3.1.2 NHS Fife Chief Executive has overall accountability for ensuring that Health Records management operates correctly/legally within the Board.  Responsibility may be delegated for management and organisation of Health Records services to the Director of Acute Services and CHP General Managers who are responsible for ensuring appropriate mechanisms are in place to support service delivery and continuity.  Health Records management is key to this, as it will ensure appropriate and accurate information is available as required.


3.1.3 The Board’s Caldicott Guardian has a particular responsibility for reflecting patients’ interests regarding the use of patient identifiable information.

The Caldicott Guardian has responsibility for:

  • Ensuring the Board is fulfilling all legal obligations in managing patients’ Health Records
  • Agreeing and reviewing internal protocols governing the protection and use of patient identifiable information by Board staff
  • Agreeing and reviewing protocols governing the disclosure of patient information across organisational boundaries, e.g. with social services and other partner organisations, contributing to the local provision of care
  • Developing the Board’s security and confidentiality policies
  • Representing confidentiality requirements and issues to the Board, advising on annual improvement plans and agreeing and presenting annual outcome reports


3.1.4 The Board’s Information Governance Committee is responsible for ensuring that the Health Records Policy is implemented.


3.1.5 The designated officer (Head of Records) holds a Health Records qualification or is suitably trained in Health Records practices.  This officer has professional responsibility for the overall development and maintenance of Health Records management practices throughout the Board and for ensuring that related policies and procedures conform to the latest legislation and standards on data protection, patient confidentiality and Health Records practice. 

They have particular responsibility for drafting guidance to support good records management practice in relation to clinical records and for promoting compliance with the Records Management Code of Practice.

This officer is also accountable for the release of all patient clinical information for data subject access and medico-legal purposes.  This release may be provided by nominated representatives.


3.1.6 All NHS employees are responsible for any Health Records which they create or use.  This responsibility is established and defined by the law (Public Records (Scotland) Act 1937 as amended).  Furthermore as an employee of the NHS, any Health Records created by an employee are public records.

All Board staff whether clinical or administrative, who create, receive and use Health Records have records management responsibilities.  All staff must ensure that they keep appropriate records of their work and manage those Health Records in keeping with this policy and with any guidance subsequently produced.

Everyone working for or within the NHS who records, handles, stores or otherwise comes across patient information has a personal common law duty of confidence to patients and to his or her employer.  The duty of confidence continues even after the death of the patient or after the employee or contractor has left the NHS.

Breach of this policy will mean the organisation is not safeguarding information entrusted to it, which in some circumstances may render the organisation liable to prosecution.  It is therefore essential staff within the organisation with responsibility for records management comply with the policy otherwise they may be subject to disciplinary procedures.



Records management, through the proper control of the content, storage and volume of records, reduces vulnerability to legal challenge or financial loss and promotes best value in terms of human and space resources through greater coordination of information and storage systems.

The records are also public records under the Public Records Acts and must be kept in accordance with following statutory and NHS guidelines: --
Public Records (Scotland) Act 2011
Medical Reports Act 1988
The Computer Misuse Act 1990
Access to Health Records Act 1990
Data Protection Act 1998
Human Rights Act 2000
Records Management: NHS Code of Practice (Scotland) Version 2.1,       January 2012
Quality Improvement Scotland  - Standards for Record Keeping
Information Governance Standards
National eHealth Strategy
Caldicott Review of Patient Identifiable information, 1997
Information Governance Records Management Guidance notes 1-9    27/08/2010


4.1 Classification of Records

4.1.1 A Patient health record relating directly to the physical or mental health or condition of an identifiable individual and which has been made by, or on the advice of, a health professional in connection with the care and treatment of that person, or in connection with the organisation of that care’(see Appendix 1 for definition of a 'health professional').


4.1.2 This policy relates to all clinical operational records.  Operational records are defined as information, created or received in the course of business, and captured in a readable form in any medium, providing evidence of the functions, activities and transactions. They include:

  • Patient Health Records, including those concerning all specialities, but excluding GP medical records and includes private patients seen on NHS premises
  • Theatre Registers and all other registers that may be kept
  • X-ray and imaging reports, output and images
  • Photographs, slides, and other images
  • Microform (i.e. fiche/film)
  • Audio and video tapes, cassettes and digital files.
  • Records in all electronic formats and material intended for short term or transitory use, including notes and ‘spare copies’ of documents, pathological records, including cervical smears and histological specimens.

This list is not exhaustive.

They do not include copies of documents created by other organisations such as the Scottish Government Health Directorates and predecessors, kept for reference and information only.

This policy sets out the best practice for NHS Fife in creating, using retaining and disposing of Health Records.  It applies to records in all formats, of all types and in all locations.


4.2 Aims of Health Records Management System

The aim of this Health Records policy is to ensure that procedures are in place to bring together the health professionals and accurate, relevant, reliable patient documentation at the correct time and place to support patient care.  In achieving this aim, all the NHS Scotland employees should fulfil statutory and other legal requirements, ensuring patient safety and safe custody and confidentiality of patient information at all times.

The aims of our Health Records management system are to ensure that:

Health Records are available when needed – from which NHS Fife is able to form a reconstruction of activities or events that have taken place

Health Records can be accessed – Health Records and the information within them can be located and displayed in a way consistent with the record’s initial use and that the current version is identified where multiple versions exist

Health Records can be interpreted – the context of the record can be interpreted: who created or added to the Health Record and when, during which business process, and how the Health Record is related to other Health Records

Health Records can be trusted – the Health Record reliably represents the information that was actually used in or created by the business process, and the records integrity and authenticity can be demonstrated

Health Records can be maintained through time – the qualities of availability, accessibility, interpretation and trustworthiness can be maintained for as long as the Health Record is needed, perhaps permanently despite changes of format

Health Records are secure – from unauthorised and inadvertent alteration and erasure.  Access and disclosure are properly controlled and audit trails will track all use and changes to ensure that Health Records are held in a robust format which remains readable for as long as they are required.

Health Records are retained and disposed of appropriately using consistent documented retention and disposal procedures, which include provision of appraisal and permanent preservation for Health Records with archival value

Staff are trained – all staff are made aware of their responsibilities for Health Record keeping and management

It is used to:

  • support patient care and continuity of care
  • support day to day corporate activities which underpin delivery of care
  • support evidence based practice
  • support epidemiology
  • meet legal and regulatory requirements
  • assist medical and other audits
  • Support improvements in clinical effectiveness through research


4.3 Health Records Life Cycle Process

Health Records are confidential documents and should be clearly identifiable, accessible and retrievable.  They should be authentic, meaningful, authoritative, and adequate for their purpose and correctly reflect what was communicated, decided or done.  They should be unalterable and after an action has occurred nothing from the Health Record should be deleted or altered.  Information added to an existing hard copy Health Record should be signed and dated.  Health Records systems should be secure and their creation, management, storage, transport and disposal should comply with current legislation.


4.3.1 A comprehensive Health Record is created and maintained for every patient attending health services to provide an up to date and chronological account of the patient’s care.

Patient demographic data for each registration should be recorded on the master patient index of the patient administration or departmental patient management system.  The minimum patient demographic data should include surname, forename, sex, date of birth, home address, postcode, Community Health Index (CHI) number and departmental number.

NHS Fife should use the CHI number as the primary patient identifier.

Where there is more than one local identifier or case record per patient, a system should be in place to ensure that the existence of all other Health Records is known at all times.

Paper Health Records have a standard case record folder constructed of robust material to withstand handling and transport and with secure anchorage points to prevent loss or damage to documents.  There should be no inside pockets or flaps as these can lead to misfiling or loss of documents.

There is a method for indicating alert or risk factors which is used consistently in all Health Records, with a designated place for healthcare professionals to record actual or suspected clinical alerts and hazards which are signed and dated. 

There may be an indicator on the outside of the folder but the confidential detail should be placed inside the folder.

There is a locally agreed format for filing of information within the Health Record which facilitates ease of access to all clinical information.  Clear instructions regarding the order of filing should be contained within the folder or printed on the divider(s).  Documents should be viewable in chronological order reflecting the continuum of patient care.

Machine generated reports and recordings, e.g. CTG, ECG and laboratory reports, are securely stored using a method that will minimise deterioration.

There are dated documented procedures for the management of electronic Health Records.

All electronic Health Record information systems are password protected and passwords are changed at regular intervals.


4.3.2 Health Records storage areas should provide a safe working environment with secure storage that allows Health Records to be retrieved at all times. 
These areas should only be accessible to authorised Administrative or Clinical staff.

Health Records storage areas and office accommodation conform to all current legislation and guidance regarding health and safety.

Regular risk assessments are undertaken in line with the organisation’s risk management strategy.

Racking for storage of Health Records is stable, of strong enough construction to support the weight of Health Records and complies with current health and safety regulations. 

There are safety step ladders and safety stools appropriate to the number of staff employed/size and use of the Health Records storage area.

There is a documented protocol for safe manual and object handling practices.  All staff are fully trained in related manual handling

There is a mechanism to ensure that all equipment used in the department conforms to appropriate legislation and a record of equipment checks is kept.

Access to Health Records storage areas is restricted to authorised personnel only.  Health Records should not be accessible to unauthorised persons nor left for any period where they might be accessed by unauthorised persons.  The keys/access codes/access pass to storage areas that are locked are available to authorised staff at all times to facilitate retrieval of Health Records. 

Health Records storage areas must be able to accommodate current needs and annual growth of Health Records.  The Health Records collection inventory demonstrates how this will be achieved.

Health Records are stored securely when located in clinical areas or offices and arrangements are in place to facilitate retrieval of Health Records when required.

When paper Health Records are no longer required for current episodes of care they may be placed in secondary storage areas, either on site or off site.


4.3.3 Paper records may be scanned into electronic format


4.3.4 All Patient Identifiable Information must be transported securely. Transportation methods must be fit for purpose and in accordance with individual departmental procedures.  There are various methods employed for both manual and electronic records.


  • Single record Envopak carriers with seals
  • Multiple record Envopack carriers with seals
  • Sealed double envelopes
  • Purpose designed plastic boxes

For further information please refer to information governance health records guidance note 9, Transportation of Manual records, 27/08/2010



Please refer to the following NHS Fife IT policies:

  • IT Security Policy
  • IT Data Storage Policy
  • IT Mobile Data use of storage devices
  • NHS Fife Email Policy


4.3.5 Maintaining proper Health Records is vital to patient care. A comprehensive Health Record should be maintained for every patient.  Each Health Records system should have well defined procedures for the ongoing management of the Health Record from initiation to final disposal in accordance with current legislation.

Whenever possible, separate areas are maintained for current and non-current Health Records in use within the organisation.

There are documented procedures for the safe storage and retrieval of Health Records, both manual and electronic.

There are documented procedures for booking Health Records out from the normal filing system which enable rapid retrieval of Health Records and prevents misfiles. 

Tracer and tracking systems facilitate timeous retrieval of Health Records.

There is a documented procedure for splitting fat folders including cross-referencing of the volumes such that clinical staff may efficiently use them.  Closed volumes are suitably labelled.

There is a documented procedure relating to the return of patient held records to the Health Records department when the episode of care for an individual patient is complete.

Contents of the Health Record are filed in the correct order according to the design of the Health Record folder and dividers.  Documents are securely fastened within the folder.

The responsibility for filing of loose documentation is clearly defined.

There is a system to ensure that staff routinely remove poorly filed and torn Health Records to reassemble or re-cover.

There are documented procedures for the transportation of Health Records within and outwith health board boundaries.

There are documented procedures for handling Subject Access and other legal requests with clear responsibility for responding by fully trained dedicated staff who process requests efficiently and in accordance with the law.

There is a mechanism to help identify any misfiled Health Records, e.g. colour coding.

There are documented procedures for the retention, archiving or destruction of Health Records in accordance with national guidelines.  The method of destruction must ensure that confidentiality is maintained at all times.

There is a set of performance indicators which demonstrate the efficiency of Health Records management.  These should monitor such things as Health Record availability, use of temporary folders and timescales for receipt of Health Records at wards following emergency admission.

Health Records are stored securely when located in clinical areas or offices and arrangements are in place to facilitate retrieval of Health Records when required.


4.3.6 There is a documented Policy for the Retention & Destruction of Health Records GP/R8 in accordance with the Scottish Government Records Management NHS Code of Practice (Scotland).  The method of destruction must ensure that confidentiality is maintained at all times.  The Policy specifies the timescale for retention for all types of Health Records and media, the procedure for transfer between media


4.4 Legal and Professional Obligations

All NHS Health Records are public records under the Public Records (Scotland) Act.  The Board will take actions as necessary to comply with legal and professional obligations such as:

The Data Protection Act 1998
Scottish Government Records Management: NHS Code of Practice (Scotland) Version 2.1 January 2012
The Common Law Duty of Confidentiality; and
The NHS Scotland Confidentiality Code of Practice
Access to Health Records Act 1990
Public records (Scotland) Act 2011

And any new legislation affecting Health Records management as it arises.


4.5 Core Standards

The following core standards must be met across NHS Fife, and within each area/department/ward, with clear access procedures agreed locally

4.5.1 All entries in records must be recorded legibly in ink, dated and signed

4.5.2 All records are stored securely with controlled access

4.5.3 Outwith the main Health Records Libraries, all confidential records are kept secure in locked filing cabinets or offices with controlled access.

4.5.4 The main Health Records Libraries will secure physical access through scan entry     systems.

4.5.5 Records are filed in the manner most appropriate for effective management, timeous retrieval and compliance with NHS Fife Retention & Destruction Policy GP/R8.

4.5.6 Protection from the risk of fire and flood must be considered in designating storage areas


4.6 Retention and Disposal Schedule

It is a fundamental requirement that all of the Board’s Health Records are maintained for a minimum period of time for clinical, legal, operational, research and safety reasons.  The length of time for retaining Health Records will depend on the record type

NHS Fife has adopted the minimum retention periods set out in the Scottish Government Records Management NHS Code of Practice (Scotland) Version 2, March 2010 and is contained in a separate policy.  The local retention schedule will be reviewed every 3 years or earlier in the light of legislative or Scottish Government changes.


4.7 Health Records Inventory

NHS Fife requires to know what records are held, where they are kept and how the information contained within the records is being used.  An up-to-date Health Records inventory will be maintained by the Head of Records.  This will identify all record collections/information sets that exist within the organisation, the volume of records, the type of media on which they are held, their physical condition, their location, the physical and environmental conditions in which they are stored and the responsible manager

The Head of Records should be made aware when new collections of records or information sets are created or where management arrangements or physical locations change. A Manual Health Records Inventory Form can be found as Appendix 2.


4.8 Health Records Management Systems Audit

NHS Fife will regularly audit the records management practices for compliance with this policy.  Auditing Health Records policies and procedures will be done on a systematic basis.  The audit will compare current operational practice against defined procedures.  The audit cycle will include self assessment against the Information Governance and Quality Improvement Scotland.  A summary of these standards are listed at Appendix 3.


Audit Cycle:



4.9 Health Records Management Improvement Plan

NHS Fife is formulating an Improvement Plan identifying programmed activity for delivery of the Health Records best practice.  This identifies tasks related to each of the development areas with achievable milestones and timescales for implementation.  Progress will be monitored through audit and compliance with the Information Governance.  An example of the Improvement Plan is attached as Appendix 4.


4.10 Health Records Procedures

The Head of Records is responsible for planning and documenting Health Records departmental policies and procedures thus providing standardisation of work tasks throughout the department.  In this context a procedure is a structured, action orientated list of sequential steps involved in carrying out a specific job.  It is a series of related steps designed to accomplish a specific task.  All Health Records Departments should have a procedure manual to ensure that all staff members are undertaking their duties in a consistent way.  Health Records procedures associated with this document can be found at Appendix 5.


4.11 Training

All staff employed by NHS Fife including volunteers and contractors should be given training on their personal responsibilities for Health Records keeping.  This includes the creation, use, storage, security and confidentiality of Health Records.  Appropriate training should be provided for all users of the Health Records systems to meet local and national standards.  All new employees to the organisation will be given basic training as part of the organisation’s induction process.  Additional training in the specifics of Health Records management will be provided where appropriate.  Training is tailored to specific staff groups and functions including the following:

  • All current relevant legislation and NHS standards
  • All current relevant organisation policies and procedures
  • Caldicott requirements
  • Patient confidentiality and the security of records, whether paper or electronic
  • Access to Health Records Act 1990
  • Scottish Government Records Management NHS Code of Practice (Scotland)
  • Secure destruction of confidential waste
  • Individuals rights to access information (Data Protection Act 1998/Mental Health (Scotland) Act 2003)
  • NHS Scotland Code of Practice on Confidentiality
  • Health Records practitioners and personnel are pivotal to the management of Health Records systems and should receive customised training in Health Records practice.  The procedure manual is a key management tool and should form the basis for all Health Record system specific training.



5.1 Failure to abide by this Policy could lead to breach of the Data Protection Act, Freedom of Information Act and Caldicott recommendations.

5.2 It is the responsibility of the Line Manager to ensure this Policy is deployed within their area of responsibility.



6.1 NHS Fife Health Records Retention and Destruction Policy GP/R9

6.2 All other related NHS Fife Medical Records Procedures (List as Appendix  6)



7.1 Public Records (Scotland) Act 2011

7.2 Medical Reports Act 1988

7.3 The Computer Misuse Act 1990

7.4 Access to Health Records Act 1990

7.5 Data Protection Act 1998

7.6 Human Rights Act 2000

7.7 CEL 31 (2010) Records Management Code of Practice (Scotland)

7.8 Records Management: NHS code of practice (Scotland) Version 2.1 January 2012

7.9 Quality Improvement Scotland – Standards for Record Keeping

7.10 Information Governance Standards

7.11 National eHealth Strategy

7.12 Caldicott Review of Patient Identifiable information, 1997

7.13 Information Governance Records Management Guidance notes 1-9   27/08/2010

Related Publications

Related Policies


We have placed cookies on your computer to improve your experience here. If you do not want us to use cookies you can change your settings at any time.