Data protection

Online patient access - hot topic FAQs

Get advice on key risk areas ahead of the final deadline for online access to patient records

Woman holds smartphone
  • Date: 23 June 2023
  • |
  • 6 minute read

PLANS to give patients in England digital access to all new entries in their GP health records are in the final stages. Practices who have not already made the switch have been given a final deadline of 31 October 2023.

MDDUS has received a steady stream of advice calls ahead of the ‘go-live’ date, with a number of queries focusing around three key areas:

  • considering access for patients with safeguarding concerns
  • managing potentially harmful information
  • proxy access to records.

Below is practical advice on these areas, as well as helpful tips from “early adopter” practices who shared their experiences with NHS Digital.

The key take-home messages are:

  • Have agreed policies for identification of potentially harmful information and vulnerable patients. Ensure this provides clear guidance for all staff members and is reviewed and updated regularly.
  • Maintain good communication with staff and patients. Make use of all resources available and have information visible in a variety of accessible formats.
  • Ensure all staff have role-appropriate training and that this is refreshed regularly.

As the planned automatic switch-on applies only to prospective records, this is where we will focus our advice in this article. You can also read more general advice on online access in this MDDUS article.

How do we identify patients who may be unsuitable for online access?

It can be helpful to put in place a policy outlining the process to identify and manage access for key patient groups. First, you could meet as a team to identify and agree groups of patients who may be unsuitable for access.

Consider adding enhanced review codes to the records of those to exclude from auto enrolment until a discussion can take place with the patient. These might include codes relating to domestic violence, safeguarding, vulnerability (adults and children), learning disability, abuse and mental health diagnoses. Encourage the team to also consider any other patients without the relevant codes who would benefit from a review prior to enabling access.

Consider how you will flag the records to highlight the need for discussion with the patient and how you will update the records after discussion – either allowing or blocking access. Different IT systems will have different ways of doing this, so be sure to check this with your clinical system supplier.

Have a plan for patients who wish to revoke access to their online records. Be ready to act on such requests quickly as access can always be reinstated if necessary.

Make sure all colleagues (including new-starts) are aware of the policy and review regularly.

How do we manage third-party requests for access to records?

Patients often find it helpful to grant “proxy access” to their medical records to a third party, for example a trusted family member, friend or carer. The proxy can book appointments, request prescriptions, or view clinical notes on the patient’s behalf. This can be helpful for patients who lack capacity or have complex comorbidities.

The proxy should have their own login. This allows the practice to set varying levels of access depending on need, and to switch off access where necessary.

Parental access

Parents often request proxy access for children, so it’s important to have a specific policy on this. The practice may decide to completely exclude parental proxy access or review the merits on a case-by-case basis. Be sure to consider the child’s age and review proxy access once the child has capacity to provide consent for proxy access. As this is likely to vary, practices may wish to implement restrictions once a patient reaches a certain age and then review ongoing access on a case-by-case basis considering patient consent and their best interests. Read more about parental responsibility.

What staff training should be provided?

Frontline staff will require a greater level of understanding, but all staff should have a general awareness and be able to provide patients with appropriate support and information.

Encourage staff not to use acronyms in records and avoid misspelling as this can create confusion or cause distress. Key messages could be posted on a staff noticeboard.

Consider appointing an online access champion who can act as a ‘go to’ for staff and patients. This will be someone able to lead the team, ensure information is up-to-date, and identify and monitor risks and issues. They may also run engagement sessions with staff and patients.

How do we best communicate with patients?

Give patients information (including how to opt out) and regular updates in a variety of formats and locations, e.g. practice website/social media, posters, newsletters, waiting room screens, patient participation group (PPG) engagement, drop-in sessions etc. Posters in public toilet areas may be helpful for more vulnerable patients.

There are many mobile apps and online services available to provide records access, with the NHS app proving popular so far. One early adopter practice recommends choosing one app and promoting this to patients to avoid confusion.

What other tips and experiences can we learn from?

Reduced admin

One early adopter practice told NHS Digital that the overall process has been positive and less stressful than anticipated. They found it reduced the number of subject access requests (SAR) and other administrative burdens. They noted that patients were empowered and have embraced having access to their own records online.

Avoid auto-file

Incoming correspondence should be reviewed carefully before filing. Avoid ‘auto file’ functions to make sure information that should be redacted isn’t uploaded to the online record. Practices should already be reviewing correspondence for action points, so this should not increase workload.

How much to redact?

Redacting sections of correspondence may lead to concerns from patients, so consider if entire letters, or consultations should be removed from patient/proxy view.

Keep in mind that redacted information and redaction flags will pop up on-screen and may be visible to patients during face-to-face consultations.

Get IT aware

GP clinical IT systems will have different ways of redacting or ‘hiding’ information from online visibility. It is important to ensure you’re fully aware of the functionality of your own system and stay up to date with guidance and resources provided by system providers and NHS Digital.

Get advice

Contact for more detailed advice.

Further guidance

This page was correct at the time of publication. Any guidance is intended as general guidance for members only. If you are a member and need specific advice relating to your own circumstances, please contact one of our advisers.

Related Content

Bleak Practice two

GDPR: Managing subject access requests

Good practice in record keeping for GPs

Save this article

Save this article to a list of favourite articles which members can access in their account.

Save to library

For registration, or any login issues, please visit our login page.