Patient confidentiality after death

Risk adviser Kay Louise Grant outlines the key confidentiality issues when responding to a request for access to a deceased patient's records

  • Date: 17 December 2020

HEALTHCARE professionals are acutely aware of the importance of patient confidentiality, and that this is a duty that extends even beyond death.

It is not uncommon for clinicians to receive requests from family, close friends with caring responsibilities or third-party representatives for access to a deceased patient’s records. As Covid-19 continues to take its toll, it is likely that such requests will sharply increase from those involved in the care of a patient who died during the pandemic.

Requests for records may be made by grieving loved ones who are seeking to better understand the events surrounding the person’s death, or in relation to a complaint or negligence claim.

Regardless of the reason, it is important to be aware of key patient confidentiality issues before you respond.

The law and GMC

Access to a deceased patient’s records is not covered under the Data Protection Act 2018, but is instead governed by the Access to Health Records Act 1990 and Access to Health Records (Northern Ireland) Order 1993. It is under these regulations that a patient’s personal representative (an individual with legal authority to deal with the estate after death) or any person who may have a claim arising from the patient’s death would have rights of access to relevant information from the records.

Para 137 of GMC guidance on Confidentiality highlights the circumstances "in which you should usually disclose relevant information about a patient who has died", including the following scenarios:

  • when a parent asks for information about the circumstances and causes of a child’s death
  • when someone close to an adult patient asks for information about the circumstances of that patient’s death, and you have no reason to believe the patient would have objected to such a disclosure


You should review the clinical records carefully before any disclosure is made, to allow a thorough check of what part of the record should be made available to the applicant. You must redact any information that was provided by the patient in the expectation that it would not be disclosed beyond their death. You should also redact any information that is likely to cause serious physical or mental harm to any individual, and any third-party information (names and any other identifiable details) other than that relating to treating healthcare professionals.

Where the applicant has requested the records in connection with a claim arising out of the patient’s death, then only records relevant to any such claim may be disclosed.

Electronic records

Some electronic records systems only allow access to the records of living persons. You should have a process in place for removing automatic remote access to a deceased person’s electronic record where indicated. If you are asked by relatives/carers if online access is still available after the patient’s death, first assess whether they have a right of access and then seek advice from your IT support to check whether your clinical system allows it.

As some systems only allow for limited amounts of information to be viewed electronically, you may be asked for further details. The usual security and redaction process should already be in place for electronic records as with hard copy records. For further guidance, read our previous risk alert on electronic records here.

Covid-19 effect

For someone who died during the pandemic, it is possible that relatives or carers will seek to find out whether the death was preventable.

If there is no specific legal right granting an individual access to a patient’s records, you may still choose to meet/speak with the bereaved family/friend to answer any questions they may have relating to the person’s care and address any concerns, providing that you have no reason to believe that the patient would have objected to such disclosure.

Adopting an empathetic approach may also result in any potential complaint being resolved earlier and more effectively.

Action points

  • Follow the steps provided within the Access to Health Records Act 1990 and Access to Health Records (Northern Ireland) Order 1993.
  • Familiarise yourself with the relevant GMC guidance.
  • Before disclosing, be sure to undertake any appropriate redactions in line with our advice above.

This page was correct at the time of publication. Any guidance is intended as general guidance for members only. If you are a member and need specific advice relating to your own circumstances, please contact one of our advisers.

Read more from this issue of Insight Primary

Insight Primary is published quarterly and distributed to MDDUS members throughout the UK who work in primary care. It provides a mix of articles on risk, medico-legal and regulatory matters as well as general features and profiles of interest to our members.
In this issue

Related Content



Bleak Practice four

160470056 - Confidential.jpg

Confidentiality in practice - GP workshop

Save this article

Save this article to a list of favourite articles which members can access in their account.

Save to library

For registration, or any login issues, please visit our login page.