Call log

  • Date: 05 December 2019

These cases are based on actual calls made to MDDUS advisers and are published here to highlight common challenges within practice management. Details have been changed to maintain confidentiality.


Q We are a practice based in Scotland and an elderly but otherwise healthy patient has sent in a letter requesting to formally record that if he should stop breathing he does not wish to have CPR. He wants to complete a DNACPR (Do not Attempt CPR) form to go in his medical records. Is this appropriate?

A DNACPR forms reflect a clinical decision, not necessarily a patient’s request. The patient should be advised to complete an advance directive (also called an advance decision in England and Wales). This could be a detailed document setting out the patient’s wishes regarding future treatment, including decisions over the provision of CPR. The patient must have capacity to make such decisions. If an appropriate advance directive is in place then, arguably, a DNACPR form is not required but may be helpful to indicate to other healthcare professionals that the advance directive should be abided by.


Q A patient has asked for copies of her full medical records, and claims that under the new GDPR our practice can no longer charge for this. Does this really mean we have to print out all notes for any patient without covering our costs?

A Under GDPR you are not allowed to charge patients for access to medical records apart from in exceptional circumstances. The regulations stipulate that a reasonable fee can be charged if a request is unfounded or excessive but these circumstances are likely to be rare: for example, a patient who makes repeated requests for the same information. In general, your patient is correct and you cannot charge for disclosures. The ICO offers advice in relation to GDPR.


Q A 19-year-old patient has contacted the practice asking for a correction on her medical records. She applied to join the army but the recruitment office suspended her application upon reviewing her medical records and noting a "two-year history of back pain". The patient claims she presented to the doctor twice in a two month period and the reference to the “two-year history” was after the second consultation. She claims that this is clearly an error and would like to have it corrected. She also requests that the practice forward the amended records to the recruitment office with a covering letter pointing out the error. What would you advise?

A The practice should first investigate the matter in discussion with the consulting GP. The Data Protection Act (DPA) requires that data controllers ensure that the information they hold is accurate, and it also permits data subjects to request amendments to their records. Such requests usually relate to the correction of factual inaccuracies. In cases where both the doctor and patient agree that the recorded information is factually inaccurate, the record can be amended The original information should be able to be viewed and accompanied by an explanation of why there has been an alteration to the record. Should there be disagreement over the accuracy of an entry, the patient is entitled to include a statement in the record to this effect. In this case, it may boil down to a dispute of fact as to the duration of the symptoms and the practice would need to consider the evidence that is available and make a judgment on how to proceed. Be prepared to explain and justify that decision and the action taken, and ensure this is recorded in the notes.


Q The husband of a recently deceased patient has attended the practice requesting access to his wife’s medical records. When asked the purpose and time frame of the disclosure he admitted that he suspected his wife had terminated a pregnancy a number of years ago and he wants to check. He has now provided evidence that he is the executor of his wife’s estate. Should we comply with this request?

A The duty of confidentiality extends beyond a patient’s death and the presumption should be that personal information remains confidential unless there is a good reason for disclosure. The GMC provides guidance on the disclosure of records (Confidentiality) and paragraph 35 describes circumstances when you may disclose relevant information about a patient who has died. Such instances are when required by law or when necessary to meet a statutory duty of candour. In other circumstances, the extent of the personal information disclosed will depend on the facts of the case. A patient may have asked that certain information remains confidential and you should usually abide by those wishes. Otherwise, you should take into account whether disclosing the requested information is likely to cause distress to, or be of benefit to, the patient’s partner or family – and the purpose of the disclosure. A person with right of access to a deceased patient’s records under the Access to Health Records Act 1990 can include a personal representative or executor of the patient’s will – but the Act does not guarantee full unredacted access to the records should there be third-party or potentially harmful information. In this particular case, the practice will need to decide whether providing the husband with details of a previous termination would have been what the patient would have wanted. You should consider the nature and purpose of the request and avoid providing information which may cause serious harm. In this case, there may be an argument that, given the patient has not previously disclosed this sensitive information, she may have wished it to remain confidential after her death. If information is not disclosed, the decision can be challenged in court.


Q The practice has received an anonymous letter claiming that a patient has been selling on their prescription medication. A GP has discussed the matter with the patient who denies the allegation – however the doctor remains suspicious. How should we proceed?

A This is a difficult situation as the claim is hearsay and cannot be substantiated. You should consult GMC guidance on Confidentiality, which states: "Doctors owe a duty of confidentiality to their patients, but they also have a wider duty to protect and promote the health of patients and the public." The guidance goes on to explain that there can be a public interest in disclosing information to protect individuals or society from risks of serious harm. "Such a situation might arise, for example, if a disclosure would be likely to be necessary for the prevention, detection or prosecution of serious crime, especially crimes against the person." The practice should consider trying to seek consent to disclose the concern raised (although this is clearly unlikely to be given). The conversation will, however, prompt a discussion about this issue and may help clarify whether the patient is using the medication appropriately. If the practice considers that a serious crime may have occurred or might occur in the future, there could be a public interest to disclose the minimum information necessary to allow the police to initiate an investigation, The patient should be informed of this intention to disclose, unless doing so would increase risks to any individual or compromise the investigation. If the public interest is not outweighed by the patient’s duty of confidentiality and the information is not disclosed, this should be documented, along with the rationale.


Q Our dental practice asks patients to complete a medical history form at every six-month check-up. At visits in between, our clinicians only ask if there have been any changes in the medical history. One of our dentists feels this is not sufficient and believes important information might be missed. He would prefer patients to fill in a new PMH form at every visit. What is most appropriate?

A MDDUS advises that patients should complete a new medical history every six months, signing and dating it as appropriate. The practice should have a system in place for checking patients attending in between the six month time frame. This should refer to the uploaded form and prompt the dentist or DCP to verify the information and ask about any changes, particularly in medication. Any changes should be noted, the form dated and initialled by the patient and the treating clinician (or by other means on an electronic form).


Q Can you provide some clarification regarding the question of confidentiality when leaving messages on patients’ voicemail? Some partners at our practice leave messages asking a patient to contact the surgery but others will leave no message at all. What is best practice?

A It would be appropriate for your medical/nursing colleagues to use their discretion regarding leaving a message. There may be consent in place to do so, or they may have significant concern for the patient’s health and wellbeing. Leaving a message on a patient’s voicemail in such circumstances could certainly be justifiable. If there is no clinical need to leave a message and doing so might disclose information to someone other than the patient, it is not usually appropriate nor necessary to record such a message.


Q Clinical staff in our practice are using mobile phones to photograph patient wounds in order to assist with ongoing care. These photographs are being emailed and then uploaded to the patient records. Concerns over data protection have been raised by some staff. Where do we stand?

A The GMC provides guidance on Making and using visual and audio recordings of patients which states that any recording made as part of the patient’s care forms part of the medical records and should be treated in the same way as written material in terms of security and disclosure. The patient must agree to this way of monitoring their condition (i.e. informed consent must have been obtained). Confidentiality must also be safeguarded, with digital photographs safely stored and secured. The Information Commissioner’s Office (ICO) provides guidance in regard to the use of personal devices by staff and the practice should consider which types of personal data may be processed by staff on their own mobile phones. A mobile phone issued by the practice for general use would clearly be preferable, and you may find that your LMC has considered the practicalities of this issue. The NHS Information Governance Toolkit advises that data on portable devices should be encrypted and this may not be the case with a personal phone used to record patient images. How the images are relayed to the practice is also important, as using personal email might raise significant concerns with the GMC and the ICO. Any images of patients should be deleted from the portable device as soon as practical. They should also not be inadvertently uploaded to cloud storage and the information processing must meet GDPR requirements. Overall, it is probably more appropriate for a secure and practice-based system of clinical image capture and storage to be used.

This page was correct at the time of publication. Any guidance is intended as general guidance for members only. If you are a member and need specific advice relating to your own circumstances, please contact one of our advisers.

Read more from this issue of Practice Manager

Practice Manager is published twice yearly and distributed to MDDUS practice managers and others with management responsibility in dental and medical surgeries. It features articles on employment law, health and safety, risk as well as profiles of practices across the UK. Browse our current and back issues below.
In this issue

Related Content

Call log

Call log

Call log

Save this article

Save this article to a list of favourite articles which members can access in their account.

Save to library

We are currently carrying out some essential website improvements

We are carrying out some essential website improvements today (Saturday 18th May), scheduled to be completed at 7pm.

During this time you will be unable to get a quote, apply for membership or access the existing membership area to make any changes, report a claim or access any information about your membership.

Our 24 hour claims advice line is available as normal, so please call us on 0333 043 0444.

We are sorry for any inconvenience this may cause and appreciate your understanding.

For registration, or any login issues, please visit our login page.