Are you ready for online patient access to medical records?

THE new GP contract in England commits to all patients having online access to their full record by April 2020. The rest of the UK is not far behind. Is your practice ready?

  • Date: 28 February 2020


HEALTHCARE is now catching up with the finance and utilities sectors in offering patients access to their personal information online. In England, this type of access has already been made available to a limited extent after plans announced by the health secretary in 2018. This allowed online access to information in medical records such as current and resolved problems that had been coded, current medications, and for many the ability to book and cancel appointments.

A new contract agreement between NHS England and the GPC (General Practice Committee of the BMA) now commits to all patients in England having online access to their full record, including the ability to add their own information, as the default position from April 2020. Such in-depth access will allow patients to see information such as the notes taken during past consultations, hospital letters and test results.

The rest of the UK is still in the early stages of offering full online patient access but is heading in the same direction.

Allowing this type of access gives patients more control over their health and greater insight into their medical conditions and history. It also allows patients more flexibility with their healthcare. For example, if they choose to go for private treatment or become unwell while on holiday, the medical history will be there at their fingertips to share with the doctor.

Easy access should also take some of the pressure off healthcare staff by reducing the number of medical record queries, such as subject access requests. It also allows patients to see how clinical systems work to a certain extent and how their health information is recorded.

However, there are risks that need to be considered in order to maintain high standards of care. These include ensuring confidentiality and redacting seriously harmful information and third party information, as well as rectifying any factual inaccuracies that may be discovered. Other risks include records being accessed without patient permission, for example through coercion by an abusive partner or family member.

The GMC makes clear in Good Medical Practice that doctors "must make sure any personal information about patients that you hold or control is effectively protected at all times against improper access, disclosure or loss".

Providing patients with login credentials can ensure their records are kept secure but this should include a reminder of the consequences of sharing personal access with anyone else.

Redaction of third party information or seriously harmful data in patient records should be carried out by trained and experienced staff and should always be reviewed by a clinician. Allowing patient access from a certain date going forwards should make this process more manageable, with electronic review of more recent records. For older records it may be more effective to print out and redact as required, before providing these to the patient. All of this will be dependent on the functionality of your patient system.

There are services being offered by external agencies that can vet patient notes and redact third party or seriously harmful information before allowing online access. This may be useful for some practices in terms of efficiency but we would advise practices to consider the risks posed in terms of confidentiality and also accuracy. It is best practice to ensure review by a clinician to check nothing has been missed.

Any issues regarding accuracy or details within records that are believed to be incorrect must also be reviewed by clinicians and rectified as soon as possible. In cases where it is agreed that information is factually inaccurate, such as information entered in error, the record should be amended while ensuring that an audit trail is visible, along with an explanation of why the record has been altered. The patient may require a further explanation of why this is necessary.

Practices may get requests from individuals wishing to access medical records on behalf of another patient and the same guidance will apply as for disclosing medical records to any third party: you must ensure that you have the patient’s consent. In cases where the patient lacks capacity to consent, the individual making the request must be able to demonstrate they hold appropriate legal authority, such as a welfare guardian, or it must be in the patient’s best interests and/or the public interest to make such a disclosure.

Recognising when a patient may be being coerced into providing access to their records can be tricky. The issue of potential coercion should be raised when patients are registering for online access, to give them the opportunity to speak up or cancel the request. Should coercion be suspected then access can be limited and details passed to an appropriate clinician who can assess the individual patient’s situation.

The ICO (Information Commissioner’s Office) reports that since the introduction of GDPR (General Data Protection Regulation) there has been an increase in patients requesting access to personal healthcare information, leading in turn to an increased administrative burden on practices. This burden is expected to decrease as more patients have access to their medical records online – but there are technical challenges.

NHS England and the Royal College of GPs provide extensive guidance on how to begin the process of providing online access to patients, while complying with information governance. The guidance includes case examples of how online access can improve communication between health professionals and patients, and also patient understanding of their health conditions.


  • Make yourself aware of current guidance and the functionality of your patient system.
  • Agree a process within your practice for providing online access to patient records and train staff as appropriate.
  • Verify patient identity before allowing online access to records.
  • Be aware of steps to protect children and vulnerable adults from possible coercion.
  • Redaction procedures must be reviewed by a clinician.
  • Inaccuracies must be reviewed by a clinician and rectified promptly if appropriate.

Kay Louise Grant is a risk adviser at MDDUS

This page was correct at the time of publication. Any guidance is intended as general guidance for members only. If you are a member and need specific advice relating to your own circumstances, please contact one of our advisers.
