Patient records: legal issues to avoid

Patient records: legal issues to avoid

Simon Kidd, discusses the dentolegal issues involved in retaining and accessing patient records during your dental career – and after retirement.

Patient records should only be accessed on a need-to-know basis, with a legitimate and lawful reason for doing so and not for any personal reasons. Indeed, there have been instances where healthcare providers have been fined by the Information Commissioner’s Office (ICO) because of employees accessing personal data out of a personal, not business, interest. 

Accessing patient records 

All patient records held by a dental practice are under the control of the appointed data controller, who should be registered with the ICO. 

The data controller is responsible for limiting the number of people who will have permission to access records to those with a legitimate reason, as per GDPR and the individual practice’s privacy policy. 

This will include a lawful reason for holding and processing a patient’s personal data that is not based on the consent of the data subject, but legal and contractual obligations. An example of this is a statutory requirement in the NHS regulations to make clinical records and retain them for a specified period. 

Generally, the only people who should access a patient’s records are those directly involved in that patient’s current care. The patient, or their representative, should give their consent if any additional individuals or third parties, such as the police or solicitors, request their records. 

Indeed, principle 4 of the General Dental Council’s (GDC) Standards for the Dental Team focuses on maintaining and protecting patients’ information and principle 4.2.5 specifically states that: ‘You must explain to patients the circumstances in which you may need to share information with others involved in their healthcare. This includes making sure that they understand: 

  • What information you will be releasing 
  • Why you will be releasing it 
  • The likely consequences of you releasing the information.’ 

However, the GDC, in principle 4.3.1, also recognises that there are sometimes ‘exceptional circumstances, [in which] you may be justified in releasing confidential patient information without their consent if doing so is in the best interests of the public or the patient.’ 

Accessing patient records following retirement 

Unfortunately, you can still face a complaint or claim from a patient, post-retirement, about any treatment you provided. If you were not the practice owner, approach the current practice owner to request copies of the records. 

If you are a practice owner and you are planning to sell your practice, ensure the contract of sale includes a requirement for the purchaser/successor to keep your clinical records safe and confidential, and to give you reasonable access in case a complaint or claim arises. Consequently, if you need access to a patient’s records to respond to a complaint or claim, you should approach the current data controller, setting out your legitimate reason for wanting copies. 

If you are planning to close your practice when you retire, contact your defence organisation for advice about your obligations as data controller so you can ensure you make appropriate arrangements to store all clinical records safely and securely. 

To learn more about this and other dentolegal topics visit the DDU’s website

Get the most out of your membership by subscribing to Dentistry CPD
  • Access 600+ hours of verified CPD courses
  • Includes all GDC recommended topics
  • Powerful CPD tracking tools included
Register for webinar
Add to calendar