Access To Health Records Policy

Transcription

1 HYWEL DDA LOCAL HEALTH BOARD Access To Health Records Policy Policy Number: 249 Supersedes: All former access to health records policies Standards For Healthcare Services No/s 3.5 Version No: Date Of Review: Reviewer Name: Completed Action: Approved by: Date Approved: New Review Date: 1.0 IGC Dec 11 Dec March 2015 Steven Bennett Reviewed BP&PAC Brief Summary of Document: This policy sets out the guidelines to ensure compliance with the relevant legislation and to provide appropriate and timely access for patients and their representatives when accessing personal health records. To be read in conjunction with: Health Records Management Strategy 192 Health Records Management Policy Retention and Destruction Policy Data Protection Act 1998 Access to Health Records Act 1990 Classification: Corporate Category: Policy Freedom Of Information Status Open Authorised by: Phil Kloer Job Title Medical Director & Director of Clinical Strategy Signature: A signed copy of this document is stored with corporate services

2 Responsible Officer/Author: Contact Details: Steven Bennett Job Title: Health Records Manager Dept Health Records Base Prince Philip Hospital Tel No Scope ORGANISATION WIDE DIRECTORATE DEPARTMENT ONLY COUNTY ONLY Staff Group Administrative/ Estates Medical & Dental Nursing Allied Health Professionals Ancillary Maintenance Scientific & Professional Other CONSULTATION Please indicate the name of the individual(s)/group(s) or committee(s) involved in the consultation process and state date agreement obtained. Individual(s) Group(s) Committee(s) Health Records Committee IGSC Date(s) Date(s) Date(s) 2016 RATIFYING AUTHORITY (in accordance with the Schedule of Delegation) A = Approval Required KEY Date Approval Obtained NAME OF COMMITTEE FR = Final Ratification BP&PAC A COMMENTS/ POINTS TO NOTE Date Equality Impact Assessment Undertaken 10/01/2012 Group completing Equality impact assessment Steven Bennett Jackie Hooper Please enter any keywords to be used in the policy search system to enable staff to locate this policy Records Access Database No: 249 Page 2 of 44 Version 2.0

3 Document Implementation Plan How Will This Policy Be Implemented? Via Health Records Committee, Team Brief, Policies and procedures Web page, via all policy review and ratification groups. Who Should Use The Document? What (if any) Training/Financial Implications are Associated with this document? What are the Action Plan/Timescales for implementing this policy? All staff who utilise patient records Action By Whom By When Send to Health Records Committee for approval Sent to Information Governance Committee for approval After approval policy to be made active on intranet/internet Steven Bennett Steven Bennett Corporate Governance Team 15 th June 2015 Database No: 249 Page 3 of 44 Version 2.0

4 CONTENTS 1. INTRODUCTION POLICY STATEMENT SCOPE OF POLICY AIM OBJECTIVES RESPONSIBILITIES CHIEF EXECUTIVE & HYWEL DDA UNIVERSITY HEALTH BOARD THE CALDICOTT GUARDIAN SENIOR MANAGERS AND SERVICE MANAGERS DEPUTY CHIEF EXECUTIVE & DIRECTOR OF OPERATIONS HEALTH RECORDS MANAGER INFORMATION GOVERNANCE MANAGER CLINICIANS RELEVANT CLINICIANS ACCESS TO HEALTH RECORDS CLERKS EMPLOYEES INFORMATION GOVERNANCE COMMITTEE HEALTH RECORDS COMMITTEE LEGAL SERVICES RIGHTS OF ACCESS RIGHTS - WHERE PATIENT IS ALIVE RIGHTS - WHERE PATIENT IS DECEASED TYPES OF REQUESTER THE PATIENT A PERSON ACTING ON THE PATIENT S BEHALF A PERSON WITH PARENTAL RESPONSIBILITY FOR A CHILD INDIVIDUALS OTHER THAN PARENTS WITH PARENTAL RESPONSIBILITY RIGHTS OF CHILDREN RIGHTS OF ADOLESCENTS A PATIENT LIVING ABROAD IN-PATIENTS, OUTPATIENTS, DAY CASE & OTHER ATTENDANCES ACCESS REQUESTS BY OTHER ORGANISATIONS (SOLICITOR, POLICE, COURT ORDER, PENSIONS AND BENEFITS OFFICE, CORONER, COUNCILS, SOCIAL SERVICES, GOVERNMENT AGENCIES, RESEARCH ORGANISATIONS) APPLICATIONS TO ACCESS PERSONAL HEALTH RECORDS FORMAL APPLICATIONS GENERAL PRINCIPLES EXCEPTIONS TO ACCESS RIGHTS CHARGES TIME LIMITS SENDING AND PROVIDING COPIES OF RECORDS SENDING ORIGINAL RECORDS DISPROPORTIONATE EFFORT APPLICATIONS TO ACCESS PERSONAL HEALTH RECORDS INFORMAL APPLICATIONS APPLICATIONS TO ACCESS PERSONAL HEALTH RECORDS DECEASED PATIENTS ACCESS TO CCTV, AUDIO & DIGITAL IMAGES MAINTAINING CONFIDENTIALITY RESPONSIBILITY FOR PROCESSING ACCESS REQUESTS...18 Database No: 249 Page 4 of 44 Version 2.0

5 15. MISTAKES & INACCURACIES COMPLAINTS TRAINING MONITORING & COMPLIANCE IMPLEMENTATION DEFINITIONS AND ACRONYMS REFERENCES & GUIDANCE REVIEW APPENDIX A DISCLOSURE OF PERSONAL INFORMATION TO A THIRD PARTY WHERE THE PATIENT LACKS... CAPACITY TO CONSENT APPENDIX B CONSULTANT AUTHORISATION FORM APPENDIX C GUIDANCE FOR INFORMAL ACCESS TO HEALTH RECORDS APPENDIX D GUIDANCE FOR FORMAL ACCESS PATIENT REQUESTING ACCESS TO THEIR OWN...HEALTH RECORD APPENDIX E REQUESTS FROM SOLICITORS APPENDIX F INSURANCE REQUESTS APPENDIX G RESPONSE TO CRIMINAL INJURIES COMPENSATION AUTHORITY (CICA) APPENDIX H APPLICATION FOR ACCESS TO MEDICAL RECORDS APPENDIX I ACCESS TO HEALTH RECORDS PROCESS SHEET APPENDIX J INFORMATION SHEET APPENDIX K ACCES TO HEALTH RECORDS FEES APPENDIX L GUIDANCE FOR ALLEGED INACCURACIES IN THE HEALTH RECORD APPENDIX M ADVERSE PATIENT OUTCOME APPENDIX N EXEMPTIONS APPENDIX O HEALTH PROFESSIONALS APPENDIX P CHECKLIST FOR DISCLOSURE OF PERSONAL INFORMATION TO THE POLICE APPENDIX Q POLICE SECTION 29 FORM APPENDIX R POLICE MEDICAL CONSENT FORM...44 Database No: 249 Page 5 of 44 Version 2.0

6 1. INTRODUCTION This policy sets out the for Hywel Dda University Health Board (HDUHB). The policy clearly explains what Hywel Dda University Health Board will do to meet their legal obligations under the subject access provisions of the Data Protection Act 1998 and Access to Health Records Act Patients have statutory rights of access to their personal health records, subject to certain safeguards. These procedural guidelines are in place to ensure compliance with the relevant legislation, NHS guidance and to provide appropriate and timely access for patients and their authorised representatives to all types of personal health records held by the Health Board. It is essential that staff understand the requirements of these Acts, and their individual roles in ensuring that the Health Board complies with legal obligations. 2. POLICY STATEMENT Statutory rights of access for the patient or the patient's representative derive from the general 'subject access' provisions of the Data Protection Act 1998, as modified by the Data Protection (Subject Access Modification) (Health) Order 2000 and other regulations (e.g. relating to charging for patient access). The Data Protection Act 1998 covers all personal information whether held on paper or on computer. All organisations holding personal information are required to comply with this legislation. Within the Data Protection Act 1998, a health record is defined as, a record consisting of information about the physical or mental health or condition of an identifiable individual made by or on behalf of a health professional in connection with the care of that individual. A health record can be computerised (electronic) and/or manual (case notes). They may include such documentation as hand-written clinical notes, letters to and from other health professionals, laboratory reports, x-rays (these are now mostly stored electronically using PACS (Picture Archiving and Communication System) and other imaging records, printouts, photographs, DVD and sound recordings. The legislation recognises that health records contain sensitive information and disclosure is subject to certain safeguards, including obtaining the approval of the relevant health professional, utilising the agreed method of authorisation. The right of access is for the patient or someone who is their authorised representative. There is no automatic right of access for relatives, carers or other parties to a patient's actual records or to information contained in the records. Details of who is legally entitled to have access is provided in sections 7 and 8 of this policy. In the event of the patient not having mental capacity then the treating Clinician may seek further advice regarding release of any information. Such decisions should always be made in the best interest of the patient and further guidance is available in Appendix A of this Policy. 3. SCOPE OF POLICY This policy has been written as guidance for Hywel Dda University Health Board in dealing with formal and informal applications to access personal health records under the provision of the Data Protection Act Staff working for the Health Board must make every effort to comply with this policy and it applies to all permanent, temporary or contracted staff employed by Hywel Dda University Health Board (including Executive and Non Executive Directors). 4. AIM The policy will provide a framework within the Health Board that will ensure compliance with the requirements of the Data Protection Act and will underpin any operational procedures and activities connected with the implementation of the Act. The policy will assist all staff to respond to requests under the Act and ensure compliance with legal timeframes. Database No: 249 Page 6 of 44 Version 2.0

7 5. OBJECTIVES The objectives of the policy is to provide all Health Board staff with detailed and clear guidance for the standards required on a daily basis when dealing with both formal and informal requests for access to patient information. The policy and associated procedures will provide robust assurance that all access requests are dealt with in a standardised manner, in accordance with legal requirements and are designed to reflect best practice. The policy will support compliance with the legal time limits and exemptions associated with all access for health records requests. 6. RESPONSIBILITIES 6.1. Chief Executive & Hywel Dda University Health Board The Chief Executive and Hywel Dda University Health Board have a duty to ensure that the requirements of the Data Protection Act 1998 are upheld and the Chief Executive has overall responsibility for implementation of this policy The Caldicott Guardian The Caldicott Guardian is responsible for the strategic management of confidentiality within the organisation and for providing advice on confidentiality issues. The Caldicott Guardian, as guardian of patient data, must approve each new or changed agreement to share personal data with bodies such as acute hospitals, social services, police, prisons and private health care Senior Managers and Service Managers All senior managers and service managers have a responsibility for ensuring that this policy is known to all staff, e.g. discussed at staff meetings and that its requirements are followed by all staff within their directorate/service/division/department Deputy Chief Executive & Director of Operations The Deputy Chief Executive & Director of Operations has delegated responsibility for ensuring that this policy is distributed to and understood by all staff and that the requirements are followed by all staff within the Health Board, Counties, Localities, Services and Directorates Health Records Manager The Health Records Manager has delegated responsibility for ensuring that this policy is distributed to all Health Records staff and provides evidence that the policy has been cascaded to every member of staff within the Health Records Service. The Health Records Manager is responsible for ensuring that the policy is fully implemented, all staff fully understand the policy and that the requirements are followed explicitly. The Health Records Manager must ensure staff have the relevant knowledge and skills to adhere to the requirements and provide specific training when gaps are identified. The Health Records Manager, will provide specialised advice and assistance for any contentious or complicated request and monitor compliance levels with legal timescales Information Governance Manager The Information Governance Manager will provide specialised advice and assistance for any contentious or complicated requests, as and when required Clinicians All clinicians are responsible for ensuring that they are fully aware of this policy and that the patient records they utilise on a daily basis are maintained to the highest standards possible and that the Database No: 249 Page 7 of 44 Version 2.0

8 content is legible, accurate, comprehensive and understandable. They must maintain an awareness of confidentiality and record keeping standards including patients rights of access to their health records, and implications that this has on current record keeping practices Relevant Clinicians The relevant clinician is responsible for authorising the disclosure and release of information utilising the standard consultant authorisation form identified in Appendix B of the policy. The relevant clinician is normally the individual clinician who is responsible or was responsible for the clinical care of the patient during the period to which the application refers. In the case of deceased patient s records, when there is no current clinician involved or when a request is made for copies of all the patient record, then this should ideally be the last consultant that was involved in the care of the patient. Where this is not possible other arrangements must be made to ensure that an appropriate clinician is able to undertake this role and this process may require the approval of the Caldicott Guardian. Clinicians have a responsibility to: Assess where release of information from any part of the health record, if disclosed, is likely to cause serious harm to the physical or mental health of the patient, data subject or a third party. Check if any part of the record discloses information relating to another individual or information provided by a third party, who can be identified from the entry (unless that person has consented to disclosure or is a health professional involved in the care of the patient). Where information has been provided by the patient in the expectation that it would not be shared or disclosed to the applicant. Where the record would disclose that an individual had been born of the consequence of treatment of the Human Fertilisation & Embryology Act 1990 or completed a change in Gender. Assess the capacity of the patient to consent to the disclosure of their health records to that third party. Check whether the patient has at any time indicated a wish not to give access to all or part of their record. To authorise and sign off the record as being fit to provide to the requester Access to Health Records Clerks The access to health records clerks are responsible for ensuring they have reviewed and fully understood this policy and they follow the requirements explicitly. They are responsible for processing all requests in conjunction with the Data Protection Act. Staff must ensure they review each request in detail, reading all the enclosed documentation and follow the agreed process, to only release the information that has been requested and consented to and providing the requesters with the relevant information within the legal timescales Employees All employees whether permanent, temporary or contracted should be aware of this policy and adhere to the principles set out within it. Staff should be aware how to access this policy Information Governance Committee The Information Governance Committee has the responsibility to approve this policy and forward to the relevant committees/boards for information, as well as monitoring compliance with this policy and the Data Protection Act. Database No: 249 Page 8 of 44 Version 2.0

9 6.12. Health Records Committee The Health Records Committee has the responsibility for reviewing this policy and ensuring there is effective implementation and distribution across the necessary staff groups within the Health Board. The Health Records Committee is also responsible for monitoring and regularly reviewing compliance levels associated with subject access requests and the Data Protection Act, through the agreed reporting methods Legal Services The Legal Services Team will support the Health Records service and staff with any contentious requests for release of patient information that could either cause harm or distress or result in potential litigation against the Health Board. Legal Services will act as the designated link between the Health Records service and the Health Board s solicitors. This process will ensure detailed and expert advice is received as and when required 7. RIGHTS OF ACCESS The Data Protection Act 1998 gives individuals the right to access health information held by the Health Board about them. Patients who wish to see what is written about them in their individual health record have a legal right to do so, subject to given exemptions and unless there are compelling reasons to the contrary. An individual does not have the right to access information about someone else, unless they are an authorised representative, have parental responsibility or are acting on behalf of the deceased. The Health Board is not required to respond to requests for accessing health records, unless it is provided with sufficient details to enable the location of information and to satisfy itself as to the identity of the individual making the request. Applicants also have the right to an explanation of any terms in the records that they do not understand, e.g. technical language or terminology, the right to ask for corrections to be made to inaccurate personal information in the record and to request a copy of the corrections. Individuals are entitled to apply for access to their total health record as it stands at the time the request was received. However, the information provided may take account of any amendment or deletion that was made to the record in the period between the request having been received and dealt with. If a patient feels information on their health record is incorrect then they may firstly make an informal approach to the health professional responsible for their records to have the records amended. If this is unsuccessful, then they make a formal complaint, following the normal complaints process RIGHTS - WHERE PATIENT IS ALIVE The patient (aged 16 or over) A person with parental responsibility for a child patient under 16 years old where the child has EITHER consented to the application OR is incapable of understanding the nature of the application. A person authorised in writing by the patient to make the application. A person appointed by the Courts to manage the affairs of a patient, documentary proof must be given. Where a patient is unable to authorise the release of their records due to a lack of mental capacity then a person who has been legally appointed to act on behalf of the patient has the right to apply for access to the health record. Where a request is received from a legally appointed representative, they should be asked to produce evidence that they hold a lasting power of attorney which allows the person to make decisions regarding finances, property and welfare. A legal power of attorney must be registered with the Office of the Public Guardian. An Independent Mental Capacity Advocate (IMCA) is a statutory form of advocacy that provides safeguards for people without representation form friends and family who lack Database No: 249 Page 9 of 44 Version 2.0

10 capacity to make decisions about situations including: Serious medical treatment or moving into or between care settings (including hospital). An IMCA is entitled under the Mental Capacity Act (2005) to ask for access to the person s medical and health records, and to take copies from these RIGHTS - WHERE PATIENT IS DECEASED The personal representative of a deceased patient documented evidence will be required (This means a person who has been appointed to act as an executor or administrator of the patient's estate. Evidence of appointment can be by producing the Grant of Probate or Letters of Administration issued by the Probate Registry), copy of Power of Attorney Documentation. A person who may have a claim arising from the patient's death. You will be asked to provide a reason for requesting this information. 8. TYPES OF REQUESTER 8.1. The patient Patients or ex-patients do not need to give a reason for applying to request their health records, but they do need to give sufficient information to enable the records to be located A person acting on the Patient s Behalf A person acting on the patient s behalf (e.g. a relative, a carer, a solicitor) may apply for a copy of the patient s records however they must have obtained informed, explicit and written consent from the patient, have lasting Power of Attorney or be an Independent Mental Capacity Advocate (IMCA). Such a request should be dealt with in exactly the same way as a request from a patient. The applicant should be given access only to the information and explanation that would otherwise have been made available to the patient, subject to the exemptions. If there is any doubt as to whether the patient has mental capacity to give consent, the record holder must refer to the Mental Capacity Act The mental capacity assessment and outcome must be recorded as per Appendix A of this policy. If the patient is assessed as lacking mental capacity to give consent, the record holder and the Caldicott Guardian must then jointly consider that: Releasing the information would be lawful if I doubt, legal advice should be sought. The applicant is acting in the best interests of the patient If a decision is taken to release the information, then: The reasons leading to the decision must be recorded. Only enough information should be released for the purpose 8.3. A person with Parental Responsibility for a Child A person with parental responsibility has the right to request a copy of a child s health records, although it must be remembered that disclosure may be refused if the child is deemed competent and understanding of the nature of the application and thus refuses to give consent, taking into account Gillick Competences. Parental responsibility for a child is defined in the Children Act 1989 and amended in the Adoption and Children Act 2002, as all the rights, duties, powers, responsibilities and authority which by law a parent of a child has in relation to the child and his property. Married parents have parental responsibility, unless a Court Order has removed that status from any party. A separated or divorced parent who no longer lives with the child has parental responsibility unless a Court has removed that status from either party. An unmarried father does not have parental responsibility, unless he acquires it by: Database No: 249 Page 10 of 44 Version 2.0

11 Registering the birth, along with the mother, as the child s father (for children born after December 2003). Formal agreement with the mother (Section 4 of the Children Act 1989) agreement can then only be brought to an end by a Court. Marrying the mother. Obtaining a court order. Obtaining a residence order Individuals Other than Parents with Parental Responsibility Individuals other than parents can acquire parental responsibility by: Adoption Order this confers full parental responsibility upon adoptive parents and that formerly held by their birth parents is extinguished. Appointment of a Guardian (after a parents death) this gives guardians all the parental responsibility that the parent would have had. Residence Order parental responsibility is shared with the parent and is subject to the limitation that the person with the order cannot withhold consent to adoption or appoint a guardian (limitation may not be relevant for the policy). Parental Order full and permanent responsibility is conveyed to a married couple of a child born in surrogacy, where at least one member of the couple is the genetic parent. Parental Responsibility is also acquired by local Authorities and is shared with the parents, using the following orders: Emergency Protection Order. Interim Care Order. Full Care Order Rights of Children The Gillick competences is a term used in medical law to describe when a minor, despite a young age, has reached the necessary maturity and intelligence to understand and consent to his or her own medical treatment. Originally developed to make professional judgements about providing contraceptive advice and/or treatment and are used by professionals to help them frame a judgement about whether a child is competent. If a doctor (or health professional) has judged a child to be competent according to the Gillick competences, then the health records of that child must not be disclosed to the child s parents, unless the child has clearly given consent. Young people are owed the same duties of care and confidentiality as adults and confidentiality may only be broken when the health, safety or welfare of the young person or others would otherwise be at grave risk. Where, in the view of the doctor (or appropriate health professionals), the child is not deemed to comply with the Gillick competences, the record holder is still entitled to deny the parents access to the child s health records if it is judged not to be in the child s best interest. Any reason for denying parental access to part or all of a child s health records must be recorded. The professional involved in making this judgement should seek legal advice if necessary Rights of Adolescents The law regard young people aged to be adults for the purposes of consent to treatment and right to confidentiality. If they are judged competent to make a decision about their own medical treatment, then they have the right to deny parental access to their health records. However, good practice dictates that, as with children, they should be encouraged, but not required, to involve parents or other legal guardians in any treatment or consent. Any reasons for denying parental access to part or all of a young person s health records must be recorded. The professional involved in making this judgement should seek legal advice if necessary. Database No: 249 Page 11 of 44 Version 2.0

12 8.7. A patient living abroad When a patient moves abroad, their health record will be retained by the Health Board for the recommended period specified in the Retention and Destruction of Records Policy, before the record holder will decide whether to retain them for a longer period or destroy them. Patients who move outside the UK are not permitted to take their health records with them, however they are entitled to request a copy of their records and then take a copy abroad with them. The record holder should provide the patient with a summary of the patient s treatment to take to their new healthcare professional In-patients, outpatients, day case & other attendances If any patient currently admitted or attending one of the Health Board s hospitals for a course of treatment or consultation, requests informal access to their records and records of previous episodes of care, they have a right to do so. The patient does not have to give a reason why they are making a request and they do not need to make a formal application. Nothing in the law prevents healthcare professionals from informally showing a patient their records. Providing the current clinician or last treating clinician has determined that the information can be accessed, the patient can view the records providing a member of the medical team, nursing team or Senior Manager is present. Full guidance for informal requests is provided in Appendix C of this policy Access requests by other organisations (Solicitor, Police, Court Order, Pensions and Benefits Office, Coroner, Councils, Social Services, Government Agencies, Research organisations) Various organisations and agencies are likely to demand access to patient s health records at different times. In almost all cases, staff must not share any information that is not directly related to the healthcare of the patient, unless they have consent from the patient. Examples of requests from other agencies are listed below: Solicitors Solicitors may apply to see their client s health record, but informed, explicit and signed consent must have been obtained from the patient, along with proof of the client s identity, before a copy of the record is released. The solicitor should be given access only to the information and explanation that would otherwise have been made available to the patient, subject to the restrictions stated in Appendix E of this policy Court Orders, Coroners, County Councils & Social Services A Court may order disclosure of a patient s health record (e.g. under the Civil Procedure Rules, the Data Protection Act 1998). A Court may also order release of children s records via the local County Councils or Social Services, for reasons such as custody cases or child protection. Unlike a request from a solicitor, a Court Order should be obeyed unless there is a robust justification to challenge it, in which case the Health Board may challenge the order through the Court. The Court s decision is law, unless the Health Board decides to appeal the order and take the case to a higher Court in an attempt to override the Court s decision. Records may also be requested directly by the Coroner. Courts and Coroners are entitled to request original records. If they do, copies of the records must be retained by the Health Board. Coroners normally give sufficient notice for copies to be made, but have the power to seize records at short notice, which may leave little or no time to take copies. Database No: 249 Page 12 of 44 Version 2.0

13 Pensions and Benefits Office Section 29 of the Data Protection Act 1998 allows (but does not require) personal data to be disclosed to assist in the assessment or collection of any tax or duty. Any request by the Department of Works and Pensions for access to a patient s health record must be accompanied by the relevant form. These access requests are generally sent directly to the Consultant involved in order to send copies of reports or for a synopsis regarding the patients care, illness or treatment Government Departments, Agencies & Insurance companies The arrangements for complying with requests from Government Departments or Agencies are laid down in a Welsh Health Circular and identified in the reference section of this policy. It is the responsibility of the department or agency requesting the information from a patient s personal health record to obtain the prior consent of the patient and no charge can be made for providing the information. Patients will often request that dates are provided for inpatient or outpatient attendances for insurance purposes. The individual making the request will be responsible for providing clear written consent for the release of this information and a fee is chargeable Police Police do not have an automatic right of access to patient information. Requests from the police (or the NHS Counter Fraud Service) would normally be refused, however Section 29 of the Data Protection Act 1998 allows personal data to be disclosed, in the public s interest to assist in the prevention or detection of crime and the apprehension or prosecution of offenders. The patient should be asked (if possible) for their informed, explicit and signed consent to disclose the information, unless this would prejudice the enquiry or court case. Any request by the Police for access to a patient s health record must be made in writing using the appropriate request form (Section 29 Form) identified in Appendix Q of the policy. The form should be fully completed by the requesting police officer and signed by a Senior Officer within the requesting police force. For any victims of crime where the policy require access to the patient information the police will use a medical consent form as identified in Appendix R of this policy. All staff should follow the minimum requirements and appropriate checklist as outlined in Appendix P. The Crime and Disorder Act 1998 also allows the Health Board to disclose information to the police, local authority, probation service or health authority for the purposes of preventing crime and disorder. For the Health Board to consider releasing any information without consent, the access request must relate to a serious crime in line with the Crime and Disorder Act 1998 (e.g. murder, rape, etc), otherwise the Police should be asked to obtain a Court Order or written approved signed consent. There are also other Acts which may require the Health Board to release information without consent and they include: Prevention of Terrorism Act (1989) and Terrorism Act (2000), if you have gained information (including personal information) about terrorist activity you must inform the police. It is a statutory duty to do so. The Road Traffic Act (1988), you have a statutory duty to inform the Police, when asked, of the name and address of any driver who is allegedly guilty of an offence under the Act; it is not necessary to disclose clinical information. The Police and Criminal Evidence Act (1984), you can pass on any information to the Police, as the Act creates a power to do so (not a duty) if you believe that someone may be seriously harmed or death may occur if the Police are not informed. Serious offences include murder, rape, kidnapping (and all attempts to commit such offences) and causing death by dangerous driving. Database No: 249 Page 13 of 44 Version 2.0

14 All such requests from the Police for release of information without consent should be in writing and forwarded immediately to the Health Board s Caldicott Guardian Research Organisations Although research is considered an important factor in the improving of healthcare, the Information Commissioner does not consider it an essential element in the provision of healthcare. If personal identifiable or pseudonymised information is required informed, explicit and signed consent must be obtained. Patients and service users are generally aware and supportive of research, but it is not reasonable to assume that they are aware of or likely to consent to each and every research subject or proposal. If it is sufficient for the purposes of the research to make data anonymous, consent is not required, but patients should be informed by posters and/or leaflets how their information may be shared Safeguarding Adults Documentation relating to adult protection referrals must not kept in the health record, but stored in accordance with the guidance in the Health Board Interim Safeguarding Vulnerable Adults Policy. However, existing documentation in the health record may note that an adult protection referral has been made. The clinician must assess if it is appropriate to provide a copy of a record where this is noted. Advice may be sought from the Head of Safeguarding Adults. Requests to share information related to an adult protection referral may be made by the Police and/ or Local Authority Adult Safeguarding Team. It is not acceptable to provide the Police or Local Authority with copies of the patient s health record other than for the Police, as noted in Section or on behalf of the Coroner as noted in Section Armed Forces and Prison Service There may be occasions when the Health Board receives requests for access to patient health records from individuals serving within the armed forces or currently retained within the prison service. All such requests should be treated in the exact same manner as per any individual request received within the organisation and all agreed processes should be followed accordingly. Potentially there may also be very rare occasions when the Armed Forces or Prison Service themselves request the release of information in regards certain individuals. In these circumstances it is essential that no information is released in any instance until the requester has provided documented evidence that they have obtained informed, explicit and written consent from the patient for the release of information. There may however be circumstances associated with the prevention or detection of crime and the apprehension or prosecution of offenders. In this instance it may be required to release information without consent and the access request must relate to a serious crime in line with the Crime and Disorder Act 1998 (e.g. murder, rape, etc). All such requests for release of information without consent should be in writing and forwarded immediately to the Health Board s Caldicott Guardian Telephone requests If a telephone request is received from an individual requiring access to information, a full explanation of the process should be provided and the individual s details recorded, so the relevant application form and information can be forwarded accordingly. 9. APPLICATIONS TO ACCESS PERSONAL HEALTH RECORDS FORMAL APPLICATIONS 9.1. General principles In general the Data Protection Act allows any person to apply to access information held about them. The person is entitled to know what information is being held, how it is being held and for what Database No: 249 Page 14 of 44 Version 2.0

15 purpose it is being held. This applies to all information held, irrespective of when it was created. A request for access under the Act must be made in writing the applicant is under no obligation to provide a reason for submitting the application. The appropriate fees apply and are identified in Appendix K of this policy. The fees should accompany the application form and also appropriate proof of identification form when sent to the individual making the request. The applicant may be either the subject of the information held or someone acting on their behalf. Where another person is making the application, the consent of the subject is necessary if the information is required. Where there is any doubt about whether consent can be provided, i.e. where the subject is unable to provide consent, for example if the person is a child or lacks capacity to consent, every consideration should be given to any disclosure being in the person s best interest. Any information that is held by the Health Board in relation to a patient s care that has been created by the Health Board is considered as first party information in relation to such requests. Any contributory information from another source, i.e. outside of the Health Board, is considered third party information. It remains the responsibility of the clinician in charge of the patient s care to decide if disclosure is appropriate in the first instance. Where the patient is no longer a patient of the Health Board the responsibility remains with either the last clinician in charge of the patients care or the most suitable health professional within the service that the patient last attended to decide if disclosure is appropriate. If there are any contentious issues then advice may be sought from the Caldicott Guardian Exceptions to access rights There are a number of exceptions to the provision of information, namely where: The fee has not been supplied; The information is held purely for research or historical reasons; Disclosing the information could reveal information that identifies a third person, unless that person has consented to the request and when that person is not a health professional; Permitting access would be likely to cause serious harm to the physical or mental health or condition of the patient or any other person (which may include a health professional) The request is made on behalf of a person other than the patient, such as a parent of a child, and the information held was provided in the expectation, or on indication, that it would not be disclosed to the applicant. For further details on the full list of exemptions please see Appendix N Charges The Data Protection Act states that all associated fees should be paid in full and in advance of any information being provided to the requester, but in the interests of providing a helpful service to patients, NHS organisations may request the fee at the release stage of the access request. The Data Protection (Subject Access) (Fees and Miscellaneous Provisions) Regulations 2000 sets out the fees a patient may be charged to view their records or provided with a copy of them. The fees to provide information to the individual are summarised below: To view your individual Health Records (electronic or paper) - 10 To provide copies of Health Records held in part on computer and part in another media (paper, x-ray film) - 50 Health records held totally on other media - 50 Database No: 249 Page 15 of 44 Version 2.0

16 The Health Board retains the right not to charge for copies should it choose not to do so. All these maximum charges include postage and packaging costs. These are maximum costs and any charges for access requests should not be sought to make a financial gain. For a full and detailed description of the costs associated with access request please see Appendix K Time Limits For living individuals the Data Protection Act 1998 superseded the Access to Health Records Act 1990 which requires requests to be completed within 40 days. Best practice suggests that for individual patient requests or individuals acting on behalf of the patient (not solicitors) the 21 day response time contained within the Access to Health Records Act 1990 should be retained and achieved by NHS organisations. Hywel Dda University Health Board will endeavour to comply with the 21 days time limit, but fully recognises that both staff and departments by law have 40 days to respond. If the Health Board cannot provide the requested information within the agreed timescales, the applicant must be advised at the earliest possible opportunity and informed of the reason why the time limits cannot be complied with. Failure to comply gives the applicant the right of action in the County Court or High Court. It is therefore essential that all applications be processed as a matter of priority, thereby minimising risk to the organisation. All services dealing with access requests will retain a centralised database recording all request details and implement monitoring arrangements to ensure compliance with the above time frames Sending and Providing Copies of Records If the patient, relative or representative has arranged to review the records within a Health Board locality all copy records should: Be provided to the individual in a sealed envelope. If there is a requirement to send copy records externally staff must ensure: The information is sent to the individual within a sealed envelope. Is clearly marked and addressed for the attention of a named person/individual. Is clearly marked as Private & Confidential. To be opened by the addressee only. Sent via special mail/recorded delivery only. Copies should not be sent via electronic methods such as fax or , unless staff are utilising a suitably secure means of electronic transfer. Such systems should only be utilised if they have been fully agreed by the Information Governance Committee, the Caldicott Guardian and other Senior Managers. If there is a requirement to send copy records internally staff must ensure: The information is sent to the individual within a sealed envelope. Is clearly marked and addressed for the attention of a named person/individual. Is clearly marked as Private & Confidential. Is sent via the internal courier service (e.g. Hotel Services) or via an agreed Health Board courier provider (e.g. Just Wales). All copy records for Solicitors, Court and Ombudsman are to be copied on a single sided basis. Copy records for patients can be copied back to back. Database No: 249 Page 16 of 44 Version 2.0

17 All copy records provided to all individuals should be checked by the Access to Health Records Clerks to ensure the information being sent is accurate and only relates to the patient involved in the request and no other patient Sending Original Records Under NO circumstances should original health records be sent to any applicant or individual, including solicitors due to the potential implications to the patient and the Health Board if records are lost. Loss of such sensitive and confidential information could result in significant fines or reviews from organisation such as the Information Commissioner s Office (ICO). The main exceptions to this rule is a Court Order or a request from a Coroner and in these cases original records may be sent but copies must be retained within the Health Board Disproportionate Effort The obligation to provide a copy of records may be waived where the data subject (individual) agrees otherwise or it is not possible to supply a copy of the material sought or to do so would involve disproportionate effort, for example because papers have been destroyed. 10. APPLICATIONS TO ACCESS PERSONAL HEALTH RECORDS INFORMAL APPLICATIONS The preferred option for any informal applications, particularly from current patients is to be dealt with informally at the time and through agreed processes as set out in Appendix C of this policy. The same conditions for responsibility, consent and proof of identity applies as per section 9.1 above, with the exceptions: Where a patient requires viewing of their records it is the responsibility of the health professional in charge of the patient s care to organise an appropriate viewing. The patient should not be allowed to view their health records on his or her own, or to take original records away from Health Board property. The health professional should arrange suitable representation for the patient to help understand the contents of the records. There is no charge levied where a patient requests sight of their health records only, however where a patient requires copies of the information that has been viewed, the appropriate charges identified in section 9.3 and Appendix K of this policy apply. Provision of copy records should also be completed in conjunction with section 9.5 of this policy. 11. APPLICATIONS TO ACCESS PERSONAL HEALTH RECORDS DECEASED PATIENTS The Data Protection Act relates solely to applications relating to living individuals. The Act refers applications relating to information held about deceased patients back to the Access to Health Records Act The Access to Health Records Act 1990 restricts access to records compiled on or after the 1st November There remains, therefore, no right of access to information compiled prior to this date and the 1990 Act provides for an application to be submitted by the patient s personal representative and by any person who may have a claim arising out of the patient s death. Proof of authority in relation to the above plus a copy of the deceased death certificate will be required prior to processing such requests, plus in the case of the patients personal representative, evidence of identity is required. Where an application is being made on the basis of a claim arising from the deceased s death, applicants must provide evidence to support their claim. The personal representative is the only person who has an unqualified right of access to a deceased person s record and need give no reason for applying for access to a record. There is less clarity regarding which individuals may have a claim arising out of the patient s death. Whilst this is accepted to encompass those with a financial claim, determining who these individual s Database No: 249 Page 17 of 44 Version 2.0

18 are and whether there are any other types of claim is not straightforward. The decision as to whether a claim actually exists will be made in conjunction with the Caldicott Guardian. In cases where it is not clear, legal advice will be sought and a health professional will need to inspect records taking into account the following: If it is known whether the deceased patient did not wish for their records to be disclosed or the records contain information that the deceased patient expected to remain confidential. If the release of the information is likely to cause serious harm to the physical or mental health of any individual. 12. ACCESS TO CCTV, AUDIO & DIGITAL IMAGES Any requests received for access to CCTV footage would not come under the remit of this policy or the responsibility of the identified staff for providing information. All requests associated should be directed to the relevant staff/department and completed in conjunction with the Health Boards CCTV policy. An individual has the rights to listen to an audio tape or view a digital recording if it contains personal information about them. There should be in place arrangements to provide transcripts or CDs of the recorded information and normal exemptions rules would apply for this process. 13. MAINTAINING CONFIDENTIALITY In order to maintain patient confidentiality it is important that access requests are dealt with by designated staff, who are working to clear guidelines on maintaining confidentiality and to internal procedures that include checking the identity of applicants (e.g. use of application forms that comply with central NHS guidance and require certification of the applicant s identity) as provided in Appendix H this policy. The Health Board staff and applicants need to be aware that these precautions are also necessary to protect patient information against unauthorised disclosure. Hospitals are targeted by organisations such as non reputable debt collection agencies or sometimes by private individuals seeking access to information about patients on false pretences (e.g. bogus callers claiming to be from another hospital or Health Authority) 14. RESPONSIBILITY FOR PROCESSING ACCESS REQUESTS As identified throughout this policy, patient access requests will normally come under one of the following categories Informal Informal requests that are best dealt with on the spot, by the clinical staff and in line with the agreed processes set out in Appendix C. A person can make an informal request during a consultation or admission and the records can be reviewed as long as there is appropriate supervision as identified in section 8.8 of this policy Formal In order to ensure standardisation and compliance with the relevant legislation and the Health Board s policy on charges for access, all formal applications for access to inspect or obtain copies of personal health records are to be made in writing to designated contact points within the Health Records Service and Mental Health Act Department. Formal applications for Acute, Mental Health & Learning Disability Records and other patient records, from Patients, their relatives or representatives must be submitted in writing (or via ) to: Database No: 249 Page 18 of 44 Version 2.0

19 Medial Legal Department, Hywel Dda University Health Board, Amman Valley Hospital, Folland Road, Glanamman, Ammanford, Carmarthenshire, SA18 2BQ. Or 15. MISTAKES & INACCURACIES The statutory rights for all applicants include a right to the correction of inaccurate information. If the applicant considers that there are mistakes or inaccuracies in the record they can make a request that a note be placed in the record stating their opinion or the inaccuracy is corrected. If the clinician agrees that the information is inaccurate he/she should make the necessary correction. Care must be taken to ensure the error and information is simply not obliterated, which may have significance for future care or treatment of the patient or for litigation purposes. Mistakes should be crossed through with a single line, the written statement written in error should be made and the entry signed, dated and timed. Reasons for the error should always be noted e.g. wrong patients records. If the clinician does not agree that the information contained within the record is an error or inaccurate a note should be clearly recorded in the relevant part of the record, stating the reason why the applicant considers the information to be inaccurate. It should be clearly understood that by law nothing may be erased from a paper health record but a correction may be made. A copy of any correction or note should be provided to the patient and no fee may be charged for this process. 16. COMPLAINTS If the applicant feels they have not been treated fairly and have a complaint about refusal or access to a record or that the holder of the record has not complied with the Act, in the first instance they should complain via the Health Board s agreed complaints process. The Patient Support service staff will then contact the individual and provide a full response to their concerns. If the individual is still unhappy after the response the patient has a right to contact the Information Commissioner or in extreme cases the Courts to seek enforcement of their rights. Both the Courts and Information Commissioner can order that the applicant be given access to the record if they are satisfied that the complaint is justified. 17. TRAINING All staff employed by the Health Board will receive information on their personal responsibilities and information in regards the Data Protection principles as part of the Health Board s Induction programme. This is a mandatory programme and all staff should be aware of their responsibilities in relation to an individuals rights under the Data Protection Act and the right to have access to information that the Health Board holds about them. Specific training in relation to Information Governance and access to Health Records requests has and will be provided by the Health Boards Information Governance Manager. All staff handling and dealing with such requests will be expected to attend the training sessions and will be provided with clear guidance on how to manage individual requests for access to information and have a working knowledge in place to manage requests. The policies and procedures relating to health records will fully support all specific training. Database No: 249 Page 19 of 44 Version 2.0

20 18. MONITORING & COMPLIANCE From a Health Board perspective it is essential that performance and compliance levels are monitored on a regular basis. Attainment levels with legal timeframes are an essential part of the access to health records process and monitoring arrangements need to be fully operational. To ensure there is effective compliance with this policy and that staff are responding to request accordingly the Health Board will ensure: Compliance levels against the statutory timescales will be regularly reported to the Health Records Committee and Information Governance Sub Committee. Regular review audits will be completed every quarter to monitor the compliance levels. A centralised database will be available for staff to record all requests received within the Health Board. It is the responsibility of the Information Governance Sub Committee in conjunction with the Health Records Manager to ensure compliance is met. 19. IMPLEMENTATION As identified within the Documentation Implementation Plan on page 3 of the Access to Health Records Policy, dissemination will be lead by the Health Records Committee and all other policy review and ratification groups and to all staff via Team Brief s, the Health Board s policies and procedures web page and via induction and staff training. 20. DEFINITIONS AND ACRONYMS Access Caldicott Guardian Data Controller Data Subject The availability of or permission to consult records The person within an NHS organisation who is responsible for the systems that protect patient data Under the Data Protection Act 1998, the Health Board is a data controller i.e. the organisation (or person) that determines the purposes for which and the manner in which any personal data about individuals are processed. According to the Data Protection Act 1998, the data subject is a living individual (not an organisation) who is the subject of the personal data. Health Professional a) A registered medical practitioner also includes any person who is provisionally registered under Sections 15 or 21 of the Medical Act 1983 and is engaged in such employment as is mentioned in subsection (3) of the section. b) A registered dentist as defined by Section 53(1) of the Dentists Act 1984 c) A registered optician as defined by Section 36(1) of the Opticians Act 1989 d) A registered pharmaceutical chemist as defined by Section 24(1) of the Pharmacy Act 1954 or a registered person as defined by Article 2(2) of the Pharmacy Act (Northern Ireland) Order 1976 e) A registered nurse, midwife or health visitor f) A registered osteopath as defined by Section 41 of the Osteopaths Act 1994 g) A registered Chiropractors Act 1994 h) Any person who is registered as a member of a profession to which the Professions Supplementary to Medicine Act 1960 for the time being extends Database No: 249 Page 20 of 44 Version 2.0

21 Health Record Personal Identifiable Information (Data) Record Redact Third Party Request i) A clinical psychologist, child psychotherapist or speech therapist j) A misic therapist employed by a health service body k) A scientist employed by such a body as a head of department A record consisting of information about the physical or mental health, or condition, of an individual, made by, or on behalf of, a health professional, in connection with the care of that individual. A health record can be computerised and/or manual form. It may include such documentation as hand written clinical notes, letters to and from health professionals, laboratory reports, radiographs and other imaging records, printouts, photographs, video and tape recordings. Personal-identifiable information is anything that contains the means to identify a person (e.g. name, address, postcode, date of birth, NHS number, National Insurance Number, photograph, etc) Reference 13 of the Caldicott Committee Report on the Review of Patient- Identifiable Information (published December 1997) states: All items of information which relate to an attribute of an individual should be treated as potentially capable of identifying patients and hence should be appropriately protected to safeguard confidentiality. A record comprises of recorded information in any format (e.g. digital or physical) of any type, in any location (e.g. central database server, standalone PC, filing cabinet, archive store) which is created, received or maintained by the organisation in the transaction of its activities or the conduct of its affairs, and kept as unique evidence of such an activity. To remove information that is subject to an exemption under legislation such as the Data Protection Act An access to health records request from anyone other than the data subject (but with the data subject s consent), e.g. solicitor, patient s representative Pe 21. REFERENCES & GUIDANCE Access to Health Records Act Data Protection Act 1998: Caldicott Principles into Practice Access to Medical Records Act en 1.htm Adoption and Children Act Children Act Crime and Disorder Act Data Protection Act Database No: 249 Page 21 of 44 Version 2.0

22 Mental Capacity Act Freedom of Information Act Guidance for Access to Health Records Request Records Managment: Code of Practice (2 nd Edition) WHC (2000) 71: For the Record DGM (96) 43 Guidance on the Protection and Use of Patient Information, March 1996 WHC (82) 20 - Supply of Information about Hospital Patients in the context of Civil Legal Proceedings Welsh Office Circular from HFM2 Division dated 14 February Requests from Government Departments and Agencies Subject Access to Health Records - Office of the Data Protection Commissioner, September REVIEW This Policy will be reviewed every three years (or sooner if new legislation, codes of practice or national standards are to be introduced). Database No: 249 Page 22 of 44 Version 2.0

23 23. APPENDIX A DISCLOSURE OF PERSONAL INFORMATION TO A THIRD PARTY WHERE THE PATIENT LACKS CAPACITY TO CONSENT The most common route for authorising any disclosure of personal information from a health record to a third party is through the consent of the patient about which the information is held. On occasions, there may be a need to disclose personal information about a patient where they are not able to grant a valid consent, for example to people interested in the welfare of a patient when decisions about health and welfare matters are being made in the patient s best interests. Patients should be presumed to have the necessary decision-making capacity to consent to a disclosure of their personal information. Where there are reasons to doubt the patient s capacity in this respect a formal capacity assessment must be undertaken (see section 8 of the Mental Capacity Act 2005 Policy, No. 374 for guidance on assessing capacity). Patients who have been assessed as lacking decision-making capacity retain the right to the privacy of their health care information. A decision maker must respect the patient s right to privacy. There must be: - A positive reason to disclose the information (a decision to disclose cannot be based simply on a perception that to do so is unlikely to cause harm) - Consideration of whether the patient is likely to regain capacity and whether the disclosure could wait until they may be able to consent to, or decline the disclosure - Clarity about the minimum amount of information that might need to be disclosed to achieve the purpose for which disclosure is being considered. The decision as to whether limited disclosure should be made must be approached by use of the best interests process outlined in the Mental Capacity Act (see section 9 of the Mental Capacity Act 2005 Policy, No. 374 for guidance on determining best interests). This will include consideration of: - What is known or can be ascertained about the patient s current or past wishes and feelings in relation to the proposed disclosure - Whether the purpose for which disclosure is being considered can be achieved in other ways which do not intrude on the patient s right to privacy - The likelihood and extent of any benefits or perceived harm to the patient if the disclosure is made, weighed against benefits or harm if the disclosure is not made - The views of people close to the patient, such as family, friends or informal carers and involved professionals, about the patient s wishes and feelings and whether they consider the disclosure to be in the person s best interests - How the extent of any proposed disclosure can be minimised, both in relation to how much information is disclosed and to how many people. The best interests decision must be clearly recorded in the record and include the purpose for which disclosure was considered, the key issues that have been thought about, how they have been weighed by the decision maker and why the final decision is felt to be in the patient s best interests. The decision maker is responsible for ensuring that only the minimum necessary information is safely conveyed to the minimum number of people and must ensure that the receiving person/s are aware of the need to treat the information as confidential. A best interests decision to provide a copy of written information from the patient s record must be made by the clinician in charge of the patient s care at the time. Access to a patient s complete healthcare record cannot usually be in their best interests and must not be granted unless the individual requesting access has an appropriate form of authority. Further guidance on disclosing personal information in a patient s best interests can be found in chapter 16 of the Mental Capacity Act 2005 Code of Practice. Database No: 249 Page 23 of 44 Version 2.0

24 24. APPENDIX B CONSULTANT AUTHORISATION FORM HEALTH RECORDS DEPARTMENT APPLICATION FOR ACCESS TO HEALTH RECORDS To: Medical Secretary/ DATE: Patient Label We have received an application for access to health records from the patient/the patient s representative. They have requested to have access to the record via the following method: Provision of copies of the record Inspection of the record with Health Records representation (copies may be provided following inspection) Inspection of the record with a Health Professional present (copies may be provided following inspection) Other (please specify): Applicants are normally entitled to view the whole record except: Where access would disclose information that is likely to cause serious physical or psychological harm to the patient or any other individual. Clinicians need to consider the following issues although this list is not exhaustive: Gender Change, Human Fertilisation & Embryology Act, Genetics, Sexual Health Information, Mental Health Information Where access would disclose information relating to or provided by an individual other than the patient who could be identified by the information. Where information has been provided by the patient in the expectation that it would not be disclosed to the applicant. The application and the patient records are provided for your urgent attention as the relevant health professional. Please could you either provide your signature below confirming your authorisation for access to the patient record or contact us immediately if there are any reasons for withholding disclosure, so we can ensure we comply with the legal timescales associated with access requests. I have no objection to authorising access to the patient s records. Signature: Date: Database No: 249 Page 24 of 44 Version 2.0

25 25. APPENDIX C GUIDANCE FOR INFORMAL ACCESS TO HEALTH RECORDS Are you the Clinician treating the patient or do you have delegated authority on their behalf? YES NO Is there information in the record that has been supplied by a third party and/or from which a third party can be identified? NO YES Consult with the other professionals and the third parties. Is there any information likely to cause serious harm to the patient s health or well being? YES Agreement from the above given for you to continue with informal access? NO YES NO Clinician allows informal access in accordance with procedure. Informal access will have to be denied. Offer the patient a form to complete to make a formal application and offer guidance. Clinician ensures that an entry is made in the Health Record and signed by both the patient and the clinician indicating that the Health Record has been accessed informally. FORMAL ROUTE Database No: 249 Page 25 of 44 Version 2.0

26 26. APPENDIX D GUIDANCE FOR FORMAL ACCESS PATIENT REQUESTING ACCESS TO THEIR OWN HEALTH RECORD Completed Access to Health Records Application form received within the Health Records department NO Write back to or contact the applicant to obtain the required information or request fee. Does the Access to Health Records clerk have sufficient information to identify the patient, to locate the record, have signature of consent and the relevant fee? YES Record the request on the centralised database with appropriate reference number and comply promptly with the request within the agreed timeframe. If it appears compliance will take longer than 40 days the applicant should be informed immediately and a full explanation provided. Fully review the request documentation to ensure only the information requested is provided. Be aware a patient may not be entitled to all information contained within their medical record. Where there are any concerns seek advice from the Information Governance Manager, Caldicott Guardian or Legal Services. Locate the patient records and forward them to the relevant health professional along with the Consultant Authorisation Form for review and authorisation to release information. Data Protection and Caldicott Principles should be considered at all times. ACCESS DENIED ACCESS GRANTED Advise the applicant that access has been denied to some or all of the information. There is no requirement to detail the grounds upon which the information is withheld Provide the patient with copies of the relevant and authorised parts of the health record. If the applicant is unhappy with the decision to withhold information, the Health Board will endeavour to resolve the matter locally, and may require involvement of the health professional involved. If the applicant is still unsatisfied the complaints procedure should be implemented. Database No: 249 Page 26 of 44 Version 2.0

27 27. APPENDIX E REQUESTS FROM SOLICITORS Letter, e mail or request form for access to health records received from a solicitor within the Health Records department. Health Records clerk to fully review all documentation. Does the letter/ quote or refer to the Data Protection Act 1998 or Access to Health Records Act YES NO Is there any litigation intended against the Health Board? YES Immediately forward the letter or request to Legal Services Has the patient s written consent been received? NO NO YES PROCEED THROUGH THE FORMAL ROUTE AS PER APPENDIX D. REFER THE REQUEST OR LETTER BACK TO THE SOLICITOR FOR SIGNED PERMISSION FROM THE PATIENT. Database No: 249 Page 27 of 44 Version 2.0

28 28. APPENDIX F INSURANCE REQUESTS Insurance form received from a patient within the Health Records department. Health Records staff to fully review the form and information required. If the form requires detailed diagnosis or clinical information the form is to be sent directly to the Consultant/Clinician for completion. Health Records staff to complete form and the agreed fee of 10 is applied. Database No: 249 Page 28 of 44 Version 2.0

29 29. APPENDIX G RESPONSE TO CRIMINAL INJURIES COMPENSATION AUTHORITY (CICA) Letter and standard form received from the Criminal Injuries Compensation Authority (CICA). Health Records staff to immediately forward the form to the correct individual for completion, e.g. Accident & Emergency Secretary. Database No: 249 Page 29 of 44 Version 2.0

30 30. APPENDIX H APPLICATION FOR ACCESS TO MEDICAL RECORDS (Data Protection Act 1998, Access to Health Records Act 1990) DETAILS OF PATIENT Surname Address Forename(s) Date of Birth Treatment / Attendance Hospital Number (if known) DETAILS OF APPLICANT (if different from above) Surname Address Date of Death Approx Date Forename(s) Relationship (please tick one box) I am the patient I have been asked by the patient and attach his/her written consent. I am acting in loco parentis and the patient is under the age of 16 I am the personal representative of the deceased patient and attach confirmation of my appointments.(documentary evidence is required eg Grant of Probate or letter from the solicitors stating that you are the executor.) I am appointed by the Courts to manage the affairs of the patient. (Documentary evidence is required eg proof of Power of Attorney) REASON FOR REQUEST FOR DECEASED PATIENTS OR PATIENTS WITHOUT MENTAL CAPACITY TYPE OF REQUEST: (please tick the appropriate box) View Health Records/Read Only Full Copy of Health Records Partial copy of Health Records If applicable, please let us know if there is a particular period of care you are interested in, providing as much information as possible e.g. A&E treatment, specific service, treatment by a named consultant. Declaration I declare that the information given in this form is correct to the best of my knowledge and that I am: The Patient Signed: DECLARATION A Third Party acting on the patient s behalf and have attached the patient s written authorisation Date:. I declare that the information, given by me, is correct to the best of my knowledge and that I am entitled to apply for the Medical Records referred to above, under the terms of the Data Protection Act 1998 and/or Access to Medical Records Act You are advised that making false or misleading statements in order to obtain access to personal information to which you are not entitles is a criminal offence. Signed:.. Date:.. Database No: 249 Page 30 of 44 Version 2.0

31 CERTIFICATE OF PATIENT/APPLICANT S IDENTITY COUNTERSIGNATURE To be completed by the person required to confirm your identity. I certify that I am (first and last name): Of (give your address): And that I have known the applicant for.. years as an Employee / Client / Patient / Personal Friend / and have witnessed the applicant read and sign this form. Signed: Date: Telephone Number: Profession: A fee of 50 is payable for the request and to provide copies of the record. Please enclose a cheque payable to this amount when returning the form. Cheques should be made payable to: Hywel Dda University Health Board Please return this form to: Medial Legal Department, Hywel Dda University Health Board, Amman Valley Hospital, Folland Road, Glanamman, Ammanford, Carmarthenshire, SA18 2BQ. Database No: 249 Page 31 of 44 Version 2.0

32 HYWEL DDA LOCAL HEALTH BOARD 31. APPENDIX I ACCESS TO HEALTH RECORDS PROCESS SHEET ACCESS TO HEALTH RECORDS PROCESS SHEET APPLICANT:. PATIENT S NAME (if different):... HOSPITAL NUMBER:... ACTION Request Received Application Form Sent Valid Application Form Received Access Fee Received Latest Response Date (*delete as appropriate) *21 days *40 days Case Notes Obtained Health Professional consulted (Name) (i) (ii) (iii) (iv) (v) (vi) (vii) (viii) Patient Received Information Please circle as appropriate: Visual By Post By Hand DATE Access Photocopying Postage ITEM AMOUNT RECEIPT NUMBER

33 HYWEL DDA LOCAL HEALTH BOARD 32. APPENDIX J INFORMATION SHEET BACKGROUND The Act gives individuals the right to access, subject to certain exemptions, health information held about themselves under the Data Protection Act RIGHTS - WHERE PATIENT IS ALIVE The patient (aged 16 or over). A person with parental responsibility for a child patient under 16 years old where the child has EITHER consented to the application OR is incapable of understanding the nature of the application. A person authorised in writing by the patient to make the application. A person appointed by the Courts to manage the affairs of a patient, documentary proof must be given. Where a patient is unable to authorise the release of their records due to a lack of mental capacity then a person who has been legally appointed to act on behalf of the patient has the right to apply for access to the health record. Where a request is received from a legally appointed representative, they should be asked to produce evidence that they hold a lasting power of attorney which allows the person to make decisions regarding finances, property and welfare. A legal power of attorney must be registered with the Office of the Public Guardian. An Independent Mental Capacity Advocate (IMCA) is a statutory form of advocacy that provides safeguards for people without representation form friends and family who lack capacity to make decisions about situations including: Serious mental treatment. Moving into, or between, care settings (including hospital). An IMCA is entitled under the Mental Capacity Act (2005) to ask for access to the person s medical and health records, and to take copies from these. RIGHTS - WHERE PATIENT IS DECEASED The personal representative of a deceased patient documented evidence will be required. (This means a person who has been appointed to act as an executor or administrator of the patient's estate. Evidence of appointment can be by producing the Grant of Probate or Letters of Administration issued by the Probate Registry). Copy of Power of Attorney Documentation. A person who may have a claim arising from the patient's death. You will be asked to provide a reason for requesting this information. CONFIDENTIALITY Patients have a right to have their personal health information kept confidential and record holders are obliged to be satisfied that an applicant is the patient or is otherwise entitled to access that patient's records. As a very minimum the staff must check the identity, but may also have to make further enquiries to complete the process. LOCAL ARRANGEMENTS Applications for access to records held by the Hywel Dda University Health Board should be made in writing to the: Medial Legal Department, Hywel Dda University Health Board, Amman Valley Hospital, Folland Road, Glanamman, Ammanford, Carmarthenshire, SA18 2BQ. A fee of 50 will be payable for access to information and the provision of copies.

34 33. APPENDIX K ACCES TO HEALTH RECORDS FEES Hywel Dda University Health Board INSURANCE FORMS COST COMMENT Countersignature of insurance forms. 10 Exception no-fee for Welsh Hospitals Association (as donations of medical equipment are given.) Provision of copy notes for individuals. Provision of copy notes for Solicitors or Courts. Provision of information regarding time of birth for horoscopes. War veteran requests and service personnel Police 50 Includes all photocopying costs. If x-rays are required then there is additional fee payable to a maximum of If x-rays are requested, then the locally agreed processes are implemented. 5 Free of charge Free of charge Councils for care Free of charge proceedings Viewing of Records Only 10 If photocopies are required see above Database No: 249 Page 34 of 44 Version 2.0

35 34. APPENDIX L GUIDANCE FOR ALLEGED INACCURACIES IN THE HEALTH RECORD A request for the patient record to be amended may arise in various contexts, e.g. as part of a written complaint, during the course of an inspection of the records, or when a patient is given informal access to their notes in the course of treatment. The arrangements in place to follow up a request for amendment to be made to the record need to provide for two eventualities: Cases where there is a difference of opinion or perception between the patient and the originator of the entry. Cases where it can be established that there is a factual error in what has been recorded that needs formal correction on behalf of the Health Board. When adding a Note to the disputed patient record (case notes or separate medical record), the following guidelines should be observed: Applicant in not satisfied and requests alleged inaccuracies in the record to be corrected. Do not cross out or blank out an existing entry in the patient record. Use a separate sheet of Health Board headed paper. Ensure that the Amendment Note is approved and signed by an appropriate officer of the Health Board (This may be a health professional or a manager depending on the nature of the disputed entry or entries). If the Health Professional is in agreement he/she can make the necessary correction, in line with the Health Board s Record Keeping Policy. OR If the Health Professional is not in agreement he/she can make a note in the relevant part of the record, of the matters alleged to be inaccurate, in line with the Health Board s Record Keeping Policy. No information is to be obliterated or removed from the record File the completed Amendment Note immediately next to the document with the disputed or inaccurate entry. Further advice and assistance may be obtained from the following individuals: If in doubt about identifying an appropriate officer seek advice from your Line Manager, Clinical Lead, Medical Director or Caldicott Guardian. If you are aware (from checking with the patient) that the issue is or has been subject of a formal complaint to the Health Board liaise with Patient Support Services. For advice and guidance in relation to wording or compliance with the Data Protection Act consult with the Information Governance Manager. For advice in relation to patient access or case note content consult with the Health Records Manager. Database No: 249 Page 35 of 44 Version 2.0

36 35. APPENDIX M ADVERSE PATIENT OUTCOME ILLUSTRATIVE FLOW CHART IF PATIENT SUFFERS ADVERSE OUTCOME PATIENT (P) HEALTHCARE PROVIDER (HCP) INITIAL STAGES Patient suffers adverse outcome and discusses it with Health Care Provider. Patient dissatisfied and asks for written explanation. Professional reports outcome to Clinical Director. Patient still dissatisfied consults Solicitor. Options discussed. Solicitor request patient records. PROTOCOL STAGES 40 DAYS Medical Director/Complaints team investigate obtain records/interview staff and provide explanation. Investigations continue/records provided. Solicitor instructs experts who advises potential breach of duty. 3 MONTHS HCP instructs Solicitors and take advice from in-house expert who advises no breach of duty, claim refuted. Solicitor patient prepare letter of claim send to HCP. Proceedings issued and served. Database No: 249 Page 36 of 44 Version 2.0

37 36. APPENDIX N EXEMPTIONS HYWEL DDA UNIVERSITY HEALTH BOARD Disclosure Might Cause Harm Under the Data Protection (Subject Access Modification) Health Order 2000, the Health Board has the right to deny patients access to all or part of their health records if one of the following conditions apply: If, in the opinion of the healthcare professional in charge of the patient s care, access would disclose information likely to cause serious harm to the physical or mental health or condition of the patient or any person (for example a child in a child protection case). If giving access would disclose information relating to or provided by a third person who has not consented to that disclosure unless: The third party is a health professional who has complied or contributed to the health records or who has been involved in the care of the patient. The third party who is not a health professional gives their consent to the disclosure of the information. It is reasonable to disclose without the third party`s consent. Those who make the decision to disclose information (e.g. healthcare professionals) must consider carefully and be prepared to justify any decisions to disclose or withhold information. The Caldicott Guardian must be advised if there appears to be any grounds for withholding information. If information is withheld the Health Board are free to advise the applicants of the grounds on which information has been withheld, but they are not obliged to do so. Child Protection Concerns There may be situations in which access to all or all or part of a child`s health record can be refused, for example where there are ongoing child protection issues or where releasing information may put a child or young person at risk of harm. In these cases advice must be sought from the appropriate managers and child safeguarding professionals within the Health Board, as well as the Caldicott Guardian before releasing any information. Wishes of Deceased Patients Health records relating to deceased patients do not carry a common law duty of confidentiality. It is however policy of the Department of Health and the General Medical Council that records relating to a deceased patient should be treated with the same level of confidentiality as those relating to living individuals. For example if the record contains a note made at the patient`s request that they did not want a particular individual to know the details of their illness or care then no access should be granted to that individual. In addition the record holder has the right to deny or restrict access if it feels that disclosure would cause serious harm to the physical or mental health of any other person or would identify a third person. Repeat of Earlier Request Access to health records can be refused where an access request has previously been granted. The Data Protection Act 1998 permits record holders not to respond to a subsequent identical or similar request unless a reasonable interval has elapsed. Record holders should consider: The nature of the information How often it is altered The reason for its processing Whether the reason for the request is also relevant Database No: 249 Page 37 of 44 Version 2.0

38 Any requests that may involve a claim or litigation against the Health Board must be immediately brought to the attention of Legal Services. Category Crime and Taxation Health, Education and Social Work Research, history and statistics Human fertilisation and embryology Exemption Where part of the personal information contained within the records or individual records, relate to the prevention and detection of crime or the apprehension or prosecution of offenders. Social work records exemptions come under the Data Protection (subject Access Modification) (social Work) Order 2000 which relates to personal information used for social work purposes: Where the release of the information may prejudice the carrying out of social work by causing serious harm to the physical or mental condition of the data subject or others. Certain third party`s information can be released if they are a relevant person. As long as release of the information does not cause serious harm to the relevant person`s physical or mental condition. Where the personal data is used solely for research purposes and as long as resulting statistics are not made available which identify the person. Personal information can be withheld in certain circumstances where it relates to human fertilisation and embryology. The full list of subject areas where exemptions may apply: National Security Crime and Taxation Health, education and social work Research activity Journalism, literature and statistics Information made available to the public sector or under enactment Domestic purpose Confidential references Armed forces Judicial appointments Crown employment Management forecasts Negotiations Examination scripts Legal professional privilege Self incrimination Crown appointments Human fertilisation, embryology and adoption records and reports Database No: 249 Page 38 of 44 Version 2.0

39 37. APPENDIX O HEALTH PROFESSIONALS The Date Protection Act 1998 identified that health professionals are: Registered medical practitioners including those provisionally registered Registered dentists Registered opticians Registered pharmaceutical chemists Registered nurses, midwives, or health visitor Registered osteopath Registered chiropractor Registered member of Allied Health Professionals Clinical psychologist, child psychotherapist or speech therapist Music therapist employed by health service body Scientists employed by such a body as head of a department Database No: 249 Page 39 of 44 Version 2.0

40 38. APPENDIX P CHECKLIST FOR DISCLOSURE OF PERSONAL INFORMATION TO THE POLICE Establish proof of the Police Officer`s identity, check warrant card or ring the relevant police station is necessary. Ask why the information is required. Check if the individual has given consent to release the information. Does the Police Officer have the relevant documentation e.g. section 29 form or medical consent form. Is the form signed by identified Police Officer and their Senior Officer. Does the form identify why the Police Officer requires the information e.g. preventing serious crime. Only provide the minimum or relevant information to satisfy the request. Don t feel pressured to release the information, remember the Police do not have an automatic right to patient information. If you are in any doubt always discuss the request with you manager, ward sister, clinical lead etc. If there is still any doubt contact the Health Board s Caldicott Guardian. Database No: 249 Page 40 of 44 Version 2.0

41 39. APPENDIX Q POLICE SECTION 29 FORM Personal Data Request Form To (name and position if known)... Organisation & Address... This request for personal data and other information is made under the powers invested in me as a constable of the Dyfed Powys Police by the Police Act 1996 (section 30(1) which gives constables all the powers and privileges of a constable throughout England and Wales and Section 30(5) defines powers as powers under any enactment when ever passed or made). These powers include the investigation and detection of crime, apprehension and prosecution of offenders, protection of life and property and maintenance of law and order. Under the Police Reform Act 2002, the Chief Constable can delegate certain powers to police staff. The personal data I require relates to the following individual(s): (Include identifying details of the person where known, such as name, address and date of birth) I have the following information to assist you in locating the personal data and other information: (Include further details, where available, to assist locating the information sought) I require the following personal data and other information: (Describe the information sought) I require the personal data and other information to assist with my enquiries into: (Describe the subject of those enquiries as far as is possible without prejudicing them) Database No: 249 Page 41 of 44 Version 2.0