Health Data
Access to Records
Records will be created in the course of medical treatment, and they may include examination records, findings, treatment plans, and consent processes. The Health Service Executive has published guidance for making records within institutions. It indicates that the healthcare record performs a number of functions, including:
- Maintaining the history of the service user.
- Recording decisions relating to the care plan.
- Supporting the workflow of the clinical and administrative functions within the organization for healthcare professionals and other staff.
- Supporting communication of medical information with external resources such as laboratory and radiological departments, as well as consultations and referrals between clients.
- Justifying care delivery in the context of legislation, professional standards, guidelines, evidence, research, and professional and ethical conduct.
Medical records may take the form of:
- Patient health records, whether held electronically or in paper form.
- Accident and emergency, birth, and other registers.
- Theatre registers and minor operation registers.
- X-ray and imaging reports.
- Photographs, slides, and other images.
- Emails.
- Computerized records, text messages, microfiche, and microfilm.
Clinical records and notes are important for justifying treatment and defending claims of negligence or breach of duty. They may comprise the only record of the original events, which might be the subject of litigation or disciplinary proceedings many years later.
Guidance
The Irish Medical Council’s Guide to Professional Conduct and Ethics defines medical records as comprising relevant information learned from or about the client. It may be from the patient or third parties.
Practitioners must keep accurate and up-to-date patient records in paper or electronic form. They should be legible, and the author, date, and, where appropriate, the time of entry should be recorded.
Notes must comply with data protection and other legislation regarding storage, disposal, and access.
Patients have a right to obtain copies of their medical records, except where disclosure is likely to cause serious harm to their physical or mental health. Before information is released, information relating to other persons who have not consented to its disclosure should be redacted.
Medical records should be kept as long as they are likely to be relevant to the patient’s care, or as long as the law or practice standards require.
Notes should be available, but if they are not, this may lead to an adverse inference against the party who had custody and was responsible for them. Alteration of notes may have adverse consequences for the person responsible.
Patients have a right of access to their information in clinical records. This does not necessarily mean the right to ownership of the file itself. In private practice, the notes would generally belong to the practice owner. In public sector hospitals and settings, they would belong to the hospital manager or HSE.
GDPR and FoI
Access to notes is regulated by both the General Data Protection Regulation (GDPR) and freedom of information legislation. Data protection rules apply to personal information, and most health data is deemed sensitive personal data subject to more stringent standards. Sensitive personal data includes data concerning the physical or mental health condition or sexual life of the data subject.
Data protection legislation (the GDPR) applies to the processing of data, which includes collecting, storing, transmitting, using, or deleting it.
The data processor is the person who processes personal data on behalf of the data controller. The data controller is a person, either alone or with others, who controls the use of personal data and determines the purposes for which it can be processed.
It appears that generally, the hospital or institution will be the data controller in the case of public patients. In the case of private patients, the consultant or practitioner is likely to be the data controller.
Use of Data
Information may only be used for legitimate purposes, and it must be legitimately processed:
- It must be obtained fairly.
- It must be kept only for one or more specified lawful purposes.
- It must be processed in a way compatible with the purposes for which it was given initially.
- It must be kept safe and secure.
- It must be kept accurate and up-to-date.
- It must be adequate, relevant, and not excessive.
- A copy must be given to the person concerned on request.
For the processing of personal data to be legitimate, the person concerned must have consented to the processing, or the processing must be necessary for the performance of a contract, for compliance with a legal obligation, for preventing injury or damage to the health of the person concerned or serious loss or damage to property, or to protect vital interests where seeking consent would limit the damage to those vital interests. Processing is also legitimate where it is necessary for the purposes of the legitimate interests of the data controller or of a third party to whom the data is disclosed, unless it is unwarranted because of prejudice to the fundamental rights and freedoms or legitimate interests of the data subject.
In the case of sensitive data, which will include much health data, the following additional requirements apply:
- Consent must be provided explicitly rather than implicitly.
- Processing must be necessary for the exercise or performance of a right or obligation of the data controller.
- Processing must be necessary to prevent injury or damage to the health of the data subject or another person, or otherwise to protect the vital interests of the data subject or another person when consent to the processing cannot be given by the data subject or the data controller cannot reasonably be expected to obtain such consent.
Processing of sensitive personal data is legitimate where required for the purpose of obtaining legal advice or in connection with legal proceedings or prospective legal proceedings, or otherwise necessary for the purposes of establishing, exercising, or defending legal rights.
The above provisions are of the widest application and relevance in the context of patient records.
Genetic and Biometric
The GDPR defines genetic data and biometric data as special categories of sensitive data. Two further conditions apply:
- Processing is necessary for the purpose of preventive or occupational medicine, for the assessment of the working capacity of an employee, medical diagnosis, the provision of health or social care treatment, or management of health and social care systems and services on the basis of EU or member state law pursuant to a contract with a health professional.
- Processing must also be necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of safety of healthcare and of medicinal products and devices on the basis of EU or member state law, which provides suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy.
GDPR Access Right
The patient has a right of access to data which relates to him or her. A patient is therefore entitled to a copy of clinical records. Where a request is made, a response must be given within 21 days. If the data controller does not hold the data, the data subject, on making a written request, is entitled to obtain within 40 days a description of the categories of data being processed by the data controller, a description of the personal data, a description of the purpose of processing, information as to the recipients to whom the data may be disclosed, and the information constituting the personal data.