What is Prospective Records Access
Prospective access to medical records in the NHS is designed to allow patients to view their health information, including test results, medications, and consultation notes, through secure online systems. This resource includes an archive of Surrey and Sussex LMC advice and guidance letters on this topic for your reference.
Letter Archive
A number of practices have contacted the LMC noting recent communications from their ICB about their provision of Prospective Access to Medical Records.
Colleagues will recall the furore about this issue over a year ago: many practices concluded that simply permitting full prospective access to medical records was not safe or appropriate and such access should be made available only after a review triggered by the patient’s request for such access. The LMC provided advice at the time, including a recommendation that, if practices believed this was the most appropriate approach, they should develop a DPIA which formally describes those risks and the mitigations the practice is putting in place.
Many practices also used a …104 coding to restrict prospective access in line with the process adopted by the practices.
The LMC also recognises many practices also decided this was not an issue of huge concern and were therefore happy to adopt NHS England’s recommendations, and it is the case that neither the LMC nor GPC England have become aware of a surge in complaints or significant events associated with such a policy.
In terms of prospective access to medical records, all had seemed quiet, and it appeared NHS England had adopted a “quieta non movere” [do not move settled things] approach over this issue which had much to recommend it, especially given the most challenging of years General Practice has experienced. However, NHS England can look at the number of patients with an …104 code within each practice and therefore infer the practice’s policy in terms of prospective access.
The Information Commissioner’s Office (ICO) has published its view.
The ICO accepted there were risks associated with prospective access, but thought it would also be possible to mitigate these (which is true, in the LMC’s view, were sufficient resources available to practices to do so) and the ICO’s letter above stated:
“It is the ICO’s opinion that the high risks identified (within the DPIAs submitted to the ICO – my additional comment) would constitute operational risks concerning the allocation of resources, rather than data privacy risks which would infringe the data protection legislation.”
The ICO noted it was not within its remit to comment on risks of such a nature.
The LMC’s position and advice to GP practices therefore remains unchanged: it would be very helpful, should practices receive further communications on this issue, to forward these to the LMC Office and obviously if the situation does alter, I will circulate updated advice.
Dr Julius Parker, Chief Executive
Whilst we are recognising that for some colleagues this no longer represents a significant issue; in some cases, practices have already enabled full prospective access for patients and not found this has created significant concerns. However, we hope the issues being raised by the BMA and LMC will continue to encourage all colleagues to minimise any risks associated with the programme and the safety of participating patients. All practices should use a DPIA to highlight any potential risks and the mitigation that has been applied to these.
Some practices may not have switched on full prospective access and, because of the concerns identified within their DPIA, be proceeding on the basis that a direct discussion with patients prior to enabling full prospective access is the safest way to proceed and also the one most likely to maximise the benefits patients can gain from such access.
NHS England can review and identify practices with substantive numbers of patients with …104 codes; the LMC therefore recommends such practices proactively contact their commissioners, setting out the practice’s current position. Action by commissioners is less likely if they know that practices are engaged with the programme, even if they have taken the view that there are greater concerns than NHS England believe.
Accompanying this update is a template letter practices can personalise and use to send to their commissioners; if sent, it would be helpful to copy to the LMC. It would also be helpful to either ask the commissioners to copy any response to the LMC or if preferred to omit this but send on any response that is received.
The LMC recommends all practices, whatever process they adopt in terms of enabling access, should publicise the availability of this programme to their patients; obviously some practices may wish to publicise the steps patients may need to take to take advantage of this programme. All practices should highlight the opportunity to opt-out of the programme if they wish.
There are full details of the BMA’s advice available at: Providing access to patient records
We hope matters will calm down in relation to this issue following the contractual go live date of 31st October, but the LMC will continue to update colleagues if any changes are needed or if, for example, the ICO provides relevant advice.
Dr Julius Parker, Chief Executive
Practices should individualise this letter but not substantially change its content, as it is based on BMA legal advice; I have highlighted in italics where practices may wish to give practice-specific comments.
This template should only be sent if your practice has significant numbers of …104 coded patients: if so, you may have received emails from NHS E or your ICB drawing attention to this.
Dear [Your Commissioner or perhaps your Contract Manager]
I am writing in relation to the 2023/24 GP Contract imposed requirement to provide full prospective access to GP-held patient medical records by 31 October 2023.
[Name of Practice] has carried out a DPIA [which can be sent if requested/which is enclosed] which has identified multiple risks associated with this programme. As Data Controllers the partners are responsible for mitigating those risks in order to ensure the safe implementation of the programme.
I would wish to emphasise that [Name of Practice] is engaging with this programme and supports the principle of patient access to medical records, as long as it is undertaken in a safe way, and appropriate protection is afforded to patients for whom full prospective access may hold risks or is otherwise not in the patient’s best interests.
[Name of Practice] believes there can be advantages to patients in terms of managing their own health supported by the information available in their record. [Name of Practice] is advertising the availability of prospective access to our patients by [if this is happening, which the LMC recommends, you could add how here, for example, by information on the website or SMS [or equivalent] messages].
[Name of Practice] also wishes to note to its commissioners a number of concerns with the current Regulations which mean compliance with these may be impossible, for example:
- The current Regulations do not stipulate that patients under 16 should be excluded from full prospective access, yet professional advice is that this would not be appropriate [for example, the Royal College of General Practitioners on-line toolkit excludes under 16-year-olds from participation]
- The current Regulations no longer state that fit for purpose redaction software needs to be in place for full prospective access to be available. [Name of Practice] understands NHS England are advising that full redaction of documents is acceptable, whereas in fact only partial redaction may be needed to remove third party references and potentially harmful content, thus full access is not being offered.
[Name of Practice] will continue to offer prospective access but believes this is most safely and beneficially done by offering such access on a requested basis. This means that a full discussion with patients can occur, ensuring that participants understand:
- The process of such access and how it can be maintained safely
- The nature of the information they will have access to
- The potential challenges in interpreting their consultation records
- How by using this information they can take more responsibility for their health and wellbeing
[Name of Practice] has considered examples of this process such as – Do you want to see what your doctor or nurse has written about you or check your GP Electronic Health Record? – Haughton Thornley Medical Centres (htmc.co.uk) – although the practice is developing/has developed its own policies for this process [only say this if such policies are in progress and are available, as the commissioner may ask to see these].
[Name of Practice] is providing this update to their commissioners as recommended by the BMA and SSLMCs. I would be grateful if you could copy any response to this letter to the LMC. [Omit this last sentence if preferred]
Normal Practice Sign Off
cc LMC
We are writing to all practices now that detailed GPC England advice on this issue is available.
The LMC understands that practices across the Confederation will have made or wish to make different decisions about this issue. A small proportion of practices will have already decided to offer prospective access to their registered patients, excepting those who have declined this, or for whom it is not in their best interests to do so. Other practices may have not yet agreed to operate such a programme.
This letter describes practices’ options, and is linked to GPC England’s guidance available at: BMA general practitioners committee England
In all cases GP partners are the Data Controllers in relation to the patient’s healthcare records held at their practice. As offering patients prospective access to their medical records represents a change in the way this personal data is processed, all practices should undertake a Data Protection Impact Assessment (DPIA). A DPIA is designed to assess the data protection risks in terms of any changes in the way data is processed.
Some practices will have already undertaken a DPIA in relation to the prospective access programme and be satisfied that any risks have been addressed. These practices can proceed to offer prospective access to all patients (excepting those who have declined, or for whom it is not in their best interests) from 31st October 2023, when this becomes a contractual requirement. Some practices may already be offering such access.
The BMA has developed a template DPIA in relation to this change in data processing. Practices are not required to use this template but, if they do, it will need to be personalised to an individual practice’s circumstances. The BMA’s template DPIA is based on the Information Commissioner’s Office (ICO) template.
Practices may review the BMA DPIA template and decide that some of the issues within it can helpfully be transferred to their current DPIA, together with mitigations of those concerns that mean GP partners can feel assured in terms of the risks associated with the programme.
The BMA DPIA concludes that the most appropriate and safest way of minimising the risks associated with enabling full prospective access is to provide access only to those patients who request it. If practices believe this is the safest approach, their practice DPIA should reflect this.
Practices should currently be using three codes to define their patients’ status in relation to prospective access. Patients who wish to opt-out of prospective access can be coded with a …103 code (SNOMED1290331000000103).
Practices should have internal processes designed to identify patients for whom a review is needed to assess whether prospective access can be appropriately offered; this is the …104 code that many practices have already used. A …104 code prevents patients having prospective access when such functionality has been enabled, until a review occurs. Depending on a practice’s attitude to the risks associated with prospective access, which should be recorded within the DPIA, practices will have a mechanism for enabling access. One example is the application form available within the GPC England guidance.
For patients who the practice believes have no need for a review prior to offering access, the …106 code [SNOMED1354751000000106] should be used. If a patient has a …104 code, this can be changed to a …103 code, if a patient does not want access, or a …106 code if access is to be offered, following the practice’s agreed process. If a practice believes that actively reviewing patients who request prospective access is an appropriate prerequisite to safely offering access, then the …104 code can be used in the interim, until this review has occurred.
In all cases, practices should provide patients information about the prospective access to medical records programme. The BMA guidance includes an example web-page for the practice website but this message relates to a scenario in which practices believe a review is necessary prior to offering access and this is linked to example text messages, if the practice has the functionality and capacity to send these, or shortened versions, available via the GPC England guidance.
Practices should therefore have trained staff available to answer patients’ questions about prospective access, and to signpost patients with queries, for example, about the content of their records. NHS England advice, based on data from sites with longer experience of prospective access, is that the numbers of such contacts are low and are outweighed by the fall in queries relating to medical issues because patients can directly access the information in their medical records.
The LMC also wishes to highlight the example of a practice with considerable experience in ensuring the safe implementation of prospective access to medical records; this information is provided by Dr Amir Hannan at Haughton Thornley Medical Centres.
The RCGP also has extensive information on all aspects of on-line services via its GP on-line services toolkit.
The BMA has also prepared a template draft letter from practices to commissioners about this issue; I enclose a section of this below, but the LMC does not currently recommend practices need to contact their commissioners directly.
GP contractors are data controllers of the GP-held medical record. GPs’ duties under the Data Protection Act 2018 (“DPA 2018”) and UK GDPR are paramount and must be observed by GPs instituting any new form of data processing. GPs should not breach their duties as data controllers in order to comply with a contractual obligation to provide access. It cannot have been NHS England/the secretary of state’s intention to require GPs to act in breach of their data protection duties. The new contractual requirements require changes to the way that GP contractors as data controllers of the GP-held medical record process their patients’ personal data and, as such, a DPIA is required by law.
The BMA DPIA has identified a number of risks which may be mitigated by operating an opt-in model, which is to say providing access only to patients who request access, as opposed to providing access to all patients who have not opted out.
Clearly colleagues will appreciate this is a difficult issue: all parties agree that there can be benefits to patients, and GPs, and the wider NHS, if patients are positively engaged with their health, and the information within their medical records can assist them in doing so. The 31 October 2023 deadline for implementing full prospective access to medical records was part of the imposed 2023/24 GP Contract, and this has continued to be a political priority.
However, as Data Controllers, a role that continues to be expected by NHS England, GPs have responsibility for the safe processing of health records. There is no single correct way in which this process must be undertaken: this means individual practices do need to decide their preferred approach. A practice DPIA enables GPs to describe both their assessment of the risks involved in the prospective access programme and also the mitigation that the practice puts in place to minimise such risks. It is important to note that practices can then justify their approach: the LMC will continue to update colleagues if significant incidents occur which mean a different approach to risk is required.
It is also important that all practices publicise the availability of prospective access to records to all patients, including the opportunity to opt-out, and also information that enhances the benefits of the process, for example, in terms of understanding what is written in the notes, and minimising risks, for example, in terms of preventing inappropriate access. This may be facilitated by the practice using a 104 code, until a review and decision by the practice takes place.
I hope this background is helpful; please contact the LMC Office with any queries not covered by the referenced information within this letter.
Dr Julius Parker, Chief Executive