Giving a Patient Access to Medical Records: A Guide for Practices

Under the Data Protection Act of 1998, everyone has at least the right to make an application to view their medical history. When it comes to allowing a patient access to their medical records, there are a number of steps which need to be adhered to.

In short, the process needs the practice to:

  1. Receive a formal written request for medical record access from a patient
  2. Complete a data controlled checklist
  3. Decide whether or not access will be granted for the request in question
  4. Provide a patient with their information within a 21-day period

Handing a patient access to medical records doesn’t have to be a massive headache for a practice. By following this straightforward guide, you’ll have a much clearer idea of how to provide them their required information, without breaching any rules or regulations.


1. Receiving a written request

Naturally, for you to be able to act, a patient must first make a request to access the information they’re after. For them to do this, it’s best practice to make a request form easily attainable for them.

The form will need to possess a series of different information for the patient to fill out, including:

  • Their full name
  • Current address
  • Date of birth
  • NHS number
  • Contact number
  • Whether they’re applying for a copy of their documents, or just to view them
  • Patient signature

Once the request has been processed, it’s handed to the data controller of the practice in question. In some circumstances, patients can make a request without writing it formally. If this is the case, a note must be made on the patient record that the request was placed verbally.


2. Data controller carries out a check

Once the request is in the hand of the data controller of your practice, they will have to assess whether or not everything is in order and if it’s possible to proceed with the process. In order to determine this, a number of factors must be checked off by the controller. These include:

  • Patient request form – Has the form been filled in correctly? If there are any errors or missing sections, the request for medical info will probably be denied.
  • Patient ID – A patient will need to supply ID alongside their application to prove they are who they say they are. Without this confirmation, they won’t be able to access records.
  • Information relates to patient only – The info that’s being asked for must only pertain to the individual who’s made the request. If they want secondary information, they must make a different type of application.
  • Patient made aware of fees – Patients can’t access medical records for free. They will be charged a small fee in order to be handed them.
  • Whether the patient wants a copy or just to view their records – This will determine whether you’ll need to print out copies or just have them come in and view the records for themselves.

Sometimes, if a controller has doubts over whether or not to hand over the requested records, they can refer to a clinician. This will be the person who most recently attended to (or still attends to) the patient in question.

If there are more than one such clinicians for a patient, the controller must decide which one is more relevant to consult in regards to the type of information which is being applied for. From here, a decision will be made as to whether the access should be granted or not.


3. Grant or deny medical record request

At this point it’s down to the data controller to decide whether they can feasibly hand out the information which is being requested. This will be decided via a variety of factors, including:

  • Whether the release of the data in question would cause serious mental or physical harm to the condition of someone other than the individual asking for the records
  • If information about a third party (who has not consented to their info being released) is revealed by the records
  • If a clinician has information about their services revealed which are meant to be private
  • If there is a reasonable or justifiable reason for revealing the information without the consent of a third party

It’s understandable why there are such strict sanctions when it comes to releasing data to a patient. The information stored by practices is some of the most important to keep safe, owing to the delicate nature of the information in question.

As such, you’ll want to invest in a system which guarantees your data is stored in a safe, efficient and easy-to-access manner. For an elite service, you can get in touch with the PPL team.

If the grant for access is denied, a practice doesn’t have to give the patient a clear reason as to why. All they need to do is mark it down in their official records.


4. Getting back to the patient

Once the decision has been made, the patient should be informed as to whether or not they’ll be able to access the desired information. At this point the patient will be contacted and either asked to come in and view their records, or sent a copy.

Naturally, there will be varying fees for the different ways of giving a patient access to medical records.


  • Viewing record: £10, or free if the records have been updated within the previous few days
  • Getting a copy: This will depend on the method in which the data is stored:
    1. If held on a computer – £20 maximum
    2. If held by another form of media – £50 maximum
    3. If held by a combination of other medias and computers – £50 maximum

If your practice is unsure how to accurately and lawfully give a patient access to medical records, this guide should be of help. If you have any further data storage needs, feel free to get in touch with the Premier Patient Line team today.

Leave a Reply

Your email address will not be published. Required fields are marked *