Do patients have the right to request amendments to their health records but an organization has the right to either accept or deny the proposed change?

There is growing public awareness about the rights of patients to access their records and to request amendments to information which may be inaccurate or incomplete. The MDU regularly receives queries from GP members about whether a record should be amended at a patient’s request. Practices need to know their legal obligations in these situations. 

Awareness has increased since the enactment of the General Data Protection Regulation (GDPR) in 2018. More recently, government plans to share health records under the General Practice Data for Planning and Research project (GPDPR) may lead to more patients requesting access to their records and querying the contents.

Patient records support clinical decision-making and continuity of care, as well as having an important medico-legal purpose in the event of a complaint or claim. It is in the interests of GPs and patients to accurately document what took place during a consultation, including all relevant information, from history and differential diagnosis, to the patient's concerns and expressed wishes.

However, there will inevitably be instances where the record of a consultation or episode of treatment could be upsetting for a patient or where they disagree with a GP’s clinical opinions.

Managing requests for rectification

Patients have a right to correct inaccuracies in their records under Article 16 of the UK GDPR. It’s important to take reasonable steps to ensure the data in question is accurate and rectify it if necessary. The reasonable steps will depend on the circumstances but should include the arguments and evidence provided by the patient who is the data subject, or their representative

The Information Commissioner’s Office (ICO) addresses this in its Guide to the GDPR1 which is summarised below:

• Requests for rectification can be made verbally or in writing.
• Requests can be made to any part of an organisation rather than a specific person.
• A request should be considered valid as long as the individual has challenged the accuracy of their data and has asked you to correct it. There is no need for individuals to reference the GDPR.
• It is good practice to have a policy for recording details of requests and to check you have understood them. The ICO recommends keeping a log of verbal requests.
• You cannot charge a fee to comply with a request for rectification unless the request is manifestly unfounded or excessive when it is possible to charge a ‘reasonable fee’ for the administrative costs. There is no definition of what is meant by this. However, you must be able to justify your decision (it’s a good idea to seek advice from your MDO in these circumstances).
• You must act upon the request without undue delay and at the latest within one calendar month of receipt. This may be extended by a further two months when the request is complex but you must keep the requestor informed.

Amending medical records

Patients should be able to report factual inaccuracies or question the content of the records, but they do not have the right to alter their contents because they are upsetting or they disagree with them.

In its FAQs for small healthcare organisations,2 the ICO notes that the right of rectification does not mean that doctors are required to remove their clinical opinions.

It says: ‘An initial diagnosis (or informed opinion) may prove to be incorrect after more extensive examination or further tests. Individuals may want the initial diagnosis to be deleted on the grounds that it was, or proved to be, inaccurate. However, if the patient’s records accurately reflect the doctor’s diagnosis at the time, the records are not inaccurate, because they accurately reflect a particular doctor’s opinion at a particular time. Moreover, the record of the doctor’s initial diagnosis may help those treating the patient later.’

You should restrict processing personal data while you are verifying the record’s accuracy whether or not the patient has exercised his/her right to restrict processing.

You cannot alter a record that is an accurate representation of the situation at the time the note was written, however you can make an additional note to record that the patient disagrees with the opinion. See the case examples below.

If a factual correction is necessary, such as a misspelt name or incorrect date of birth, it must be obvious who made the amendment and when (computerised records usually create an audit trail).

Refusing requests

If you refuse a request for rectification, you must explain why to the patient and tell them of their right to complain to the practice and/or the ICO.

The ICO also recommends keeping a note, indicating that the patient challenges the accuracy of the information in the records and their reasons for doing so.

Ultimately, a patient's record should be complete and accurate to ensure they receive appropriate care.

If you have disclosed the personal data to others, such as secondary care, you should contact the recipients, if possible, to inform them of any amendments to the data.

Case examples

The following anonymised examples, which are based on MDU cases, are typical of the types of requests made to amend records.

Patient objects to working diagnosis
During a consultation with a young woman with pelvic pain, the GP discussed several potential diagnoses including pelvic inflammatory disease and chlamydia. Investigations were arranged and the patient was found to have endometriosis. 

At a later consultation the patient was unhappy to learn that the initial consultation entry included a potential diagnosis of sexually transmitted diseases (STD). The patient requested this information be removed from the record. The GP explained this was her working diagnosis which needed to be documented and ruled out.

The MDU advised that if information recorded was factually accurate and clinically relevant, then it should stay in the records. This is in line with the ICO’s advice and GMC guidance that clinical records should include relevant findings, decisions made and actions agreed, information given to patients and any investigations or treatment carried out (Good medical practice, paragraph 21). This is important for the patient’s ongoing care.

Given the patient’s concerns, the GP suggested an addendum could be added to the records. For example, stating the patient confirmed she was not suffering from a STD and did not think this diagnosis was likely.

Rudeness documented
A recently registered patient made a subject access request for the previous 10 years’ records. They were upset to see an entry from many years before which stated ‘the patient became rude and obnoxious’ when they were not sent for the imaging they requested.

The patient asked that this was removed because it was untrue as they clearly recalled the consultation.

The note was made by a GP at the patient’s previous practice. The MDU adviser explained it is not advisable to omit that part of the record because the patient doesn’t agree with it. However, the patient could approach the previous practice to raise their dissatisfaction with the GP concerned, if they are contactable. Alternatively, the new practice could add an addendum to the records with the patient’s account of events.

This example highlights the issue of subjective terms being used to describe patient behaviour. Unless the behaviour is clinically relevant, it is advisable not to document it in the medical record, so that it does not prejudice future care. This is the same principle under which complaint correspondence and statements about adverse incidents, unless relevant to ongoing provision of clinical care, are placed in a separate practice folder.

A letter in the wrong records
A patient made a subject access request. On reviewing their notes, they discovered a second page of a letter from a psychiatrist which clearly didn’t relate to them. It detailed several diagnoses which seemed to relate to another person, although there was nothing identifiable in the letter.

The practice apologised for the error and removed the page from the records as it was not clinically relevant to the patient’s care.

They were able to identify the correct patient after making contact with the psychiatrist who had signed the letter so the information could be correctly filed.

• Dr Ellie Mein is a medico-legal adviser at the MDU

References

1. ICO. Right to rectification, accessed 5 April 2018.
2. ICO. General Data Protection Regulation (GDPR) FAQs for small health sector bodies, accessed 5 April 2018.

Can individuals request to have an amendment made to their medical records?

Who has the right to request an amendment?

How are amendments handled in the EHR?

What is a patient required to do for a request to restrict the use or disclosure?