Storage and Retention of Medical Records
PMP regularly receives queries from clients regarding the storage and retention of medical records, particularly concerning retaining a record once a patient has completed treatment. This article offers advice regarding your ethical obligations and appropriate retention periods for different categories of patients.
Storage of medical records
As a consultant in private practice, you are responsible for managing your private patients’ medical records. Such records are the individual doctor’s property, although patients have rights of access under the Data Protection Act 2018.
The General Medical Council states in “Good medical practice”:
“You must keep records that contain personal information about patients, colleagues and others securely and in line with any data protection law requirements.”
Medical records should be stored securely and kept confidential at all times, including during transfer between clinics/hospitals and when the consultant needs to send patient data to a secretary. They need to be protected against accidental loss, including corruption, damage or destruction.
GMC guidance “Confidentiality: good practice in handling patient information” states in para 128 and 129:
“If you are responsible for managing patient records or other patient information, you must make sure the records you are responsible for are made, stored, transferred, protected and disposed of in line with data protection law and other relevant laws. You should make use of professional expertise when selecting and developing systems to record, access, and send electronic data.
You must make sure any other records you are responsible for, including financial, management or human resources records, or records relating to complaints, are kept securely and are clear, accurate and up to date. You should make sure administrative information, such as names and addresses, can be accessed separately from clinical information so that sensitive information is not displayed automatically.”
- hand-written notes
- computer-generated notes
- copies of correspondence
- test results
- video/audio recordings
- consent forms
- anaesthesia and operating notes
- email or text communications.
Ensure that paper records are stored in a locked filing cabinet and any computer systems are appropriately confidential and secure. If storage arrangements for paper files might pose a risk to the security or integrity of the records, they should be scanned carefully and saved electronically so that the hard copies can be securely destroyed.
Any laptops or remote devices with access to patient records should be fully secure and encrypted. Administrative staff must be made fully aware of their obligations in keeping records secure.
Technology is not foolproof and regular back-ups should be made. It is advisable to consider keeping back-ups securely at a different site, eg, a bank.
Avoid carrying medical records in a car, such as when carrying out domiciliary visits.
Patients have the right to request access to their records. Ensure that patients know what will happen to the data held about them and that they agree to its processing or disclosure.
Under the Data Protection Act 2018, organisations or independent practitioners no longer have to register with the Information Commissioner’s Office (ICO). However, they do have to pay a data protection fee. The fee is calculated on the number of staff employed and financial turnover.
The General Data Protection Regulation (GDPR) introduces a duty to report personal data breaches; for example, a loss of data or confidentiality breach should be reported within 72 hours. There are penalties for personal data breaches.
Retention of medical records
There is no definitive guidance relating to the retention of private clinical records; the regulations that covered this (schedule 3 of The Private and Voluntary Health Care (England) Regulations 2001) are no longer in force.
However, the GMC guidance “Confidentiality: good practice in handling patient information” states in para 130:
“The UK health departments publish guidance on how long health records should be kept and how they should be disposed of. You should follow the guidance, even if you do not work in the NHS.”
Therefore, it is advisable that consultants working in private practice follow the NHSX “Records Management Code of Practice 2020. A guide to the management of healthcare records” (the Code). This outlines the different retention periods that apply to different types of records.
Appendix 11 of the Code provides a detailed retention schedule; below are the minimum retention periods for some medical records (for a full list, please see Appendix 11 on page 50).
| Type of Patient Record | Retention Period |
|---|---|
| Adult health records not covered by any other section in the schedule (includes medical illustration records, such as x-rays and scans as well as video and other formats. Also includes care plans) | 8 years after the patient was discharged or last seen. |
| Children and young people | Retain until 25th birthday or 26 if the young person was 17 when treatment ended. |
| Electronic Patient Record Systems (EPR) | “Where the system has the capacity to destroy records in line with the retention schedule, and where a metadata stub can remain, demonstrating the destruction, then the Code should be followed in the same way for electronic as well as paper records, with a log kept of destructions. If the EPR does not have this capacity, then once records reach the end of their retention period, they should be made inaccessible to system users upon decommissioning. The system (along with the audit trails) should be retained for the retention period of the last entry related to the schedule.” |
| Cancer/oncology records - any patient | 30 years or 8 years after death. |
| Obstetric, maternity, antenatal and postnatal record | 25 years. “For record-keeping purposes, these are considered to be as much the child’s record as the parent, so the longer retention period should be considered.” |
| Mental health records including psychology records | 20 years, or 8 years after death. “Covers records made under the Mental Health Act 1983 (and 2007 amendments)” |
It is essential to note that this guidance sets out minimum retention periods.
If a consultant is aware of a complaint, adverse event or impending litigation, PMP advises clients to retain records. The Code advises that such records be retained for 10 years after the case is closed. Therefore, it may be appropriate to retain patient records for longer than the minimum retention period. In the case of litigation, it is much harder to provide an effective defence if records are missing. Please don’t hesitate to contact the PMP medicolegal helpline for further advice on this issue.
- “You must not keep personal data for longer than you need it.
- You need to think about – and be able to justify – how long you keep personal data. This will depend on your purposes for holding the data.
- You need a policy setting standard retention periods wherever possible to comply with documentation requirements.
- You should also periodically review the data you hold and erase or anonymise it when you no longer need it.”
Disposal of records
Medical records that have reached the end of their retention period should be reviewed to check whether destruction is appropriate. It is advisable to keep any patient records where there has been an adverse incident or complaint, as detailed above. Ideally, a register of records destroyed should be maintained as proof that the record no longer exists.
Disposal of medical records should be carried out securely, ensuring that patient confidentiality is protected. Examples include cross-cut shredding, incineration or utilising a commercial company holding the necessary accreditations.
Computer-held records may be difficult to delete entirely from a hard drive and you may need to seek appropriate IT advice.
Adhering to the above best practice should assist in preventing or defending any complaints relating to the storage and retention of patients’ records. If you have any queries or concerns surrounding the issues raised in this article, please do not hesitate to call the PMP medicolegal helpline. The helpline is open 24/7; contact details can be found on your policy documents or customer card.