Storage & Retention of Medical Records

PMP regularly receives queries from clients regarding the storage and retention of medical records, particularly concerning retaining a record once a patient has completed treatment. This fact sheet offers advice regarding your ethical obligations and appropriate retention periods for different categories of patients.

Storage of medical records

As a consultant in private practice, you are responsible for managing your private patients’ medical records. Such records are the individual doctor’s property, although patients have rights of access under the Data Protection Act 2018.

The General Medical Council states in “Good medical practice”:
You must keep records that contain personal information about patients, colleagues and others securely and in line with any data protection law requirements.

Medical records should be stored securely and kept confidential at all times, including during transfer between clinics/hospitals and when the consultant needs to send patient data to a secretary. They need to be protected against accidental loss, including corruption, damage or destruction.

GMC guidance “Confidentiality: good practice in handling patient information” states in para 128 and 129:
“If you are responsible for managing patient records or other patient information, you must make sure the records you are responsible for are made, stored, transferred, protected and disposed of in line with data protection law and other relevant laws. You should make use of professional expertise when selecting and developing systems to record, access, and send electronic data.

You must make sure any other records you are responsible for, including financial, management or human resources records, or records relating to complaints, are kept securely and are clear, accurate and up to date. You should make sure administrative information, such as names and addresses, can be accessed separately from clinical information so that sensitive information is not displayed automatically.”

Ensure that paper records are stored in a locked filing cabinet and that any computer systems holding patient records are access-controlled and secure. If the storage arrangements for paper files could put the security or integrity of the records at risk, the files should be carefully scanned and saved electronically, and the scanned copies checked for completeness and legibility, so that the hard copies can then be securely destroyed.

Any laptops or other portable or remote devices with access to patient records should be encrypted and otherwise fully secured. Administrative staff must be made fully aware of their obligations to keep records secure.

Data Protection

Patients have the right to request access to their records. Ensure that patients know what will happen to the data held about them and that they agree to its processing or disclosure.

Under the Data Protection Act 2018, organisations or independent practitioners no longer have to register with the Information Commissioner’s Office (ICO). However, they do have to pay a data protection fee. The fee is calculated on the number of staff employed and financial turnover.

The UK GDPR introduced a duty to report personal data breaches: for example, the loss of data or a breach of confidentiality must be reported to the ICO within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the individuals concerned. Personal data breaches may attract penalties.

Retention of medical records

There is no definitive guidance relating to the retention of private clinical records; the regulations that covered this (Schedule 3 of The Private and Voluntary Health Care (England) Regulations 2001) are no longer in force.

However, the GMC guidance “Confidentiality: good practice in handling patient information” states in para 130:
“The UK health departments publish guidance on how long health records should be kept and how they should be disposed of. You should follow the guidance, even if you do not work in the NHS.”

Therefore, it is advisable that consultants working in private practice follow NHS England “Records Management Code of Practice 2021” (the Code). This outlines the different retention periods that apply to different types of records.

Appendix II of the Code provides a detailed retention schedule. Where stipulated, this is intended to be read in conjunction with Appendix III – “how to deal with specific types of record”. Further guidance is provided on caveats and explanations for these retention periods. 

It is essential to note that this guidance sets out minimum retention periods.

If a consultant is aware of a complaint, adverse event or impending litigation, PMP advises clients to retain the relevant records. The Code advises that complaint files must always be kept separately from the patient file and retained for 10 years from the closure of the complaint, or of any related process such as litigation. It may therefore be appropriate to retain patient records for longer than the minimum retention period; in the case of litigation, it is much harder to mount an effective defence if records are missing.

Records form an important part of the evidence in inquiries. Before any records relating to inquiries are destroyed, the clinician must check with the inquiries team that they are no longer required. If there is any doubt whether certain records may be of use for an inquiry, they should be retained until clear instruction is issued by the relevant inquiry. For further details, please refer to Appendix I: public and statutory inquiries.

The consultant also needs to balance retention with the storage limitation principle of the Data Protection Act 2018 and UK GDPR, which the ICO summarises as follows:

  • “You must not keep personal data for longer than you need it.
  • You need to think about – and be able to justify – how long you keep personal data. This will depend on your purposes for holding the data.
  • You need a policy setting standard retention periods wherever possible to comply with documentation requirements.
  • You should also periodically review the data you hold and erase or anonymise it when you no longer need it.”

Disposal of records

Medical records that have reached their retention period should be reviewed to check whether destruction is appropriate. It is advisable to keep any patient records where there has been an adverse incident or complaint as detailed above. Ideally, a register of records destroyed should be maintained as proof that the record no longer exists.

Disposal of medical records should be carried out securely, ensuring that patient confidentiality is protected. Examples include cross-cut shredding, incineration or utilising a commercial company holding the necessary accreditations.

Simply deleting a computer-held record does not remove the data from the hard drive, and further copies may survive in backups, email attachments or cloud storage, so you may need to seek appropriate IT advice on secure erasure or on physical destruction of the storage media.

In conclusion

Adhering to the above best practice should assist in preventing or defending any complaints relating to the storage and retention of patients’ records.

If you have any queries or concerns surrounding the issues raised in this fact sheet, please do not hesitate to call the PMP medicolegal helpline. The PMP medicolegal helpline is available to customers 24/7. The contact details are in your policy documents, or you can access the helpline through the PMP WebApp.

Reviewed and updated June 2025

Originally published December 2021

This document does not constitute legal or medical advice and should not be construed as rules or establishing a standard of care. We recommend that you seek independent legal and/or professional advice in relation to your legal or medical obligations or rights. Premium Medical Protection Limited is the owner of this material and its contents are protected by copyright law ©2025. All such rights are reserved.
