Storage & Retention of Medical Records

Storage and Retention of Medical Records

PMP regularly receives queries from clients regarding the storage and retention of medical records, particularly concerning retaining a record once a patient has completed treatment. This fact sheet offers advice regarding your ethical obligations and appropriate retention periods for different categories of patients.

Storage of medical records

As a consultant in private practice, you are responsible for managing your private patient’s medical records. Such records are the individual doctor’s property, although patients have rights of access under the Data Protection Act 2018, as amended.

The General Medical Council states in “Good medical practice”:
“You must keep records that contain personal information about patients, colleagues and others securely and in line with any data protection law requirements.”

Medical records should be stored securely and kept confidential at all times, including during transfer between clinics/hospitals and when the consultant needs to send patient data to a secretary. They need to be protected against accidental loss, including corruption, damage or destruction.

GMC guidance “Confidentiality: good practice in handling patient information” states in para 128 and 129:
“If you are responsible for managing patient records or other patient information, you must make sure the records you are responsible for are made, stored, transferred, protected and disposed of in line with data protection law and other relevant laws. You should make use of professional expertise when selecting and developing systems to record, access, and send electronic data.

You must make sure any other records you are responsible for, including financial, management or human resources records, or records relating to complaints, are kept securely and are clear, accurate and up to date. You should make sure administrative information, such as names and addresses, can be accessed separately from clinical information so that sensitive information is not displayed automatically.”

Records include:

  • hand-written notes
  • computer-generated notes
  • copies of correspondence
  • test results
  • x-rays
  • photographs/images
  • video/audio recordings
  • consent forms
  • anaesthesia and operating notes
  • email or text communications.

Ensure that paper records are stored in a locked filing cabinet and any computer systems are appropriately confidential and secure. If storage arrangements for paper files might pose a risk to the security or integrity of the records, they should be scanned carefully and saved electronically so that the hard copies can be securely destroyed.

Any laptops or remote devices with access to patient records should be fully secure and encrypted. Administrative staff must be made fully aware of their obligations in keeping records secure.

Technology is not foolproof and regular back-ups should be made. It is advisable to consider keeping back-ups securely at a different site, eg, a bank.

Avoid carrying medical records in a car, such as when carrying out domiciliary visits.

Data Protection

Patients have the right to request access to their records. Ensure that patients know what will happen to the data held about them and that they agree to its processing or disclosure.

Under the Data Protection Act 2018, as amended organisations or independent practitioners no longer have to register with the Information Commissioner’s Office (ICO). However, they do have to pay a data protection fee. The fee is calculated on the number of staff employed and financial turnover.

The General Data Protection Regulation (GDPR) and the UK GDPR introduced a duty to report personal data breaches; for example, a loss of data or confidentiality breach should be reported within 72 hours. There may be penalties for personal data breaches.

Retention of medical records

There is no definitive guidance relating to the retention of private clinical records; the regulations that covered this (schedule 3 of The Private and Voluntary Health Care (England) Regulations 2001) are no longer in force.

However, the GMC guidance “Confidentiality: good practice in handling patient information” states in para 130:
“The UK health departments publish guidance on how long health records should be kept and how they should be disposed of. You should follow the guidance, even if you do not work in the NHS.”

Therefore, it is advisable that consultants working in private practice follow NHS England, “Records Management Code of Practice 2021” (the Code). This outlines the different retention periods that apply to different types of records.

Appendix II of the Code provides a detailed retention schedule. Where stipulated, this is intended to be read in conjunction with Appendix III – “how to deal with specific types of record”. Further guidance is provided on caveats and explanations for these retention periods. Below are the minimum retention periods for some medical records:

Type of Patient RecordRetention Period
Adult health records not covered by any other section in the schedule (includes medical illustration records, such as x-rays and scans as well as video and other formats. Also includes care plans)8 years after the patient was discharged or last seen.
Children and young peopleRetain until 25th birthday or 26 if the young person was 17 when treatment ended.
Electronic Patient Record Systems (EPR)“Where the system has the capacity to destroy records in line with the retention schedule, and where a metadata stub can remain, demonstrating the destruction, then the Code should be followed in the same way for digital as well as paper records with a log kept of destruction.

If the EPR does not have this capacity, then once records reach the end of their retention period, they should be made inaccessible to system users upon decommissioning. The system, along with the audit trails, should be retained for the retention period of the last entry related to the schedule.”
Cancer/oncology records – any patient30 years or 8 years after death.

“Retention for these records begins at diagnosis rather than the end of operational use. For clinical care reasons, these records must be retained longer in case of re-occurrence. Where the oncology record is part of the main records, then the entire record must be retained.”
Obstetric, maternity, antenatal and postnatal record25 years.

“For record-keeping purposes, these are considered to be as much the child’s record as the parent, so the longer retention period should be considered.”
Mental health records including psychology records20 years, or 10 years after death.

“Covers records made under the Mental Health Act (MHA) 1983 and 2007 amendments.

Records retained solely for any person who has been sectioned under MHA1983 must be considered for longer than 20 years where the case is ongoing, or the potential for recurrence is high, based on local clinical judgment. This applies to records of patients or service users, regardless of whether they have capacity or not.”

It is essential to note that this guidance sets out minimum retention periods.

If a consultant is aware of a complaint, adverse event or impending litigation, PMP advises clients to retain records. The Code advises that complaints files must always be kept separately from the patient file and retained for 10 years from the closure of the complaint, or any related processes such as litigation. Therefore, it may be appropriate to retain patient records for longer than the minimum retention period. In the case of litigation, it is much harder to provide an effective defence if records are missing. Please don’t hesitate to contact the PMP medicolegal helpline for further advice on this issue.

Records form an important part of the evidence in inquiries. Before any records relating to inquiries are destroyed, the clinician must check with the inquiries team that they are no longer required. If there is any doubt whether certain records may be of use for an inquiry, they should be retained until clear instruction is issued by the relevant inquiry. For further details please refer to Appendix I: public and statutory inquiries.

The consultant also needs to balance retention with the requirements of the Data Protection Act 2018, as amended and UK GDPR, which states:

  • “You must not keep personal data for longer than you need it.
  • You need to think about – and be able to justify – how long you keep personal data. This will depend on your purposes for holding the data.
  • You need a policy setting standard retention periods wherever possible to comply with documentation requirements.
  • You should also periodically review the data you hold and erase or anonymise it when you no longer need it.”

Disposal of records

Medical records that have reached their retention period should be reviewed to check whether destruction is appropriate. It is advisable to keep any patient records where there has been an adverse incident or complaint as detailed above. Ideally, a register of records destroyed should be maintained as proof the record no longer exists.

Disposal of medical records should be carried out securely, ensuring that patient confidentiality is protected. Examples include cross-cut shredding, incineration or utilising a commercial company holding the necessary accreditations.

Computer-held records may be difficult to delete entirely from a hard drive and you may need to seek appropriate IT advice.

In conclusion

Adhering to the above best practice should assist in preventing or defending any complaints relating to the storage and retention of patients’ records. If you have any queries or concerns surrounding the issues raised in this fact sheet, please do not hesitate to call the PMP medicolegal helpline. The helpline is open 24/7, contact details can be found on your policy documents or customer card.

Reviewed and updated June 2023

Originally published December 2021

This document does not constitute legal or medical advice and should not be construed as rules or establishing a standard of care. We recommend that you seek independent legal and/or professional advice in relation to your legal or medical obligations or rights. Premium Medical Protection Limited is the owner of this material and its contents are protected by copyright law © 2023. All such rights are reserved.

For more information regarding the hyperlinks referenced in this document, click here