How to handle patient records correctly

9 September 2019

Patients have a legal right to challenge inaccuracies in their personal information, but practices have an overriding duty to safeguard the integrity of the records they hold, as the MDU’s Dr Ellie Mein explains.

Over the next few years, it’s likely that more patients will take the opportunity to access their medical records online. While most will only want to satisfy their curiosity, there will be those who are unhappy with what they find.

Under data protection law (the GDPR and Data Protection Act 2018), patients have the right to rectification if their personal information is factually inaccurate or incomplete. While practices will generally have procedures in place to manage Subject Access Requests (SARs), they also need to know how to respond appropriately if the patient objects to the content.

The Information Commissioner’s Office (ICO) addresses this point in its Guide to the GDPR [1] and its advice is summarised below:

  • Patients (or their representatives) can make a rectification request verbally or in writing to anyone in the practice.
  • A request should be considered valid as long as the individual has challenged the accuracy of their data and has asked you to correct it. There is no need for individuals to reference the GDPR.
  • Requests should be considered on a case-by-case basis – there should be no blanket policy.
  • It is good practice to have a policy for recording details of requests and to check you have understood them. The ICO recommends keeping a log of verbal requests.
  • You cannot charge a fee to comply with a request for rectification unless the request is manifestly unfounded or excessive, in which case it is possible to charge a ‘reasonable fee’ for the administrative costs. However, you must be able to justify your decision (it’s a good idea to seek advice from your MDO in these circumstances).
  • You must act upon the request without undue delay and at the latest within one month of receipt. This may be extended by a further two months when the request is complex.
  • You should restrict the processing of the personal data in question while verifying its accuracy.
  • If you refuse a request for rectification, you must explain why and tell the patient of their right to complain to the ICO.  
  • If inaccurate personal data has been disclosed to third parties, you must inform them of the rectification unless this is impossible or involves disproportionate effort. At the patient’s request, you must also inform them about any person or body who has received the information.

Safeguarding the integrity of patient records

After receiving a rectification request, the ICO expects you to ‘take reasonable steps to satisfy yourself that the data is accurate and to rectify the data if necessary’. This will depend on the nature of the information and what it will be used for, but you should take into account the arguments and evidence submitted by the patient and consider any steps you can take to verify information, such as cross-checking against other available records.

If a factual correction is necessary, such as a misspelt name or incorrect date of birth, it must be obvious who made the amendment and when (electronic record systems usually create an audit trail of record creation and modification). If the inaccuracy is in a paper record, it should be scored through with a single line so the original text is still legible and the correct entry written alongside with the date, time and the signature of the doctor making the amendment.

On the other hand, practices are not expected to alter a record simply because the patient finds it upsetting or disagrees with a documented clinical opinion. In its frequently asked questions section for small healthcare organisations [2], the ICO explains: ‘An initial diagnosis (or informed opinion) may prove to be incorrect after more extensive examination or further tests. Individuals may want the initial diagnosis to be deleted on the grounds that it was, or proved to be, inaccurate.

‘However, if the patient’s records accurately reflect the doctor’s diagnosis at the time, the records are not inaccurate because they accurately reflect a particular doctor’s opinion at a particular time. Moreover, the record of the doctor’s initial diagnosis may help those treating the patient later.’

While you cannot alter a record that is an accurate representation of the situation at the time the note was written, you can agree to make an additional note which records that the patient disagrees with the opinion.

Ultimately, it makes sense for practices to look into concerns raised by patients about their records. As well as helping to ensure that the record is accurate and complete, it may be an opportunity to address misunderstandings and improve communication.


[1] Right to rectification, The Guide to the GDPR, ICO, accessed 29 August 2019

[2] How do we deal with requests to have personal data rectified?, GDPR FAQs for small health sector bodies, ICO, accessed 29 August 2019