Dental practices often receive requests to access dental records from people other than the patient.
One of the most common questions we are asked at JFH Law is whether a dental practice is obliged to disclose notes to officials, such as the police or social services. It is understandably hard to refuse to disclose patient notes to a police officer during the course of a missing person or criminal investigation. However, it is important to remember that data protection laws prevail and real consideration must be given to when and why notes are being disclosed.
Whilst GDPR is at the forefront of everyone’s minds right now, a practice also needs to consider professional duties of confidentiality, the common law duty to disclosure in the public interests and the rules contained within the Access to Health Records Act (1990).
In this article we clear up the confusion over who actually does has the right to access a patient’s records and in what circumstances, and how dental practices should respond to these requests?
Living Patient’s Records
If you receive a request from an external body, such as the police or social services, in respect of a living patient’s records, you must consider this carefully before disclosing anything. There is no automatic right to access, not even for the police.
Unless there is a specific court order for disclosure, you will need to consider whether the disclosure would be justified in the ‘public interest’. An example might be if either the patient or someone else was at risk of serious and imminent harm if the notes are not disclosed. You should try to seek informed consent first, but if this is not possible weigh up what is being requested against why it is needed to decide whether disclosure would be justified. Either way, make a clear record of why you have reached the decision you have reached, and why you believe it would be in the public interest to disclose any notes if you chose to do so.
GDPR would also apply in this situation. You could potentially rely on ‘protecting vital interests’ as the lawful basis for disclosing notes. However, this can only be relied on if you need to process personal data in order to protect someone’s life and they are not capable of giving consent. There are very few circumstances that this could be said to be the case for dental records.
If another dentist or health care professional requests the notes, then you will need to satisfy yourself that the patient has consented to disclosure to this third party, in accordance with GDPR and your professional duties of confidentiality. There is no such thing as “off the record” as such it is not lawful to send non-anonymised case records to other practitioners or specialists without the consent of the patient.
If the patient asks you for the records, whether in writing or verbally, but requests they be sent to another dentist then you must comply with this also. The only caveat is if you are concerned that the patient does not understand what the implications of the disclosure might be; you should explain what will be disclosed and check the patient is still happy to consent.
Deceased Patient’s Records
The duty of confidentiality extends beyond the death of a patient. This must be borne in mind when deciding if access to the records will be granted to anyone else. Ultimately, if the patient explicitly states whilst alive that they do not want their records disclosed on death, then this wish must be adhered to.
The Access to Health Records Act (1990) allows access to records to two defined categories, namely:
- The patient’s personal representative, namely the executor of the will or administrator of the estate;
- Any person who may have a claim arising out of the patient’s death.
You do not need to provide access to all of the dental records when requested by the above, only information that is relevant to any claim being pursued. This may require you to obtain from the requester more information as to why the request is being made so you can determine what information should be provided.
You may also receive a request to access the notes of a deceased patient from a coroner (or procurator fiscal in Scotland). As they have a legal obligation placed on them to investigate the death, you must provide them with access to the records.
You may also be asked by the police to provide certain information to help identify a body. In these circumstances disclosure would be justified as being in the public interests.
Remember GDPR applies only to living data subjects and so would not be relevant here.
Practical Tips
Whenever you receive a request you should:
- Make sure you understand what is being requested and why;
- Satisfy yourself that the person making the requests, is who they say they are;
- Train staff to ensure they understand GDPR and patient confidentiality and can identify when a request for information is being made;
- Don’t be bullied by officials, who claim to have a right to access, but are unable to identify the lawful basis for disclosure;
- Where applicable try to seek the patient’s consent to the disclosure first;
- Always consider the wishes of the patient, whether living or deceased;
- Make a clear note on the file of any decisions made and why.
If you have any questions about the content of this article please feel free to email Laura Pearce on This email address is being protected from spambots. You need JavaScript enabled to view it. or telephone 0207 388 1658.
Laura Pearce
Senior Solicitor
Image by vjohns1580 from Pixabay