Unless colleagues are involved in the direct care of a patient, or the administration of that care, there is no reason why they should be accessing any healthcare record. Accessing records for any other reason is unprofessional, a clear breach of patient confidentiality, and illegal.
Under the UK General Data Protection Regulations (UK GDPR) such unlawful access or disclosure of personal information is considered to be data theft and is a criminal act.
It is also a criminal offence, under the same legislation, for colleagues to access their own healthcare record held by the Trust. The Trust is the data controller and effectively “owns” this information, and accessing it without consent is illegal. If colleagues want to see their healthcare record, they should follow the same process as our patients, by putting in a data subject access request. The Information Commissioner’s Office (ICO) has the authority to take action against individuals who have committed such an offence under the UK GDPR, which may lead to a substantial fine and prosecution.
Patients trust us to look after and protect their sensitive information from unauthorised access. They are aware that various professionals will of course require access to their healthcare record to provide them with the best care possible, but do not expect their record to be accessed by colleagues who are not involved with their care.
Please think twice before accessing any records relating to patients’ care if you are not directly involved in delivering this care or its associated administration. As well as leading to disciplinary action internally, it could result in dismissal, or in being struck off your respective professional register. You may also find yourself facing a court case which could result in a hefty fine and a criminal record.
Auditing our IT systems
Access to all electronic Trust systems which hold patient information is audited. It is straightforward for our IT colleagues to see who has accessed a patient record. To protect patient confidentiality, regular audits of electronic records take place to identify anyone who may have accessed a patient record and then to determine if the access was legitimate or inappropriate.
An audit will show how many times the records were viewed, what was viewed and the dates and times they were viewed.
Read more about the importance of information governance on the Health Informatics Website.