Retention of health records How long should patient medical records be kept retained? Here we set out tables of types of records and the length of time they should be kept according to national guidance on NHS records management.
Although this guidance refers to minimum periods for which records must be retained, there may be times when records need to be kept for longer.
Bear in mind that one of the key principles of the GDPR prohibits the retention of personal data for longer than is necessary.
Retention Of Health Records
Where the system has the capacity to destroy records in line with the retention schedule, and where a metadata stub can remain, demonstrating the destruction, then the Code should be followed in the same way for digital as well as paper records with a log kept of destruction. If the EPR does not have this capacity, then once records reach the end of their retention period, they should be made inaccessible to system users upon decommissioning. The system (along with the audit trails) should be retained for the retention period of the last entry related to the schedule.
When decommissioned retain in accessible format, including the Audit Trail, for a period to be determined by the Data Controller in consultation with Clinical Specialists.
Records should be maintained, deleted or “put beyond use” (in line with the ICO’s guidance “Deleting Personal Data”) in accordance with a regular (at least five years) risk assessment by the Data Controller (or Joint Data Controllers). The risk assessment should be formally recorded and measured against the extant Data Protection legislation and Codes of Practice and the need to ensure effective ongoing clinical care.
Electronic Health Record
Maternity records (including all obstetric and midwifery records, including those of episodes of maternity care that end in stillbirth or where the child later dies)
Retain until the patient's 25th birthday or 26th if young person was 17 at conclusion of treatment, or 8 years after death.
Until the patient's 25th birthday, or 26th if an entry was made when the young person was 17; or 3 years after death of the patient if sooner.
Healthcare Records Retention Chart
Or 3 years after the death of the patient if sooner and the patient died while in the care of the organisation.Sincetraveling around the UK lecturing on the General Data Protection Regulations and how they’re affecting dentists and dental patient records when they came into force on 25
In this dental bulletin we will look at the current legal guidelines before GDPR and attempt to clear up any confusion regarding the retention and value of dental patient records.
Records created by NHS authorities, including NHS dentists, fall within the scope of the Public Records Act 1958 and the Freedom of Information Act 2000. These impose a statutory duty of care directly on individuals who have direct responsibility for such records.
Claiming Compensation For Lost Or Missing Medical Records
In January 2009 the Department of Health published a document entitled “Records Management, NHS Code of Practice, Part 2”. This document stated that NHS records can in certain circumstances be kept up to a maximum of 30 years. It also set out the minimum retention periods for which the various records created within the NHS should be retained. Under Appendix D1 it stated that community (i.e. non hospital) dental records should be retained for a minimum of 11 years for adults and for children 11 years or up to their 25
However in July 2016 that guidance was withdrawn by the Information Governance Alliance on behalf of the Department of Health. The current rules relating to the retention of patients’ notes is in fact set out in the Records Management Code of Practice for Health and Social Care 2016.
These guidelines state that records should be created, controlled and processed in accordance with the purpose for which the data was originally obtained, i.e. for the purpose of providing dental treatment or care. Records should be retained “in line with NHS recommended Retention Schedule”. This states that general Dental Services records should be retained for a minimum period of 10 years from the date of discharge of the patient from the practice or when the patient was last seen. There is no 30 year recommendation. At the 10 year point, there should be an appraisal to determine whether the records should be retained for a further period or deleted.
Personal Records Retention: What Personal Records Should You Keep?
Practices should have an internal policy regarding the appraisal, retention or destruction of dental patient records. No records should be automatically destroyed. However, a practice should consider the purpose for retaining the records; examples of this could be an ongoing legal case or that they are the subject of research. It isn’t appropriate to adopt a blanket “err on the side of caution” approach and retain all dental records indefinitely.
Indeed Article 5 of the GDPR sets out the guiding principles relating to the processing of personal data (including medical records). Article 5(e) specifically states that data shall be:
– kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
How Long Do Nhs Records Have To Be Kept For?
GDPR is a cultural shift in the way in which personal data is retained and processed. This will extend to medical records, which should only be retained for the amount of time that is absolutely necessary. It is therefore difficult to see in what circumstance a dentist would be able to justify retaining records beyond the ten year period where no contact has been had with the patient in that time and there is nothing unusual about the patient’s clinical care.
The Information Governance Alliance on behalf of the Department of Health has stated that once the minimum period of ten years has expired from the patient’s last visit to the practice has expired “in most cases it will be appropriate to destroy records immediately”
If a dentist is aware of an ongoing legal case relating to the patient notes, then this would be a clear and compelling justification for retaining the records outside of the ten year minimum period, and the value of patient dental records during legal proceedings could potentially be huge.
Pdf) Validity And Reliability Of A Medical Record Review Method Identifying Transitional Patient Safety Incidents In Merged Primary And Secondary Care Patients' Records
Generally patients have 3 years from the date that they first became aware that they had suffered an injury to bring a claim for compensation against a dentist. There are limited circumstances in which this can be extended. However, bear in mind that patients who suffer from a “disability” resulting in an “unsound mind” have no such limitations. Dentists are therefore advised to retain dental patient records in these circumstances beyond the ten year minimum. The reason should be recorded in the practice appraisal.
Be forthcoming cannot be justified. GDPR requires the practice to weigh up the legitimate interests of the practice against the individual’s right to privacy in a more nuanced and considered way.
The Department of Health and GDC is alarmingly quiet regarding the retention of “private” patient records, ie. those that fall outside the NHS. Where private treatment is given within an NHS practice the NHS Code of Practice applies. A common sense approach should be taken to the retention of private patient’s records, and we would advise following the NHS guidance as best practice.
Independent Review Group On Retention Of Organs At Post Mortem: Final Report: Page 18
The value of patient dental records is not to be overlooked, and it is important that dentists take care of their paper and digital records. Paper records can be destroyed by incineration, pulping or shredding (using a cross cut shredder) under confidential conditions. Under no circumstances should domestic waste or rubbish tips be used for disposal. Keep a record of the method of destruction as well as the appraisal decisions. Companies providing this service should provide you with a certificate of destruction.
For digitally held dental records it is important to note that records that are “archived” are not considered to be deleted for the purposes of data protection laws. However, the ICO has indicated that under the Data Protection Act if information can be deleted from a live environment and is not readily accessible, then this will suffice for destruction of data under the Data Protection Act. It seems unlikely that this guidance will change under GDPR.
The ICO will be satisfied that information has been ‘put beyond use’, if not actually deleted, provided that the data controller holding it:
Our Record Keeping And Retention Schedule Policy
Practices should speak to their software providers to determine what processes they have in place to securely delete files from their systems.
Failure to process, retain and dispose of data in an appropriate method will be a breach of the Data Protection Act 2018 when it comes into force, as the value of patient dental records and patient personal data, especially in the wake of GDPR, is huge. The ICO have considerable enforcement powers, and can impose significant fines for breaches (up to 4% of the
