
Introduction to medical record keeping


Medical records are essential for the delivery of high-quality healthcare. Medical records consist of information relating to the physical or mental health or condition of an individual made by a healthcare professional in connection with the care of that individual. A number of different healthcare providers may contribute to patient care, so an important purpose of any record is to assist in providing continuity of care.

The main purpose of the record is to provide an account of a patient’s contact with the healthcare system.

Records may be held electronically, manually, or a mixture of both.

Medical records are also used for other purposes, including administrative and managerial decision-making, clinical audit, and clinical research.

Why are medical records important?

Medical records, or health records, and the practice of good record keeping are essential to the provision of healthcare. Without them, it is impossible to diagnose and treat patients reliably. Health records may also be used as evidence in legal proceedings, as the GMC states:

"Medical records are made to support safe and effective care but they may be used for other purposes. [...] They may also be used as evidence in court."

 

Clear and detailed records are important in providing the factual base necessary for responding to complaints and claims and for producing legal and other reports, such as reports for an insurance company or at the request of the coroner. Poor records and a lack of clear documentation can make dealing with requests like this very difficult, especially if the request is made many years after the record was made.

Medical records include a wide variety of documents, for example:

  • Handwritten clinical notes
  • Computerised/electronic clinical records
  • Emails
  • Scanned records
  • Text messages (both outgoing from the NHS/professional and incoming from patients)
  • Correspondence between health professionals
  • Laboratory results
  • X-ray films and other imaging records
  • Photographs
  • Videos and audio recordings
  • Printouts from monitoring equipment, particularly in anaesthesia and obstetrics
  • Consent forms

What is in a medical record?

Good medical records should be legible and clear and contain the following information:

  • Relevant medical history
  • Examination and other relevant clinical findings – include important positives and negatives and details of objective measurements such as blood pressure.
  • Differential diagnosis
  • Investigations – details of any investigations requested.
  • Treatment – details of drugs, doses, amount prescribed, and any other treatment organised (include the batch number and expiry date of any medications personally administered).
  • Capacity and consent – details of the patient’s capacity to consent (or lack of) and their consent to proposed investigations, treatments or procedures. Details also of all treatment options discussed (including not receiving treatment), the benefits and risks of each option and any questions that the patient asked.
  • Referrals and follow-up – arrangements that have been made for follow-up tests, future appointments, and referrals.
  • ‘Safety-netting’ – advice given to the patient about when to seek more urgent review.

 

Patients have the right to access their medical records and so it is important that the record made is factual, objective and free from subjective comments about patients or their relatives.

 

If handwritten, good records must be understandable, and each entry should be legibly signed with the date and time.

Abbreviations should be avoided in medical records, as unconventional or unfamiliar abbreviations could lead to confusion. 

Medical records should be contemporaneous and made as soon as possible after a consultation to ensure accuracy and clarity. If information is provided by anyone other than the patient, this should be recorded, identifying the individual and the information provided.

Personal data in medical records

The General Data Protection Regulation (GDPR) and Data Protection Act 2018 (DPA) govern the processing of medical records in the UK, and anyone responsible for using personal data must follow the ‘data protection principles’.

The principles state that personal data must:

  • be processed lawfully, fairly and in a transparent manner
  • be processed for specified, explicit and legitimate purposes and not in any manner incompatible with those purposes
  • be adequate, relevant and limited to what is necessary in relation to the purposes
  • be accurate and up to date
  • not be kept for longer than is necessary
  • be secure

    More information on the GDPR and DPA is available in the following article: The General Data Protection Regulation (GDPR) and from the Information Commissioner's Office (ICO).

     

    The GDPR and DPA also set out a number of rights for individuals, including the right to:

    • be informed about how data is being used
    • access personal data
    • have incorrect data updated
    • have data erased
    • stop or restrict the processing of data (in some circumstances)
    • data portability (allowing reuse of data for different services)
    • object to how data is processed (in certain circumstances)

    Making changes to medical records

    Medical records should be accurate and up to date and should not be retrospectively amended without making clear when the amendments were made and why.

    In the event that records contain a factual error, the original entry should not be removed. Instead, a single line should run through the entry so it can still be read, and the correction should be added including a date and signature. Failure to do this could lead to allegations of dishonesty and attempting to pass amendments off as part of the original record. Amendments to electronic records can be tracked by audit trail and should be clearly marked on the record.

    Patients have the right to request the deletion of any factual errors in their record, but not the medical record as a whole.

     

    Patients have a legal right, under the GDPR, to ask for factual inaccuracies in the record to be rectified or deleted. They do not, however, have the right to ask for entries expressing professional opinions to be changed. Such a request should only be complied with if the healthcare professional is satisfied that the request is valid and that the entry is indeed factually inaccurate. If it is decided that a correction is not warranted, the medical records should be annotated with the patient’s view.

    If it is agreed that the request is valid, a signed and dated supplementary note to correct the inaccuracy should be made, and it should also be made clear that the correction is being made at the patient’s request. It is best to avoid deleting the original entry, especially if some time has passed as clinical decisions may have been based on the information. If the patient demands nothing less than deletion, then this may be done in exceptional cases; a record of the deletion should be made, stating that the entry was inaccurate and removed at the patient's or another’s request.

    For more information on best practices in altering medical records, please see the following article: When a patient wants to amend their medical records.

    Keeping records secure

    Records that contain personal information about patients must be treated confidentially and kept securely, in line with professional, ethical and legal responsibilities. Healthcare employees will usually find a confidentiality clause in their contract; there is also a common-law duty to preserve professional confidence. There are requirements under the GDPR to keep personal data, including medical records, secure, and it is a condition of registration with a medical regulator such as the General Medical Council (GMC) to respect patient confidentiality.

    Confidential records should not be left where other people may have casual access to them and information about patients should be sent under private and confidential cover, with appropriate measures to ensure that they do not go astray.


    The duty of confidentiality goes beyond undertaking not to divulge confidential information; it includes a responsibility to make sure that written patient information is kept securely.

    Confidentiality is not absolute, and there are some situations where disclosure of medical records can be made; these include disclosure within the healthcare team and disclosure with the patient’s consent.

    Disclosure without the patient’s consent may also be made in some cases, for example:

    • If required by the law
    • If it is in the public interest

    For more information, please see our article on Confidentiality.

    Access to health records

    The GDPR and DPA give patients a right of access to their medical records. A request made by a patient to access their records in this way is commonly referred to as a subject access request (SAR). Patients can make a SAR verbally or in writing, and a third party can also make a SAR on behalf of another person. When a request is made by a third party, the third party should provide evidence that the patient has consented to the disclosure.

    In most circumstances, a fee cannot be charged to process a request. The request should be processed and the records provided within one month, although the time limit may be extended if the request is complex.

    There are some exemptions, including:

    • that the request is manifestly unfounded or excessive;
    • that providing access to the information about an individual’s physical or mental health or condition would be likely to cause serious harm to them or to another person’s physical or mental health or condition;
    • disclosure would provide information about another person or identify another person as a source of the information (excluding another healthcare worker) unless that other person consents or it is reasonable in the circumstances to supply the information without their consent.

    Access to medical records requires patients or their representatives to submit a subject access request (SAR).

     

    The Information Commissioner's Office (ICO) provides detailed guidance on dealing with subject access requests.

    After death, the Access to Health Records Act 1990 and the Access to Health Records (Northern Ireland) Order 1993 permit the personal representative of the deceased and anyone who may have a claim arising from the patient’s death to access the medical records. The records should not be disclosed if they may cause physical or mental harm to anyone, if they identify a third party (excluding a healthcare professional) or if the deceased gave the information on the understanding that it would remain private.

    A competent child has the right to make their own application for disclosure under the DPA, and accordingly any application by a parent (or any other party) at this point can only be with the child’s consent.

    Prior to the child becoming competent, someone with parental responsibility can exercise the right on the child’s behalf, as long as it is in the child’s best interests. For more information, please see Parental responsibility (medicalprotection.org).

    Storage and retention of medical records

    It is advisable to be familiar with the confidentiality, data protection, and record management policies and procedures at your workplace and know where to get advice on these issues. This includes policies on the use of laptops and mobile devices.

    If personally responsible for managing patient records or other patient information, it is essential to ensure familiarity with the requirements of the GDPR and ensure that the records are made, stored, transferred, protected, and disposed of in accordance with the DPA and GDPR. It is advisable to use professional expertise when selecting and developing systems to record, access, and send electronic data. Please refer to the Information Commissioner's Office (ICO) for more information.

    The UK health departments publish guidance on how long health records should be kept and how they should be disposed of, and this guidance should be followed even if you do not work in the NHS. Minimum retention periods are given for different types of records. Records should not be kept for longer than necessary.

    Improper disclosure and data breach

    A personal data breach is a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. It may be accidental or deliberate. Where a data breach is likely to “result in a risk to the rights and freedoms of individuals”, it must be notified to the ICO as soon as possible and within 72 hours of first having become aware of the breach.

    The Information Commissioner can impose a Civil Monetary Penalty for contravention of the DPA in a deliberate or reckless way, or of a kind likely to cause substantial distress or damage to an individual. Failure to notify a breach can also result in a significant fine.

    Improper or inadvertent disclosure may also lead to an investigation by the relevant healthcare regulator and may result in disciplinary action by an employer.

    It is important to be familiar with your responsibilities in the event of a breach and deal with the breach in accordance with the GDPR or inform your employer of a breach or potential breach as soon as possible in order that they can take the necessary steps.

    More information on data breach is available in the following article: The General Data Protection Regulation (GDPR) (medicalprotection.org) and from the Information Commissioner's Office (ICO).
