The function of records

The main purpose of a dental record is to provide a complete and accurate account of the patient's oral health and ongoing treatment, to support continuity of care and minimise the risk of an adverse incident. Records are an essential resource for the treating dental professional - no one's memory is infallible - and for others who might be involved in the care of the patient.

Good record-keeping is an ethical, contractual and regulatory obligation. In Standards for the Dental Team, the GDC expects all dental professionals to 'make and keep contemporaneous complete and accurate patient records' and inadequate record-keeping is regularly cited as evidence of poor performance in fitness to practise hearings.

Meanwhile, Part 13 of the model NHS dental contract requires that, 'The Contractor shall ensure that a full, accurate and contemporaneous record is kept in the patient record in respect of the care and treatment given to each patient under the Contract.'

The Care Quality Commission (CQC), which oversees dental providers in England, states: 'One of the fundamental criteria used to manage risk in a dental practice is keeping good quality clinical records'. CQC inspectors may want to review practice protocols for completing dental health records, and have powers to access dental records to check they are 'accurate, complete, legible, up to date, stored and shared appropriately.'

And finally, records have a valuable dento-legal purpose if a dental professional's standard of care is called into question. In the DDU's experience, a contemporaneous record of a thorough examination or consent discussion can provide valuable evidence when defending a member against allegations of clinical negligence. Conversely, if you are accused of negligence, inadequate records may make it difficult to successfully defend yourself.

What makes a good record?

There is no shortage of professional guidance available on record-keeping, such as the FGDP's reference guide and the GDC's Standards for the Dental Team. But to keep things simple, try thinking in terms of the 4 Cs.

1- Contemporaneous: make a record as soon as possible after a patient interaction.

2 - Clear: record your findings carefully (and legibly if not using a computer) so that they can be understood by anyone who may need to read and interpret them. For example, avoid abbreviations as far as possible and use one system of dental charting. It should be clear who made an entry and when.

3 - Complete: record as much detail as possible of all relevant aspects of a patient's appointment, including:

• medical history
• dental charting and BPE scores
• findings on examination including negative findings (eg no teeth tender to percussion)
• diagnosis
• discussions about treatment options and risks
• agreed treatment plan
• consent to treatment
• treatment given
• mishaps and complications.

As well as consultations, you should record telephone and email interactions with patients and any information relevant to their care, including radiographs, consent forms, photographs, models, audio or visual recordings of consultations, laboratory prescriptions, referral letters and test results. The exception is complaints correspondence, which should be kept separately because it is not directly relevant to the patient's clinical care.

4 - Concise: records should be just long enough to convey the essential information. Avoid superfluous personal comments that could backfire if someone else needs to access the record.

Storage and security

Making a record is only the start of your professional responsibilities. Whether records are held on paper or electronically, you also have an ethical obligation to uphold patients' rights by making sure records are appropriately stored, shared and disposed of.

The GDC says that 'you must make sure that patients' information is not revealed accidentally and that no-one has unauthorised access to it by storing it securely at all times. You must not leave records where they can be seen by other patients, unauthorised staff or members of the public'.

Dental practices are also bound by the Data Protection Act 2018 and General Data Protection Regulation (GDPR), both of which require organisations to have appropriate information security procedures to prevent the compromise of the personal data. These are likely to include:

• keep hard copies of records under lock and key
• implement IT security measures such as firewalls, virus protection and encryption. Seek professional advice if necessary
• arrange regular data protection training for staff. In NHS practices, staff should know the identity of their local data protection officer
• require all staff to have individual log-in profiles and strong passwords to prevent unauthorised access to patient data. Passwords should be regularly changed and password sharing should be banned
• ensure staff only have access to the information they need to do their job
• back up electronic records regularly to protect against file corruption or accidental loss. Back-ups should be held securely off-site in case of accidental loss
• have a signed written contract with all third-party suppliers, including IT contractors, which sets out your confidentiality requirements
• keep personal and professional computers and mobile devices entirely separate, to avoid confidentiality breaches.

How long should you keep records?

Current data protection law states that personal data should be retained for no longer than is necessary, but does not set limits.

The NHS General Dental Services contract requires the contractor to keep patient records for two years after a course of treatment has finished. However, the DDU recommends retaining NHS and private records for longer than this because of their value as evidence in the event of a claim.

In our experience, claims can be made many years after the patient was treated. For example, the Consumer Protection Act 1998 allows claims involving defective products to be brought up to 10 years after the event in question, and claims in contract up to six years.

We suggest as an absolute minimum, all patient records should be retained for 10 years after the last entry. At that stage, review the records carefully and decide to either destroy or keep them for longer if the reasons for doing so comply with your record keeping policy.

When you have decided that a set of records is no longer needed, they must be disposed of in a way that protects patient confidentiality. Shredding is generally appropriate for paper records but you should seek specialist IT advice when disposing of electronic records, as files can remain on a hard drive even after they have apparently been deleted.

Patients' rights

While clinical records remain the property of the practice, patients have the legal right to view their records and obtain copies. This is known as a subject access request (SAR). Your practice's privacy notice should give details of how patients can make a SAR, as well as setting out how their information will be processed and securely stored, your legal basis for doing so, and your policy on retention periods.

Under the GDPR, you aren't now allowed to charge patients for copies of their records, other than in exceptional cases where a request is 'manifestly unfounded, excessive or repetitive'. A request does not have to be in writing but it should be documented and you should respond promptly, in line with GDC Standards. You should verify the identity of anyone making a SAR.

Occasionally, patients may raise concerns about the content of their records or ask for corrections. Although the GDPR gives data subjects the right to correct information if it is factually inaccurate or incomplete (the right of rectification), clinical opinions might be another matter. 

The Information Commissioner's Office (ICO) says that, "As long as the record shows clearly that the information is an opinion and, where appropriate, whose opinion it is, it may be difficult to say that it is inaccurate and needs to be rectified." Any disagreement over factual matters can be noted, signed and dated in the record.

If a factual error has been made, score it through with a single line so the original text is still legible and write the correct entry alongside with the date, time and your signature. For computerised records, the software should be capable of producing a full audit trail of record creation and modification. However, it is important to make clear to anyone viewing the records that you have made an amendment and why you've done so.

Disclosing records

Most patients understand and expect that information will be shared within the direct care team, including administrative staff. However, the GDC still expects you to explain to patients the circumstances in which you may need to share information with others involved in their healthcare, such as when referring them to a specialist. You should give them the opportunity to say no and record whether or not consent has been given.

Practices also need to know how to respond to requests for information from other third parties such as relatives or solicitors. In most cases, you will need the patient's consent, ideally in writing, to release information.

For consent to be valid, the patient needs to know what information you will be releasing and why, who it will be released to, and the likely consequences. If a patient refuses consent, this should be respected, unless there is an overriding public interest (for example, with safeguarding concerns).

If an adult patient does not have capacity, you will need to decide whether releasing the information is in their best interests, in line with the Mental Capacity Act 2005. However, this can be a complex area and it is a good idea to seek specific advice from the DDU.

Parents can request access to their child's records, but bear in mind that you will still need to obtain consent from children with capacity and any child who has reached the age of consent, which is 16.

If the patient has died, anyone with a claim arising out of the death may be entitled to see the patient's dental records under the Access to Health Records Act 1990. Anyone else will need to obtain authority from an executor of the patient's will, their personal representative or their next of kin. That said, it is usually in the public interest to disclose dental chartings and radiographs promptly if it would help identify a deceased patient.

Some bodies have the statutory authority to request access to clinical records, although in some cases you might need to inform the patient and ask for their consent. These bodies include:

• primary care organisations or the NHS Business Services Authority (in England) Dental Practice Board (in Scotland), Central Services Agency (in Northern Ireland)
• healthcare regulators, such as the CQC, the Parliamentary and Health Service Ombudsman (PHSO), NHS Protect and accountable officers (controlled drugs)
• the police; disclosure is required under S172 of the Road Traffic Act 1988 and S38B of the Terrorism Act 2000, but otherwise officers must have a valid court order
• the coroner (or procurator fiscal in Scotland)
• tax inspectors may request any information or documents it is reasonable for them to have to help them in checking a taxpayer's position under the Finance Act 2008. Notice should be given in writing.

Again, contact the DDU if you are in any doubt about whether to disclose records to a third party.

If you do share records, you should document your reasons for doing so, whether consent has been sought/given and your justification for disclosing information in the absence of consent.

It is a good habit to document what happened during an appointment but it shouldn't become such a matter of routine that records are made on autopilot. Dental professionals should always be mindful of the fact that good quality records support their practice and make every effort to ensure their record-keeping is up to standard.