Storage and security
Making a record is only the start of your professional responsibilities. Whether records are held on paper or electronically, you also have an ethical obligation to uphold patients' rights by making sure records are appropriately stored, shared and disposed of.
The GDC says that 'you must make sure that patients' information is not revealed accidentally and that no-one has unauthorised access to it by storing it securely at all times. You must not leave records where they can be seen by other patients, unauthorised staff or members of the public'.
Dental practices are also bound by the Data Protection Act 2018 and General Data Protection Regulation (GDPR), both of which require organisations to have appropriate information security procedures to prevent the compromise of personal data. These are likely to include measures to:
- keep hard copies of records under lock and key
- implement IT security measures such as firewalls, virus protection and encryption. Seek professional advice if necessary
- arrange regular data protection training for staff. In NHS practices, staff should know the identity of their local data protection officer
- require all staff to have individual log-in profiles and strong passwords to prevent unauthorised access to patient data. Passwords should be regularly changed and password sharing should be banned
- ensure staff only have access to the information they need to do their job
- back up electronic records regularly to protect against file corruption or accidental loss. Back-ups should be held securely off-site in case of accidental loss
- have a signed written contract with all third-party suppliers, including IT contractors, which sets out your confidentiality requirements
- keep personal and professional computers and mobile devices entirely separate, to avoid confidentiality breaches.
How long should you keep records?
Current data protection law states that personal data should be retained for no longer than is necessary, but does not set limits.
The NHS General Dental Services contract requires the contractor to keep patient records for two years after a course of treatment has finished. However, the DDU recommends retaining NHS and private records for longer than this because of their value as evidence in the event of a claim.
In our experience, claims can be made many years after the patient was treated. For example, the Consumer Protection Act 1998 allows claims involving defective products to be brought up to 10 years after the event in question, and claims in contract up to six years.
We suggest that, as an absolute minimum, all patient records should be retained for 10 years after the last entry. At that stage, review the records carefully and decide whether to destroy them or keep them for longer, if the reasons for doing so comply with your record keeping policy.
When you have decided that a set of records is no longer needed, they must be disposed of in a way that protects patient confidentiality. Shredding is generally appropriate for paper records but you should seek specialist IT advice when disposing of electronic records, as files can remain on a hard drive even after they have apparently been deleted.
Records have a valuable dento-legal purpose if a dental professional's standard of care is called into question
While clinical records remain the property of the practice, patients have the legal right to view their records and obtain copies. This is known as a subject access request (SAR). Your practice's privacy notice should give details of how patients can make a SAR, as well as setting out how their information will be processed and securely stored, your legal basis for doing so, and your policy on retention periods.
Under the GDPR, you aren't now allowed to charge patients for copies of their records, other than in exceptional cases where a request is 'manifestly unfounded, excessive or repetitive'. A request does not have to be in writing but it should be documented and you should respond promptly, in line with GDC Standards. You should verify the identity of anyone making a SAR.
Occasionally, patients may raise concerns about the content of their records or ask for corrections. Although the GDPR gives data subjects the right to correct information if it is factually inaccurate or incomplete (the right of rectification), the Information Commissioner's Office (ICO) has clarified that this does not extend to clinical opinions, and there is no requirement to amend an entry because the patient dislikes what has been recorded. Any disagreement over factual matters can be noted, signed and dated in the record.
If a factual error has been made, score it through with a single line so the original text is still legible and write the correct entry alongside with the date, time and your signature. For computerised records, the software should be capable of producing a full audit trail of record creation and modification. However, it is important to make clear to anyone viewing the records that you have made an amendment and why you've done so.
Most patients understand and expect that information will be shared within the direct care team, including administrative staff. However, the GDC still expects you to explain to patients the circumstances in which you may need to share information with others involved in their healthcare, such as when referring them to a specialist. You should give them the opportunity to say no and record whether or not consent has been given.
Practices also need to know how to respond to requests for information from other third parties such as relatives or solicitors. In most cases, you will need the patient's consent, ideally in writing, to release information.
For consent to be valid, the patient needs to know what information you will be releasing and why, who it will be released to, and the likely consequences. If a patient refuses consent, this should be respected, unless there is an overriding public interest (for example, with safeguarding concerns).
If an adult patient does not have capacity, you will need to decide whether releasing the information is in their best interests, in line with the Mental Capacity Act 2005. However, this can be a complex area and it is a good idea to seek specific advice from the DDU.
Parents can request access to their child's records, but bear in mind that you will still need to obtain consent from children with capacity and any child who has reached the age of consent, which is 16.
If the patient has died, anyone with a claim arising out of the death may be entitled to see the patient's dental records under the Access to Health Records Act 1990. Anyone else will need to obtain authority from an executor of the patient's will, their personal representative or their next of kin. That said, it is usually in the public interest to disclose dental chartings and radiographs promptly if it would help identify a deceased patient.
Some bodies have the statutory authority to request access to clinical records, although in some cases you might need to inform the patient and ask for their consent. These bodies include:
- primary care organisations or the NHS Business Services Authority (in England), Dental Practice Board (in Scotland), Central Services Agency (in Northern Ireland)
- healthcare regulators, such as the CQC, the Parliamentary and Health Service Ombudsman (PHSO), NHS Protect and accountable officers (controlled drugs)
- the police; disclosure is required under S172 of the Road Traffic Act 1988 and S38B of the Terrorism Act 2000, but otherwise officers must have a valid court order
- the coroner (or procurator fiscal in Scotland)
- tax inspectors may request any information or documents it is reasonable for them to have to help them in checking a taxpayer's position under the Finance Act 2008. Notice should be given in writing.
Again, contact the DDU if you are in any doubt about whether to disclose records to a third party.
If you do share records, you should document your reasons for doing so, whether consent has been sought/given and your justification for disclosing information in the absence of consent.
It is a good habit to document what happened during an appointment but it shouldn't become such a matter of routine that records are made on autopilot. Dental professionals should always be mindful of the fact that good quality records support their practice and make every effort to ensure their record-keeping is up to standard.
Deputy head of the DDU
Leo Briggs qualified from University College Hospital, London, in 1989. He has worked extensively in the community dental service including a brief period overseas. He has also worked in general dental practice.
Leo gained a master's degree in periodontology from the Eastman in 1995 and is on the GDC specialist register for periodontics. From 1995 to 2017 he provided specialist periodontal treatment in both the salaried dental services and private practice. He started working for the DDU in 2005. Between 2007 and 2009 he worked part time at the DDU and part time as a clinical tutor at the School for Professionals Complementary to Dentistry in Portsmouth. In 2009 Leo went full time with the DDU. In January 2016 he became deputy head of the DDU.