Office opening hours: 8.30am to 5.30pm Monday to Friday. Offices closed on Bank Holidays.
Home Menu Search

Information Governance - Confidentiality after Death

Access to the Health Records of Deceased Patients

Note: Although the UK GDPR does not apply to data concerning deceased persons, the ethical obligation to respect a patient's confidentiality continues beyond death.

The Access to Health Records Act 1990 (AHRA) provides a small group of people with a statutory right to apply for access to the health records of a deceased person. These representatives are 'the patient's personal representative and any person who may have a claim arising out of the patient's death'. A personal representative is the executor or administrator of the deceased person's estate.

The personal representative is the only person who has a right of access to the record and need give no reason for applying for access. However, they should provide evidence of their identity.

There are occasions when individuals, who do not have a statutory right, may also request access.  In such cases, the general rules that apply to the disclosure of confidential patient information should be considered to determine whether a disclosure is appropriate and lawful.  Requests should be considered on a case by case basis.  A legal right of access under the Act is only allowable where those who do not have a statutory right can establish a claim arising from the patient's death. The decision as to whether a claim exists sits with the record holder. Where this is not clear, legal advice should be sought.

Record holders must be assured of the identity of applicants and, where an application is being made on the basis of a claim arising from  the deceased's death, applicants must provide evidence to support their claim.

A number of public bodies have authority to require the disclosure of health information and these include the Courts (i.e Coroners Court), legally constituted Public Inquiries and various Regulators and Commissions. In these cases, the common law obligation to confidentiality is overridden.

Applying for Access

Requests should be made in writing, contain enough information to enable the correct records to be identified and give details of the  applicant's right to access the records.  It is helpful if specific dates or parts of the record are requested. The release of a complete health record will need a stronger justification than an excerpt from a record.

Once the data controller has the relevant information and fee, the request should be complied with within 40 days or within 21 days where the record has been added to in the last 40 days.

Disclosure in the Absence of a Statutory Basis

Such disclosures should  be:

  • in the public interest;
  • proportionate;
  • judged on a case by case basis.

The public good must outweigh the obligation of confidentiality to the deceased individual and any other individuals referred to in a record. The data controller must consider any preference expressed by the deceased before their death to confidentiality and any potential for distress or harm to any living individual. The views of surviving family and the length of time after death should also be considered (the obligation of confidentiality is likely to diminish over time).Requests should demonstrate a strong legitimate purpose and, generally, a strong public interest justification as well as a legitimate relationship with the deceased.

It is good practice, when considering a request, to consult the Practice's Caldicott Guardian/Governance lead and, if there is any doubt or complexity, to seek legal/MDO advice.


Legislative changes to the Data Protection Act 2018 has also amended the Access to Health Records Act 1990, which now states that access to the records of deceased patients and any copies, must be provided free of charge.


If the deceased indicated during their lifetime that they did not wish information to be disclosed/remain confidential, then it should remain so  unless there is an overriding public interest in disclosing.

If the record holder considers that disclosure would cause serious harm to the physical or mental health of any other person, access may be denied.

Similarly, if disclosure would identify a third party who has not consented to the release of information, access may be denied.

Reference: Department of Health: 'Guidance for Access to Health Record Requests', BMA: 'Access to Health Records'

About this page...

Updated on Thursday, 22 April 2021 4754 views