Information Governance - Confidentiality after Death
Access to the Health Records of Deceased Patients
Note: Although the UK GDPR does not apply to data concerning deceased persons, the ethical obligation to respect a patient's confidentiality continues beyond death.
The Access to Health Records Act 1990 (AHRA) provides a small group of people with a statutory right to apply for access to the health records of a deceased person. These representatives are 'the patient's personal representative and any person who may have a claim arising out of the patient's death'. A personal representative is the executor or administrator of the deceased person's estate.
The personal representative is the only person who has a right of access to the record and need give no reason for applying for access. However, they should provide evidence of their identity.
There are occasions when individuals, who do not have a statutory right, may also request access. In such cases, the general rules that apply to the disclosure of confidential patient information should be considered to determine whether a disclosure is appropriate and lawful. Requests should be considered on a case by case basis. A legal right of access under the Act is only allowable where those who do not have a statutory right can establish a claim arising from the patient's death. The decision as to whether a claim exists sits with the record holder. Where this is not clear, legal advice should be sought.
Record holders must be assured of the identity of applicants and, where an application is being made on the basis of a claim arising from the deceased's death, applicants must provide evidence to support their claim.
A number of public bodies have authority to require the disclosure of health information and these include the Courts (i.e Coroners Court), legally constituted Public Inquiries and various Regulators and Commissions. In these cases, the common law obligation to confidentiality is overridden.
Applying for Access
Requests should be made in writing, contain enough information to enable the correct records to be identified and give details of the applicant's right to access the records. It is helpful if specific dates or parts of the record are requested. The release of a complete health record will need a stronger justification than an excerpt from a record.
Once the data controller has the relevant information and fee, the request should be complied with within 40 days or within 21 days where the record has been added to in the last 40 days.
Disclosure in the Absence of a Statutory Basis
Such disclosures should be:
- in the public interest;
- judged on a case by case basis.
The public good must outweigh the obligation of confidentiality to the deceased individual and any other individuals referred to in a record. The data controller must consider any preference expressed by the deceased before their death to confidentiality and any potential for distress or harm to any living individual. The views of surviving family and the length of time after death should also be considered (the obligation of confidentiality is likely to diminish over time).Requests should demonstrate a strong legitimate purpose and, generally, a strong public interest justification as well as a legitimate relationship with the deceased.
It is good practice, when considering a request, to consult the Practice's Caldicott Guardian/Governance lead and, if there is any doubt or complexity, to seek legal/MDO advice.
Legislative changes to the Data Protection Act 2018 has also amended the Access to Health Records Act 1990, which now states that access to the records of deceased patients and any copies, must be provided free of charge.
If the deceased indicated during their lifetime that they did not wish information to be disclosed/remain confidential, then it should remain so unless there is an overriding public interest in disclosing.
If the record holder considers that disclosure would cause serious harm to the physical or mental health of any other person, access may be denied.
Similarly, if disclosure would identify a third party who has not consented to the release of information, access may be denied.
Reference: Department of Health: 'Guidance for Access to Health Record Requests', BMA: 'Access to Health Records'