Retention of Patient’s Dental Records
DENTAL BULLETIN, ISSUE 65
Over the last few weeks myself and Laura Pearce have been traveling around the UK lecturing on the General Data Protection Regulations and how they will affect dentists when they come into force on the 25th May 2018. In the general maelstrom of GDPR, one question that keeps being asked relates to the security and retention of patients’ clinical records.
– How long do I have to retain patient records for?
– In what circumstances should I delete patient records?
– What are the consequences if I get this wrong?
At present online guidance from the dental unions is out of date and our enquiries with the GDC proved fruitless.
In this dental bulletin we will look at the current legal guidelines and attempt to clear up any confusion in regards to to the retention of patient records.
Retaining NHS Records
Records created by NHS authorities, including NHS dentists fall within the scope of the Public Records Act 1958 and the Freedom of Information Act 2000. These impose a statutory duty of care directly on individuals who have direct responsibility for such records.
In January 2009 the Department of Health published a document entitled “Records Management, NHS Code of Practice, Part 2”. This document stated that NHS records can in certain circumstances be kept up to a maximum of 30 years. It also set out the minimum retention periods for which the various records created within the NHS should be retained. Under Appendix D1 it stated that community (i.e. non hospital) dental records should be retained for a minimum of 11 years for adults and for children 11 years or up to their 25th birthday, whichever is the longer. This is the guidance currently adopted by both the DDU and Dental Protection.
The Current Rules
However in July 2016 that guidance was withdrawn by the Information Governance Alliance on behalf of the Department of Health. The current rules relating to the retention of patients’ notes is in fact set out in the Records Management Code of Practice for Health and Social Care 2016.
These guidelines state that records should be created, controlled and processed in accordance with the purpose for which the data was originally obtained, i.e. for the purpose of providing dental treatment or care. Records should be retained “in line with NHS recommended Retention Schedule”. This states that general Dental Services records should be retained for a minimum period of 10 years from the date of discharge of the patient from the practice or when the patient was last seen. There is no 30 year recommendation. At the 10 year point, there should be an appraisal to determine whether the records should be retained for a further period or deleted.
Practices should have an internal policy regarding the appraisal, retention or destruction of patient records. No records should be automatically destroyed. However, a practice should consider the purpose for retaining the records, examples of this could be an ongoing legal case or that they are the subject of research. It is not appropriate to adopt a blanket “err on the side of caution” approach and retain all dental records ad infinitum.
What does the GDPR say about the length of time records should be retained?
Indeed Article 5 of the GDPR sets out the guiding principles relating to the processing of personal data (including medical records). Article 5(e) specifically states that data shall be:
– kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
GDPR is a cultural shift in the way in which personal data is retained and processed. This will extend to medical records, which should only be retained for the amount of time that is absolutely necessary. It is therefore difficult to see in what circumstance a dentist would be able to justify retaining records beyond the ten year period where no contact has been had with the patient in that time and there is nothing unusual about the patient’s clinical care.
The Information Governance Alliance on behalf of the Department of Health has stated that once the minimum period of ten years has expired from the patient’s last visit to the practice has expired “in most cases it will be appropriate to destroy records immediately”.
Keeping records in the event of a legal claim
If a dentist is aware of an ongoing legal case relating to the patient notes, then this would be a clear and compelling justification for retaining the records outside of the ten year minimum period.
Generally patients have 3 years from the date that they first became aware that they had suffered an injury to bring a claim for compensation against a dentist. There are limited circumstances in which this can be extended. However, bear in mind that patients who suffer from a “disability” resulting in an “unsound mind” have no such limitations. Dentists are therefore advised to retain patient records in these circumstances beyond the ten year minimum. The reason should be recorded in the practice appraisal.
Suggestions that patient notes should be retained forever on the basis that a legal claim might be forthcoming cannot be justified. GDPR requires the practice to weigh up the legitimate interests of the practice against the individual’s right to privacy in a more nuanced and considered way.
The Department of Health and GDC is alarmingly quiet regarding the retention of “private” patient records, so those that fall outside the NHS. Where private treatment is given within an NHS practice the NHS Code of Practice applies. A common sense approach should be taken to the retention of private patient’s records, and we would advise following the NHS guidance as best practice.
Paper records can be destroyed by incineration, pulping or shredding (using a cross cut shredder) under confidential conditions. Under no circumstances should domestic waste or rubbish tips be used for disposal. Keep a record of the method of destruction as well as the appraisal decisions. Companies providing this service should provide you with a certificate of destruction.
For digitally held records it is important to note that records that are “archived” are not considered to be deleted for the purposes of data protection laws. However, the ICO has indicated that under the Data Protection Act if information can be deleted from a live environment and is not readily accessible, then this will suffice for destruction of data under the Data Protection Act. It seems unlikely that this guidance will change under GDPR.
The ICO will be satisfied that information has been ‘put beyond use’, if not actually deleted, provided that the data controller holding it:
– is not able, or will not attempt, to use the personal data to inform any decision in respect of any individual or in a manner that affects the individual in any way;
– does not give any other organisation access to the personal data;
– surrounds the personal data with appropriate technical and organisational security; and
– commits to permanent deletion of the information if, or when, this becomes possible.
Practices should speak to their software providers to determine what processes they have in place to securely delete files from their systems.
Failure to process, retain and dispose of data in an appropriate will be a breach of the Data Protection Act 2018 when it comes into force. The ICO have considerable enforcement powers, and can impose significant fines for breaches (up to 4% of the annual turnover).
If you find this article interesting, please like, comment and share it!
Julia Furley, Senior Barrister