skip to main content

Access to Health Records

All patients have the legal right to see or have a copy of their own Health Records.

Individuals who want to see a copy of the information an organisation holds about them can make a Subject Access Request (SAR).

The Trust has one month in which to complete Subject Access Request applications. There is now no charge for individuals or third parties unless there are exceptional circumstances.

In addition, relatives of deceased patients may be able to have access to the Health Records under the Access to Health Records Act 1990, providing they are able to provide proof of entitlement to act as the personal representative of the deceased or are making a claim arising from the patient's death. 

Under the General Data Protection Regulations (GDPR) now in force Article 15 gives an individual the right to obtain:

  • confirmation that their data is being processed
  • access to their personal data

Other supplementary information may be provided (e.g. information about the source and recipients of the data) will include, amongst other things, details of international transfers, other Data Subject rights, the right to lodge a complaint with the ICO and the envisaged retention period for the data.

Disclosure with consent

The Trust will not share or release records without consent and checks will be carried out to ascertain exactly what part of the record the consent applies to.

Disclosure without consent

Occasionally, there will be circumstances where the Trust will disclose a patient’s records without their consent (and, rarely, in the face of the patient’s clear objection to disclosure). There are three possible justifications for this:

  • If the Trust believes that a patient may be a victim of neglect or abuse, and that they lack capacity to consent to disclosure
  • If the Trust believes that it is in the wider public interest, or that it is necessary to protect the patient or someone else from the risk of death or serious harm
  • Disclosure is required by law – for example, in accordance with a statutory obligation, or to comply with a court order or a disclosure notice from the NHS Counter-Fraud Service

Access to a child or young person's health records

The Information Commissioner’s Office states that parents can make subject access requests on behalf of their children who are too young to make their own request. A young person aged 13 under General Data Protection Regulations (GDPR) in or above is generally considered mature enough to understand what a subject access request entails.

NB: In certain cases, the Trust may consider informing the other parent that an application for access has been made, so that they can seek their own advice.

Access to the medical records of an incapacitated patient

Healthcare professionals can disclose information from the records of an in capacitated patient (following the Mental Capacity Act 2005), either when it is in the patient’s best interests, or where there is some other lawful reason to do so. Disclosure would usually be related to the ongoing care of the patient.

Information should not be disclosed, if it is judged that doing so would cause serious mental or physical harm to the patient or anyone else.

An attorney (who is a person nominated by the patient) for the patient, acting as a Lasting Power of Attorney (LPA), can ask to see information about the person they are representing, provided that it is relevant to the decisions the attorney has a legal right to make. Before disclosing any information, the holder of the information should make sure that the attorney has the official authority.

Sharing information with other health professionals

Doctors, nurses, physiotherapists, midwives etc., have a professional and ethical duty to respect patients’ confidentiality and should only access records if they are involved in the patient’s care. This is on a ‘need-to-know’ basis.

Whilst it is assumed that patients generally consent to their personal information being shared among the clinical team for the purposes of their care, they should be made aware that this is the case and told that they have the right to withhold consent. Sometimes, patients may ask for certain – usually extremely sensitive – information to be kept private and you should respect this. However, in certain circumstances this information may need to be released if failure to disclose would place others at risk of death or serious harm.

A patient’s HIV, or similar, status should not be disclosed without the patient’s consent, as this does not normally fall within the “risk of death or serious harm” exception. For more information, see the GMC’s Confidentiality – Supplementary guidance: Disclosing information about serious communicable diseases.

Administrative staff

Non-clinical staff are increasingly required to access patients’ records for administrative purposes, and this raises serious concerns about preserving patient confidentiality. It is essential that all such staff be given training on confidentiality and record-security and that a confidentiality clause is included in their contracts. Their access to patient information should be restricted to what they need for carrying out their specific duties.

Access to a patient’s record after death

The duty of confidentiality remains after a patient has died. Under the Access to Health Records Act 1990, the personal representative of the deceased and people who may have a claim arising from the patient’s death are permitted access to the records. This applies to information provided after November 1991 and disclosure should be limited to that which is relevant to the claim in question.

The records may not be disclosed if it is thought that they may cause mental or physical harm to anyone, if they identify a third party or if the deceased gave the information on the understanding that it would remain private.


Under the GDPR a request can be made free of charge.  However, a “reasonable fee” will be charged for further copies of the same information and when a request is manifestly unfounded or excessive, particularly if it is repetitive. The fee will be based on the administrative cost of providing the information.

Time Limit

Under GDPR the Trust will ensure your request is provided without delay and at the latest within one month of receipt. The Trust will extend by a further two months where the request is complex or where there are numerous requests. If this is the case, the Trust will ensure the Data Subject is contacted within one month of the receipt of the request and explain why the extension is necessary.

The Right to Complain

The Trust will put in writing all refusals setting out the reasons and the right of the Data Subject to complain to the Information Commissioner’s Office (ICO).

Format of responses

Where the Data Subject makes a SAR by electronic means, and unless otherwise requested by the Data Subject, the information will be provided in a commonly used electronic format. The Trust before providing the information, the Subject Access team on behalf of the Data Controller will verify the identity of the person making the request using “reasonable means”.

NB: The Trust does not provide remote access to a secure self-service system which will provide you with direct access to your record.

Subject Access data portability (automated data only)

The Trust within reason will allow for personal data to be sent to the Data Subject in a structured, commonly used and machine-readable format. Under data portability the Data Subject may request for data to be transmitted to another Data Controller.

Forms for making Subject Access Requests, for patient representatives to make an application, or for making an application on behalf of a deceased patient can all be found by clicking here

If you wish to email the form to us please fill in the Word document version of the form.

If you wish to print the form and send this to us via the post please print the PDF version of the form and fill this in. 

If you need any further information the Health Records Team can be contacted via the information below.

Please send completed forms to - 

Subject Access Team, Health Records Department, James Paget University Hospitals NHS Foundation Trust, Lowestoft Road, Gorleston, Great Yarmouth, Norfolk. NR31 6LA

Or email: