Profile information Account settings
Logout
Sign up Sign in

What are the main rules applicable to retaining medical records?

The main rules in this area are the Records Management Code of Practice for Health and Social Care for England, the Records Management Code of Practice for Health and Social Care for Wales, and the Scottish Government Records Management: NHS Code Of Practice (Scotland). Guidance is also available from the British Medical Association. Further, data protection legislation like the GDPR, and the relevant time limits imposed by it, apply to the handling of medical information. 

How long can medical records be kept for?

How long medical records can be retained depends on the type of record in question. A brief summary of the standard, mandated retention periods is as follows:

Hard copy GP records 

Relevant retention periods depend on location:

  • in England and Wales, records can be retained for 10 years after a patient’s death

  • in Scotland, records can be retained for 3 years after death

Electronic patient record systems (EPRs)

EPRs are methods of storing medical records and notes electronically, rather than in paper form. Relevant retention periods for EPRs depend on location.

In England and Wales, EPRs should be:

  • retained for 10 years after a patient’s death if the EPR can destroy records and demonstrate this destruction (eg by keeping a log of the destruction)

  • if the EPR cannot destroy records and demonstrate this destruction, records should be made inaccessible and retained (along with an audit trail) for the retention period of the entry 

In Scotland, EPRs should be retained indefinitely.

Maternity records

Maternity records include all obstetric and midwifery records, including those which ended in stillbirth or where the child died at a later date.

Relevant retention periods depend on location:

  • in England and Wales, these records should be retained for 25 years after the birth of the last child

  • in Scotland, these records should be retained for 25 years after the birth of the last child or until the mother turns 50, whichever is longer

Records of children and young people

Relevant retention periods depend on location:

  • in England and Wales, these records should be retained until the patient’s 25th birthday; until the patient’s 26th birthday if they were 17 when their treatment concluded; or for 8 years after the patient’s death

  • in Scotland, these records should be retained until the patient’s 25th birthday; until the patient’s 26th birthday if an entry was made when they were 17; or for 3 years after the patient’s death

Mental health records (England and Wales only)

In England and Wales, retention periods for mental health records are 8 years after a patient’s death or 20 years.

Medical records for mentally disordered persons as defined by the Mental Health Act (Scotland only)

The Mental Health (Care and Treatment) (Scotland) Act 2003 defines a ‘mentally disordered person’ as someone with a mental illness, personality disorder, or learning disability. 

In Scotland, relevant retention periods are 20 years after the date of last contact between the patient and the relevant healthcare professional or, if the patient died while in the care of the organisation, 3 years after the patient’s death.

All other hospital records

For all other hospital records, other than specified care records (eg oncology records, Human Fertility and Embryology Authority (HFEA) records, or Creutzfeldt-Jakob disease records), the relevant retention periods depend on location:

  • in England and Wales - 8 years after the conclusion of treatment or the patient’s death

  • in Scotland - 6 years after the last entry or 3 years after the patient’s death

Paper vs digital records

The challenges of paper records

Many industries have either digitised their records or are in the process of doing so. The medical profession is moving in this direction. There are, however, significant challenges in digitising certain types of medical records, such as scan results. Losing even the smallest details obtained during the scanning process could have disastrous consequences, both medical and legal.

As a result, it can be advisable to hold on to at least some paper records, even if they have already been scanned. Obviously, this requires physical storage space. For practical purposes that is probably going to mean using an offsite storage provider. It’s advisable to choose that provider with great care.

When choosing an offsite storage provider, you’re going to need to be certain that they can maintain an appropriate level of security. Secondly, you need to consider the possibility that the data may need to be accessed again. This may be for medical reasons, legal reasons, or as the result of a subject access request. It will definitely need to be accessed at the end of the retention period to be moved on (eg destroyed).

The challenges of digital records

Digital medical records are a prime target for hackers. They are also vulnerable to cyber attacks, which aim to cause havoc rather than harvest data (eg the WannaCry attack of 2017). Added to all of this, they are vulnerable to damage to storage media and to general environmental hazards.

This means that all digital medical records should be protected with the highest standards of encryption and security. They should also be kept backed up at all times. Ideally, there should be both online and offline backups to cover all eventualities.

Which to choose?

Although there are pros and cons to both physical and digital records of patient data, there is certainly still room for both and keeping patient data safe can be achieved by either approach. Going digital will have more benefits long term with regard to sustainability and cost - you just need to get the security part right.

If your doctors’ practice or surgery is currently combating the task of adhering to data retention rules for medical records, there are safe and secure solutions to ensure you can destroy records safely without the private details of individuals getting into the wrong hands.

The complexity of medical records can come in the form of many different media types that contain sensitive information, from paper records to text messages, scans and images. Understanding which records to destroy, digitise, or store will enable the medical industry to work efficiently with the security of patient data at the forefront.

 

For more information on data protection and relevant retention periods, read Complying with the GDPR, Data protection, Data protection principles, and Data retention periods. Ask a lawyer if you have any questions or concerns. If you’re unsure whether your business is complying with the GDPR, consider using Rocket Lawyer’s Data protection compliance service.


Joe Muddiman
Joe Muddiman
General Manager at RADS Document Storage

RADS Document Storage have provided secure data management and document storage solutions to businesses throughout the UK for over 25 years.

Ask a lawyer

Get quick answers from lawyers, easily.
Characters remaining: 600
Rocket Lawyer On Call Solicitors

Try Rocket Lawyer FREE for 7 days

Start your Premium Membership now and get legal services you can trust at prices you can afford. You’ll get:

All the legal documents you need—customise, share, print & more

Unlimited electronic signatures with RocketSign®

Ask a lawyer questions* and get a response within one business day

Access to legal guides on 100s of topics

A 30-minute consultation with a lawyer about any new issue

33% off hourly rates or a fixed price if you need further legal help

*Subject to terms and conditions