If someone wants to see their records, access can only be limited or denied if:
- it would be likely to cause serious harm to physical or mental health of the data subject or another individual – except for information of which the patient is already aware
- it gives information about a third party, other than healthcare professionals involved in the treatment, unless that other person consents, or it is reasonable in all the circumstances to disclose without the third party’s consent.
Practices might sometimes consider limiting access so that sensitive information isn’t disclosed. If you’re considering this, there must first be an assessment by the doctor responsible for the patient’s care. Make a record of this.
Once a practice has decided to offer online access to patients, it should only be refused with good reason.
