How long you should retain your patient’s medical records is a frequently raised issue by independent practitioners. Dr Kathryn Leask gives advice and explains how to dispose of them responsibly.
Records have a number of important functions, from supporting clinical decision-making and continuity of care to providing evidence of what happened in the event of a complaint or claim.
But how do you decide when they have served their purpose and what should you do when that time comes?
There is no specific statutory provision covering the retention of private medical records. However, the GMC says: ‘The UK health departments publish guidance on how long health records should be kept and how they should be disposed of. You should follow the guidance, even if you do not work in the NHS.’
The most recent is the Records Management Code of Practice published in 2021 by NHSX covering NHS and social care records. It sets out the minimum retention periods for many key types of medical records, including:
Adult health records are usually retained for eight years;
Children’s records are retained until 25th birthday, or 26th if the patient was 17 when treatment ended;
GP records for deceased patients are usually retained for ten years after death;
GP records for patients who have deregistered and the reason is unknown are still to be retained for 100 years. This is under review;
Mental health records, including psychology records, are retained for 20 years after cessation of treatment or ten years after death;
Obstetrics, maternity, antenatal and postnatal records are to be retained for 25 years after care has ceased, but as they are also considered to be part of the child’s record, the longer retention period should be considered;
Records used in evidence in public inquiries must not be destroyed until guidance is issued by the relevant inquiry;
Complaints records must be kept separately from the patient file and retained for ten years from the closure of the complaint or any related processes such as litigation.
The code is a live document that is subject to amendments, so it makes sense to check the latest version on the NHS website rather than relying on a downloaded PDF version.
Practitioners in other parts of the UK should follow the Scottish Government Records Management Code of Practice for Health and Social Care (Scotland) 2020, the Welsh Records Management Code of Practice for Health and Social Care 2022 and the Good Management, Good Records – Disposal Schedule in Northern Ireland.
Bear in mind that the recommended retention periods are the minimum. It might be appropriate for records to be retained for longer if you are aware of an adverse incident or a complaint, so it is a good idea to review records before consigning them to the ‘destruction pile’.
The MDU regularly receives requests for assistance many years after the event in question and an absence of records can make it much harder to mount an effective defence against allegations.
At the same time, you should balance these medico-legal considerations against the requirements of the Data Protection Act 1998, which says you should not retain records for longer than necessary. If in doubt, seek advice from your medical defence organisation.
You might decide to archive paper records that are no longer in daily use until they are no longer needed. If so, they must be stored securely, protected from damp, and accessible should it be necessary to respond to a complaint or claim. It is important to keep a record of archived material and review it at regular intervals so it isn’t forgotten.
Be careful about storing records off-site: some self-storage may not be sufficiently secure or damp-proof and it could be difficult to find and retrieve a record if they have been stacked on shelves and not properly labelled.
Confidential record management companies may be a better option, but you should ensure they comply with data protection law and meet industry standards (ISO 27001:2013 – Information Security Management Systems).
If you are satisfied that records can be destroyed, this should be carried out in such a way that protects patient confidentiality and in accordance with national and local waste disposal requirements.
Documents which include identifiable patient information should be destroyed by cross-cut shredding or incineration. Do not simply throw out records with domestic waste, as they could later be found on landfill.
If you are outsourcing the destruction of records, use a licensed confidential waste disposal company and have a suitable written agreement with them.
This should acknowledge the records’ confidential nature and confirm the company will take all reasonable steps to protect that confidentiality. NHSX signposts organisations to guidance on information destruction which is available from the British Security Industry Association (BSIA).
We recommend that you talk to an IT professional about permanently destroying electronic records, as these may be difficult to delete entirely from a hard drive.
As above, be sure the company concerned is reputable and follows data protection law. The NHSX recommends checking providers are on the ISO Register. It also points users to the Information Commissioner’s Office guidance on deleting personal data, which covers putting information beyond use if it cannot be fully deleted.
Dr Kathryn Leask (right) is a medico-legal adviser with the Medical Defence Union (MDU)