General Note
NHS Fife acknowledges and agrees with the importance of regular and timely review of policy statements and aims to review policies within the timescales set out. New policies will be subject to a review date of no more than 1 year from the date of first issue.
Reviewed policies will have a review date set that is relevant to the content (advised by the author) but will be no longer than 3 years.
If a policy is past its review date, then the content will remain extant until such time as the policy review is complete and the new version published, or if national policy or legislative changes are made.
1. FUNCTION
1.1 A health record is a document (in any format including paper and electronic) which is created or received by an organisation or person in the transaction of clinical activities, and which is maintained as evidence of these. The authenticity and reliability of records depends on them being created and handled in a properly managed and documented record-keeping system.
1.2 NHS Fife is dependent on its records to operate efficiently and account for its actions. This policy defines a structure for NHS Fife to ensure adequate records are maintained and they are managed and controlled effectively.
1.3 This document aims to set out the policy to be adhered to in relation to health records management within NHS Fife to ensure that health records are:
- properly controlled
- readily accessible and available for use, and eventually archived or otherwise disposed of
1.3.1 Taking into consideration:
- access, storage & retrieval
- retention & destruction schedules
- confidentiality
2. LOCATION
2.1 This policy is NHS Fife wide.
3. RESPONSIBILITY
3.1 NHS Fife Health Board
3.1.1 The Board is responsible for ensuring that it corporately meets its legal responsibilities, and for the adoption of internal and external governance requirements.
3.2 Data Controller
3.2.1 NHS Fife Chief Executive has overall accountability for ensuring that health records management operates correctly/legally within the Board. Responsibility may be delegated for management and organisation of health records services to the Medical Director and Director of Health and Social Care who are responsible for ensuring appropriate mechanisms are in place to support service delivery and continuity. Health records management is key to this, as it will ensure appropriate and accurate information is available as required.
3.3 Caldicott Guardians
3.3.1 Caldicott Guardians are senior clinical managers of the Board responsible for protecting the confidentiality, privacy and fairness of patients and service-user information and enabling appropriate information-sharing.
3.3.2 Caldicott Guardians oversee that all procedures affecting access to person-identifiable health data are appropriate from the medical perspective.
3.3.4 NHS Fife has appointed three Caldicott Guardians as follows:
- Corporate Caldicott Guardian (Medical Director)
- Acute Services Caldicott Guardian (Associate Medical Director for Acute Services)
- Health & Social Care Partnership (HSCP) Caldicott Guardian (Associate Medical Director for Integrated Joint Services)
3.3.5 The Board’s Caldicott Guardians have a particular responsibility for reflecting patients’ interests regarding the use of patient identifiable information.
3.3.6 The Caldicott Guardians have responsibility for:
- ensuring the Board is fulfilling all legal obligations in managing patients’ health records
- agreeing and reviewing internal protocols governing the protection and use of patient identifiable information by Board staff
- agreeing and reviewing protocols governing the disclosure of patient information across organisational boundaries, e.g. with social services and other partner organisations, contributing to the local provision of care
- contributing to the Board’s security and confidentiality policies
3.3.7 The Caldicott Guardian must be a key member of the broader Information Governance function with support staff, Caldicott or Information Governance leads e.g. Data Protection Officer, Freedom of Information leads, Health Records Manager and IT Security staff contributing to the work as required.
3.4 Information Governance and Security Steering Group (IGSSG)
3.4.1 Information Governance refers to the structures, policies (including this document) and practice of the NHS and its suppliers to ensure the confidentiality, availability and integrity of all records, and especially patient records, and to enable the ethical and safe use of them for the benefit of individual patients and the public good.
3.4.2 The purpose of the IGSSG is to provide assurance that information governance mechanisms are in place and effective throughout the whole of Fife NHS Board’s responsibilities, including appropriate and secure management of all types of personal and confidential data and the quality of data used by the Board.
3.4.3 The IGSSG must have representation from the key areas of the organisation owning or using information; key partners with whom NHS Fife systematically shares information should also be invited (e.g. Fife Council, Police Scotland and voluntary sector umbrella organisations).
3.4.4 It is also the responsibility of the IGSSG to provide strategic direction and support for the Information Security Management System (ISMS) across the organisation in accordance with business requirements and relevant laws and regulations.
3.4.5 The NHSS Information Security Policy Framework 2015/17 establishes the need for the Board to expand the scope of the ISMS to cover the wider NHS in Fife.
3.5 Designated Officer
3.5.1 The designated officers (Divisional Head of Health Records, Mental Health and Learning Disabilities Administration Lead and Health & Social Care Partnership Leads) are suitably trained in health records practices. These officers have professional responsibility for the overall development and maintenance of health records management practices throughout the Board and for ensuring that related policies and procedures conform to the latest legislation and standards on data protection, patient confidentiality and health records practice.
3.5.2 All designated officers will have a designated member of staff who will manage the records on their behalf.
3.5.3 These officers are also accountable for the release of all patient clinical information for data subject access and medico-legal purposes. This release may be provided by nominated representatives.
3.6 Staff Responsibility for Record Keeping
3.6.1 All employees of NHS Fife who have access to patient health records whether creating, updating or storing, must comply with GP/D3 Information Governance and Data Protection Policy. This responsibility is established and defined within the Public Records (Scotland) Act 2011.
3.6.2 It is essential all staff adhere to the guidance outlined in the above mentioned policies. Failure to safeguard patient health records may lead to breaches of these policies, which may result in disciplinary measures for the employee and may also render the organisation liable for prosecution.
4. OPERATIONAL SYSTEM
4.1 An efficient records management system safeguards all records, whilst maximizing available storage and resources. It ensures compliance with legislation and reduces the risk of legal challenge and financial loss.
4.2 All health records created are considered to be public records under the Public Records Acts and must be kept in accordance with the following statutory and NHS guidelines:
- Data Protection Act 2018
- General Data Protection Regulation (GDPR) 2018
- Networks and Information Systems (NIS) Regulations 2018
- Public Records (Scotland) Act 2011
- Medical Reports Act 1988
- The Computer Misuse Act 1990
- Access to Health Records Act 1990
- Human Rights Act 2000
- Scottish Government Records Management, Health & Social Care Code of Practice (Scotland) 2020
- Quality Improvement Scotland - Standards for Record Keeping
- Information Governance Standards
- National eHealth Strategy
- Caldicott Review of Patient Identifiable information, 2013
- Information Governance Records Management Guidance notes 1-9 27/08/2010
4.3 CLASSIFICATION OF RECORDS
4.3.1 Patient Health Record
4.3.1.1 A patient health record is a record created by or on the advice of a health professional relating directly to the physical or mental health of an identifiable individual and details the individual’s medical history, clinical findings, treatment and care, diagnostic test results, pre and post operative care, progress made and any medication prescribed (see Appendix 1 for definition of a 'health professional').
4.3.2 Health Record
4.3.2.1 A patient health record may include:
- multiple specialities, but exclude GP attendances – these will be detailed in the GP record
- X-ray and imaging reports, output and images
- photographs, slides, and other images
- microform (i.e. fiche/film)
- audio and video tapes, cassettes and digital files
This list is not exhaustive.
4.3.2.2 Not included are copies of documents created by other organisations such as the Scottish Government Health Directorates and predecessors, kept for reference and information only.
4.3.2.3 This policy sets out the best practice for NHS Fife in creating, using, retaining and disposing of health records. It applies to records in all formats, of all types and in all locations.
4.4 AIMS OF HEALTH RECORDS MANAGEMENT SYSTEMS
4.4.1 Health Records Management Systems ensure that procedures are in place to bring together the health professionals and accurate, relevant, reliable patient documentation at the correct time and place to support patient care. To achieve this, all NHS Scotland employees should fulfil statutory and other legal requirements, ensuring patient safety and safe custody and confidentiality of patient information at all times.
4.4.2 Aims:
- to make health records readily available when needed - for continuation of care for the patient
- to ensure health records are accessible – so they can be easily found via the correct tracking location (for paper case notes) or via the relevant electronic system
- to ensure health care records can be easily interpreted – so the correct treatment/actions can be taken by the clinician / person responsible for the patient’s care
- to ensure health records contain factual information regarding the patient’s attendance/treatment - no entries should be deleted. In the event of any recording errors, a notation should be added below the error
- to ensure health records are securely stored - to prevent unauthorised access and inadvertent alteration and erasure. All health records should be tracked to their current location, either electronically or by use of tracer cards, to ensure the audit trail is accurate and tracks all movements of the health record.
- to ensure health records are retained and disposed of appropriately using consistent documented retention and disposal procedures, which include provision of appraisal and permanent preservation for health records with archival value
- to train staff adequately - so they are aware of the importance of compliance with legislation when handling patient information and health records and so they understand the contents of the health record and the multiple use of the health record.
For example:
- support patient care and continuity of care
- support evidence based practice
- support epidemiology
- meet legal and regulatory requirements
- assist medical and other audits
- support improvements in clinical effectiveness through research
4.5 HEALTH RECORDS LIFE CYCLE PROCESS
4.5.1 Health records are confidential documents and should be clearly identifiable, accessible and retrievable. They should be authentic, meaningful, authoritative, and adequate for their purpose and correctly reflect what was communicated, decided or done. They should be unalterable and after an action has occurred nothing from the health record should be deleted or altered. Information added to an existing hard copy health record should be signed and dated. Health records systems should be secure, and their creation, management, storage, transport and disposal should comply with current legislation.
4.5.2 Creation
4.5.2.1 A comprehensive health record is created and maintained for every patient attending health services to provide an up to date and chronological account of the patient’s care.
4.5.2.2 Patient demographic data for each registration should be recorded on the master patient index of the patient administration or departmental patient management system. The minimum patient demographic data should include surname, forename, sex, date of birth, home address, postcode, Community Health Index (CHI) number and departmental number.
4.5.2.3 NHS Fife should use the CHI number as the primary patient identifier.
4.5.2.4 Where there is more than one local identifier or case record per patient, a system should be in place to ensure that the existence of all other health records is known at all times by the relevant department.
4.5.2.5 Paper health records have a standard case record folder constructed of robust material to withstand handling and transport and with secure anchorage points to prevent loss or damage to documents. There should be no inside pockets or flaps as these can lead to misfiling or loss of documents.
4.5.2.6 There are methods for indicating alert or risk factors which are used consistently in all health records, with a designated place for healthcare professionals to record actual or suspected clinical alerts and hazards which are signed and dated.
4.5.2.7 There may be an indicator e.g. Power of Attorney on the outside of the folder but the confidential detail should be placed inside the folder.
4.5.2.8 There is a locally agreed format for filing of information within the health record which facilitates ease of access to all clinical information. Clear instructions regarding the order of filing should be contained within the folder or printed on the divider(s). Documents should be viewable in chronological order reflecting the continuum of patient care.
4.5.2.9 Machine generated reports and recordings, e.g. CTG, ECG and laboratory reports, are securely stored using a method that will minimise deterioration.
4.5.2.10 There are documented procedures for the management of access to electronic health records, where all electronic health record information systems comply with the GP/P2 Password policy.
4.5.3 Storage
4.5.3.1 Health records storage areas should provide a safe working environment with secure storage that allows health records to be retrieved at all times. These areas should only be accessible to authorised Administrative or Clinical staff.
4.5.3.2 Regular risk assessments should be undertaken in line with the organisation’s risk management strategy to ensure areas are safe for purpose:
4.5.3.3 Racking for storage of health records is stable, of strong enough construction to support the weight of health records and complies with current health and safety regulations.
4.5.3.4 There are safety step ladders and safety stools appropriate to the number of staff employed/size and use of the health records storage area.
4.5.3.5 There is a documented protocol for safe manual and object handling practices. All staff are fully trained in related manual handling.
4.5.3.6 There is a mechanism to ensure that all equipment used in the department conforms to appropriate legislation and a record of equipment checks is kept.
4.5.3.7 Health records storage areas must be able to accommodate current needs and annual growth of health records. The health records collection inventory demonstrates how this will be achieved.
4.5.3.8 Health records are stored securely when located in clinical areas or offices and arrangements are in place to facilitate retrieval of Health Records when required. The keys/access codes/access pass to storage areas that are locked are available to authorised staff at all times to facilitate retrieval of health records.
4.5.3.9 When paper health records are no longer required for current episodes of care, they may be placed in secondary storage areas, either on site or off site.
4.5.4 Scanning
4.5.4.1 Paper records may be scanned into electronic format to allow them to be uploaded into clinical systems for immediate access.
4.5.5 Transport
4.5.5.1 All patient identifiable information must be transported securely. Transportation methods must be fit for purpose and in accordance with individual departmental procedures. There are various methods employed for both manual and electronic records. (See policy GP R1-1)
4.5.5.2 For manual records use:
- single record Envopak carriers with seals
- multiple record Envopak carriers with seals
- sealed double envelopes
- purpose designed plastic boxes
4.5.5.3 For electronic records please refer to the following NHS Fife General policies:
- GP/A4 Acceptable Use Policy
- GP/B2 eHealth Remote Access Policy
- GP/D3 Information Governance & Data Protection Core Policy
- GP/D6 Data Encryption Policy
- GP/O2 Corporate Online Communications Policy
- GP/I5 Information Security Policy
- GP/M4 Media Handling Policy
- GP/M5 Mobile Device Management Policy
- GP/P2 Secure Use of Password Policy
- GP/S8 Digital and Information Incident Management Policy
- GP/V2 IT Malware Protection Policy
4.5.6 Management
4.5.6.1 Maintaining accurate health records is vital to patient care. A comprehensive health record should be maintained for every patient. Each health records system should have well defined procedures for the ongoing management of the health record from creation to final disposal in accordance with current legislation.
4.5.6.2 Information held must be safeguarded.
4.5.6.3 Whenever possible, separate areas are maintained for current and non-current health records in use within the organisation.
4.5.6.4 There are documented procedures for the safe storage and retrieval of health records, both manual and electronic.
4.5.6.5 There are documented procedures for booking health records out from the normal filing system which enable rapid retrieval of health records and prevent misfiles.
4.5.6.6 Tracer and tracking systems facilitate timely retrieval of health records.
4.5.6.7 There is a documented procedure for dividing unmanageable folders including cross-referencing of the volumes such that clinical staff may efficiently use them. Closed volumes are suitably labelled.
4.5.6.8 Contents of the health record are filed in the correct order according to the design of the health record folder and dividers. Documents are securely fastened within the folder.
4.5.6.9 The responsibility for filing of loose documentation is clearly defined.
4.5.6.10 There is a system to ensure that staff routinely remove poorly filed and torn health records to reassemble or re-cover.
4.5.6.11 There are documented procedures for the transportation of health records within and out with health board boundaries.
4.5.6.12 There are documented procedures for handling Data Subject Access Requests and other legal requests with clear responsibility for responding by fully trained dedicated staff who process requests efficiently and in accordance with the law.
4.5.6.13 Within our libraries there is a mechanism to help identify any misfiled health records, e.g. colour coding.
4.5.6.14 There are documented procedures for the retention, archiving or destruction of health records in accordance with national guidelines.
4.5.6.15 Refer to GP/R4 Management, Retention, Storage and Destruction of all Business and Administrative Information and Records and GP/R8 NHS Fife - Health Records Retention and Destruction, which details the minimum retention period for the information and procedures for the safe disposal of personal information.
4.5.6.16 Health record case notes can be accessed by staff within the acute service from designated storage locations (location dependent on service) 24 hours a day, 7 days a week. Case notes tracking guidance is in place detailing the correct process for tracking the case notes’ location at any given time to ensure availability.
4.5.7 Archiving and Disposal of Health Records
4.5.7.1 There is a documented Policy for the Retention & Destruction of Health Records in accordance with the Scottish Government Records Management NHS Code of Practice (Scotland). The method of destruction must ensure that confidentiality is maintained at all times. The Policy specifies the timescale for retention for all types of health record and media, and the procedure for transfer between media. Refer to GP/R4 Management, Retention, Storage and Destruction of all Business and Administrative Information and Records and GP/R8 NHS Fife - Health Records Retention and Destruction, which details the minimum retention period for the information and procedures for the safe disposal of personal information.
4.6 LEGAL AND PROFESSIONAL OBLIGATIONS
4.6.1 All NHS health records are public records under the Public Records (Scotland) Act. The Board will take actions as necessary to comply with legal and professional obligations such as:
- General Data Protection Regulation (GDPR) 2018
- Scottish Government Records Management, Health & Social Care Code of Practice (Scotland) 2020
- The NHS Scotland Protecting Patients Confidentiality 2023
- Access to Health Records Act 1990
- Public Records (Scotland) Act 2011
And any new legislation affecting health records management as it arises.
4.7.1 The following core standards must be met across NHS Fife, and within each area/department/ward, with clear access procedures agreed locally:
- all entries in records must be recorded legibly in ink, dated and signed
- all records are stored securely with controlled access
- out with the main health records libraries, all confidential records are kept secure in locked filing cabinets or offices with controlled access.
- the main acute health records libraries will secure physical access through scan entry systems.
- records are filed in the manner most appropriate for effective management, timeous retrieval and compliance with NHS Fife Retention & Destruction Policy.
- protection from the risk of fire and flood must be considered in designating storage areas
4.8 RETENTION AND DISPOSAL SCHEDULE
4.8.1 It is a fundamental requirement that all of the Board’s health records are maintained for a minimum period of time for clinical, legal, operational, research and safety reasons. The length of time for retaining health records will depend on the record type.
4.8.2 NHS Fife has adopted the minimum retention periods set out in the Scottish Government Records Management NHS Code of Practice (Scotland) 2020; these are contained in a separate policy. The local retention schedule will be reviewed every 3 years or earlier in the light of legislative or Scottish Government changes. Refer to GP/R4 Management, Retention, Storage and Destruction of all Business and Administrative Information and Records and GP/R8 NHS Fife - Health Records Retention and Destruction, which details the minimum retention period for the information and procedures for the safe disposal of personal information.
4.9 HEALTH RECORDS INVENTORY
4.9.1 NHS Fife requires to know what records are held, where they are kept and how the information contained within the records is being used. An up-to-date health records inventory will be maintained within each service and is held centrally within Information Governance. This will identify all record collections/information sets that exist within the organisations, the volume of records, the type of media on which they are held, their physical condition, their location, the physical and environmental conditions in which they are stored and the responsible manager.
4.9.2 Service Users should be made aware when new collections of records or information sets are created or when management arrangements or physical locations change.
4.10 HEALTH RECORDS MANAGEMENT SYSTEMS AUDIT
4.10.1 NHS Fife will regularly audit the records management practices for compliance with this policy. Auditing health records policies and procedures will be done on a systematic basis. The audit will compare current operational practice against defined procedures. The audit cycle will include self assessment against the Information Governance Standards.
4.11 HEALTH RECORDS PROCEDURES
4.11.1 The Divisional Health Records Manager and appropriate managers within each service are responsible for planning and documenting health records departmental local procedures, thus providing standardisation of work tasks throughout the departments. Other health records policies and procedures relevant to this policy are summarised in Appendix 2.
4.12 TRAINING
4.12.1 All staff employed by NHS Fife including volunteers and contractors should be given training on their personal responsibilities for health records keeping. This includes the creation, use, storage, security and confidentiality of health records. Appropriate training should be provided for all users of the health records systems to meet local and national standards. All new employees to the organisation will be given basic training as part of the organisation’s induction process. Additional training in the specifics of health records management will be provided where appropriate. Training is tailored to specific staff groups and functions including the following:
- all current relevant legislation and NHS standards
- all current relevant organisation policies and procedures
- Caldicott requirements
- patient confidentiality and the security of records, whether paper or electronic
- Access to Health Records Act 1990
- Scottish Government Records Management NHS Code of Practice (Scotland)
- secure destruction of confidential waste
- Individuals' rights to access information (Data Protection Act 1998/Mental Health (Scotland) Act 2003)
- NHS Scotland Code of Practice on Confidentiality
- health records practitioners and personnel are pivotal to the management of health records systems and should receive customised training in health records practice. The procedure manual is a key management tool and should form the basis for all health record system specific training.
6. RISK MANAGEMENT
6.1 Failure to abide by this policy could lead to breach of the Data Protection Act, Freedom of Information Act and Caldicott recommendations.
6.2 It is the responsibility of the Line Manager to ensure this policy is deployed within their area of responsibility.
7. RELATED DOCUMENTS
7.1 Appendix 1 Definition of a 'health professional'
7.2 Appendix 2 Health Records policies & procedures relevant to this policy
8. REFERENCES
- NHS Fife Health Records Retention and Destruction Policy
- Public Records (Scotland) Act 2011
- Medical Reports Act 1988
- The Computer Misuse Act 1990
- Access to Health Records Act 1990
- General Data Protection Regulation (GDPR) 2018
- Human Rights Act 2000
- CEL 31 (2010) Records Management Code of Practice (Scotland)
- Scottish Government Records Management, Health & Social Care, Code of Practice (Scotland) 2020
- Quality Improvement Scotland – Standards for Record Keeping
- Information Governance Standards
- National eHealth Strategy
- Caldicott Review of Patient Identifiable Information, 2013
- Information Governance Records Management Guidance notes 1-9 27/08/2010
- Retention and Destruction Policy of health records in accordance with