15 April 2013
A synopsis of the law pertaining to record keeping for dentists
In discussing how the law impacts on dental record keeping, the relevant legislation is the Freedom of Information (FOI) Acts 1997 and 2003 and the Data Protection Acts 1988 and 2003. The two regimes are designed to co-exist and in practice appear to do so.
There are material differences between the FOI regime and the data protection regime:
- The Data Protection Acts apply to records held by a dentist in a public or private capacity.
- The FOI Acts apply only to records held by a dentist as an agent of a public body, i.e. records of GMS Scheme patients.
Are you a Data Controller or a Data Processor?
The starting point for an examination of the Irish Data Protection regime is the definition of data controller. Members will need to ascertain whether they are considered to be a data controller because relatively significant obligations are imposed on anyone holding that title.
As a rule of thumb, if an individual or an organisation collects, keeps or processes any data about a living person in electronic form or in a structured manual filing system, then that individual or organisation is either a data controller or a data processor. The key factor in distinguishing between the two is control, i.e. does that individual decide the content of personal data and decide the use to which the personal data will be put. If the answer is yes, then that individual is a data controller. On the other hand, if that individual processes personal data but some other person or organisation makes the decisions regarding what to do with it then that person is a data processor.
Matters become more complex when dealing with requests for records under the data protection and FOI legislation. In this context the identity of the person making the decision whether or not to release a copy of the records (i.e. the data controller) depends on whether the records are public or private in nature. The situation is as follows:
- A dentist acting in a purely private capacity is a data controller.
- A dentist employed by the HSE/Hospital/Health Board but dealing with a private patient is a data controller.
- A dentist employed by the HSE/Hospital/Health Board in dealing with a public patient is not a data controller. In that case, the data controller is the hospital/clinic or HSE. However, the HSE/Hospital/Health Board is not entitled to release the records without obtaining confirmation from the dentist that the release of information is not likely to cause serious harm to the patient’s physical or mental health.
Data Controller responsibilities under the Data Protection Acts
Every data controller has key responsibilities in relation to the processing of data. These responsibilities can be summarised into eight principles which all data controllers should use as a checklist to ensure compliance with the Acts.
Data controllers must:
a. Obtain and process personal data fairly.
b. Keep personal data only for one or more specified, explicit and lawful purposes.
c. Process personal data only in ways which are compatible with those specified purposes.
d. Keep personal data safe and secure.
e. Keep personal data accurate, complete and up to date.
f. Ensure that personal data is adequate, relevant and not excessive.
g. Retain personal data for no longer than necessary for the specified purpose or purposes.
h. Give a copy of his/her personal data to the data subject on request.
Data Processor responsibilities under the Data Protection Acts
Data processors are subject to much less onerous obligations than data controllers. Their obligations are limited to keeping personal data secure from unauthorised access, disclosure, destruction or accidental loss.
In a healthcare context, anybody who processes personal data relating to physical or mental health is required to register with the Data Protection Commissioner in respect of data held or processed by computer. All dentists storing patient medical records on computer must therefore register. A dentist who retains only manual records is not required to register, although they are still subject to the eight obligations discussed above.
Storage and security of records
The express consent of a patient to store their general records is not generally required as their consent is implicit by virtue of their attendance at the dentist. The Data Protection Commissioner does however consider it good practice to inform patients that the records will be stored and to tell them to what uses their records will be put.
The Data Protection legislation requires that appropriate security measures be in place which take account of the harm that would result from unauthorised access to the information. Given the highly sensitive nature of dental records, your members should be very conscious of this. From a practical point of view, offices should be locked and alarmed when not in use and computer monitors should not face towards windows or public access areas. Records should be disposed of securely. If dental records are saved onto portable devices such as a laptop computer, significant precautions should be taken, including encryption of the device to a standard that makes it impossible to access the records without the encryption key. Access to records by administrative staff should only be to the extent necessary to enable them to perform their functions. Dentists should consider implementing a system which identifies the user name that accessed a file, as well as the time of the access. The Data Protection Commissioner has stressed that patients are entitled to an assurance that their personal data will be treated on a “need to know” basis.
Despite best efforts there can be security breaches from time to time, for example where the patient’s records are lost or a laptop containing patient information is stolen. The Minister for Justice, Equality and Law Reform last year established the Data Protection Review Group on the subject of breaches of Data Protection. DPL understands that the Group are presently looking at implementing mandatory reporting of data breaches. Although not mandatory at present, there is a trend towards voluntary disclosure of security breaches and the Data Protection Commissioner has advised that this is best practice.
Retention of records
There is no legislative provision for minimum periods for which records should be retained. The Data Protection Acts require that personal data only be held for so long as the purpose for which it was collected remains.
The Dental Ethics Code of Practice issued by the Dental Council states that “Dentists have a duty to maintain adequate and accurate records of all matters relating to their treatment of patients. These records should be kept in a secure location and retained for a reasonable period, not likely to be less than ten years, before being destroyed.”
The National Freedom of Information Group for Health Boards recommended the following minimum retention periods for personal health records:
- General adults – eight years after last contact, provided there is no evidence of any long-term disability.
- Children – up to the patient’s 26th birthday.
- Mental health patients – 20 years after cessation of treatment.
- Clinical trial patients – 15 years after conclusion of treatment.
- Deceased patients – eight years after death.
From a legal point of view, a Court action for negligence should be brought within two years of the incident; however, this general rule is subject to a number of exceptions, as you well know, including cases involving minors and persons of unsound mind. In addition, a Plaintiff may be able to circumvent the time limit under the “date of knowledge” principle, i.e. that s/he could not reasonably have been aware of having a case until some time after the incident. Our advice would be to retain dental records for at least ten years and, in the case of children, until the patient’s 21st birthday.
Access regime under the Data Protection legislation
Both the Data Protection Acts 1988 and 2003 and the Freedom of Information Acts 1997 and 2003 provide a patient with the legal right to be given a copy of his/her dental records.
The Data Protection Acts apply to information held by the dentist in both a public and a private capacity, i.e. a patient can apply under the Data Protection Acts for a copy of his/her records whether they are a private or a public/GMS patient.
In terms of the practicalities, it is important to note that although a dentist may ask the patient to pay a fee for a copy of the records, this charge cannot exceed €6.35. This is obviously not a significant sum of money, particularly where there is a large volume of records to be copied. This highlights the fact that the data protection regime is designed to facilitate access and minimise restrictions. Once a request has been made and any fee paid, the requested information must be given within 40 days.
It is important to emphasise that the Data Protection Acts do not contain a right to be furnished with the original records and rather the patient is only entitled to a copy of his/her records.
With all rules there are exceptions and the right of access is not an absolute one. Dentists should deny patients access to some or all of their records where the following circumstances apply:
- Where release of the records would be likely to cause serious harm to the physical or mental health of the patient.
- Where legal professional privilege can be availed of. This would encompass medico-legal reports.
- Where the request relates to the records of a third party (unless consent obtained or the requester is the guardian of the minor to whom the requested records relate).
- Where the records contain confidential expressions of opinion regarding the patient. You might note that a high threshold will be applied when relying on this exemption and it should be shown that the opinion concerned would not have been given “but for” the understanding of confidentiality.
In light of the various exceptions that might or might not apply to a request, DPL would advise that the dentist should be actively involved in the process of releasing records and not leave the job to an administrator/secretary.
Access regime under the Freedom of Information legislation
The Freedom of Information Acts are more limited than the Data Protection Acts and a patient can only apply under FOI for records held by the dentist in his capacity as an agent of a public body i.e. files on GMS patients. While dental records of patients covered by the GMS scheme remain under the physical control of the dentist, the dentist is not the data controller for the purpose of deciding whether access should be granted. The records must be furnished to the HSE/Health Board/clinic and the dentist should advise if there is any reason not to furnish the records, noting that the decision rests with the HSE/hospital/Health Board.
Where access to personal information including dental records is sought under the FOI regime, no fee is payable upon making the request. The decision on whether or not to grant access must be made within four weeks of the date of receipt of the application.
Like the access regime under the data protection legislation, there are exceptions to the right of access under FOI and these are set out in Part III of the FOI Act. The exemptions include information of a commercially sensitive nature, information subject to legal professional privilege and third party information of a personal nature. Most of the exemptions require consideration of whether the public interest is better served by disclosure of a particular record, i.e. whether it outweighs the potential harm arising from disclosure.
What to do if you receive a Data Protection or FOI Access request
a. Ascertain who is the data controller and therefore the correct decision maker in relation to the release of the records, bearing in mind whether the patient is a private patient or is attending the dentist under the GMS Scheme.
b. Comply with the procedural requirements. In this regard the dentist should bear in mind the maximum fees payable and the time frame allowed for responding to requests. The maximum time frames allowed under the legislation should be regarded as a long stop and dentists should strive to respond to a request as soon as possible.
c. Consider any relevant exemptions that might apply.
d. Respond to the data subject in writing. If access is being refused, the reasons for refusal should be set out in writing and the patient should be informed of their right of appeal to the Data Protection Commissioner/Information Commissioner.
Right to alteration
In addition to a right to access a copy of their records, patients have rights of correction, rectification and erasure in relation to information in their records that is inaccurate or excessive. If the request for alteration is straightforward, for example amending an incorrect address, there should be no issue with the amendment. As with all alterations of records, the dentist should of course annotate the records to record the date, time and reason for the amendment.
In other more complex requests for alterations, the dentist should exercise professional judgment and explain the reasoning to the patient as well as informing the patient of his right to bring the matter to the attention of the Data Protection Commissioner for resolution. Further advice can also be obtained from Dental Protection.
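As an added illustration of two controls described in this article, the system that records which user name accessed a file and when (see Storage and security of records) and the annotation of every amendment with date, time and reason (this section), here is example code that is not from the original article or from Dental Protection. The roles, field names and the "need to know" mapping are constructed for the example; a real practice system would map them to its own staff roles.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed "need to know" mapping: each role may see only the fields its
# job requires. Administrative staff get contact details, not clinical notes.
NEED_TO_KNOW = {
    "dentist": {"name", "address", "clinical_notes"},
    "receptionist": {"name", "address"},
}


@dataclass
class AuditEntry:
    user: str        # user name that accessed or changed the record
    when: datetime   # time of the access (timezone-aware)
    action: str      # "read", "denied" or "amend"
    detail: str      # field touched and, for amendments, old/new value and reason


class PatientRecord:
    """One patient's record with an append-only audit trail of every access."""

    def __init__(self, fields):
        self._fields = dict(fields)
        self.audit = []

    def _check(self, user, role, field_name, now):
        # Refusals are logged too, so attempts outside a role's remit are visible.
        if field_name in NEED_TO_KNOW.get(role, set()):
            return
        self.audit.append(AuditEntry(user, now, "denied", field_name))
        raise PermissionError(f"{role} has no need to know {field_name}")

    def read(self, user, role, field_name, now=None):
        now = now or datetime.now(timezone.utc)
        self._check(user, role, field_name, now)
        self.audit.append(AuditEntry(user, now, "read", field_name))
        return self._fields[field_name]

    def amend(self, user, role, field_name, new_value, reason, now=None):
        """Change a field and annotate who changed it, when and why."""
        now = now or datetime.now(timezone.utc)
        self._check(user, role, field_name, now)
        old = self._fields.get(field_name)
        self._fields[field_name] = new_value
        self.audit.append(AuditEntry(
            user, now, "amend", f"{field_name}: {old!r} -> {new_value!r}; reason: {reason}"))

    def audit_lines(self):
        """Audit trail as text, one line per event, for review or export."""
        return [f"{e.when.isoformat()} {e.user} {e.action} {e.detail}" for e in self.audit]
```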
Transfer of records
Where a patient transfers to a new practice, the dentist should facilitate this by transferring a copy of the patient’s records to the new dentist with the patient’s consent. In such circumstances, the Data Protection Commissioner has previously stated that “the existing doctor should, however, maintain the patient information record accumulated at that time for an adequate period consistent with meeting legal and other professional responsibilities. During that period, the provisions of the Data Protection Acts continue to apply to that information.”
If a dentist is passing patient data on to a person or body acting in an agency capacity, for example a laboratory, then this is not a “disclosure” under the Data Protection Act and specific patient consent is not mandated. However the patient should be informed in advance that their records will be used in this way.
If a dentist is passing the patient’s records to another health professional for guidance and advice on clinical issues, the records should be anonymised. If the dentist wishes to pass on the full patient records, including identifying details, the express consent of the patient is required in advance except in cases of urgent need i.e. to prevent injury or damage to the patient’s health.
In respect of associates taking patient details away with them when they leave the practice, it is important to understand that the spirit of the legislation is centred on patient consent. The views of the patient should be the guiding principle when dealing with records. Therefore, before an associate takes away any details of their patients, it would be appropriate to first obtain the express consent of the patients concerned.