Why keep records
Dental professionals are required to make and keep accurate dental records of care provided to patients. Dental Protection is frequently contacted by members who want to understand how long records should be retained by the practice.
There is a professional obligation to create records to document dental treatment that is provided to patients. There are a two of pieces of legislation that require practitioners to keep records. These are the Freedom of Information (FOI) Acts 1997 and 2003 and the Data Protection Acts 1988 and 2003 that are designed to co-exist.
There are material differences - Data Protection Acts apply to records held by a dentist in a public or private capacity, and the FOI Acts apply only to records held by a dentist as an agent of a public body, i.e. records of GMS Scheme patients.
Legal obligations about storage of dental records
The dentist must keep records safely and securely. Keeping them securely also requires that they are kept confidential (employed staff who have been instructed on your security policy are exempt). Access to the records by others must only be given if necessary, and with necessary and appropriate safeguards. The dentist is expected to make, and be able to demonstrate, an assessment of risk in deciding on appropriate security measures. The express consent of a patient to store their general records is not generally required as their consent is implicit by virtue of their attendance at the dentist. The Data Protection Commissioner does, however, consider it good practice to inform patients that the records will be stored and to tell them to what uses their records will be put. You can read more on the subject here
From a practical point of view:
- Offices should be locked and alarmed when not in use
- Computer monitors should not face towards windows or public access areas
- Records should be disposed of securely
- If dental records are saved onto portable devices such as a laptop computer, significant precautions should be taken, including encryption of the device to a standard that makes it impossible to access the records without the encryption key
- Access to records by administrative staff should only be to the extent necessary to enable them to perform their functions
- Dentists should consider implementing a system that identifies the user name that accessed a file as well as the time of the access.
Accurate dental records can help practitioners to reach a diagnosis, by providing detailed information about the changing oral health status of a patient. Detailed records can also help to prevent adverse incidents occurring, for example, if the records are not clear, the wrong tooth could be treated or a previously noticed carious cavity, overlooked.
Access to records
Patients have a statutory right to see records made about their dental care. Both the Data Protection Acts 1998 and 2003 and the Freedom of Information Acts 1997 and 2003 provide a patient with the legal right to be given a copy of his/her dental records. The Data Protection Acts apply to information held by the dentist in both a public and a private capacity, i.e. a patient can apply under the Data Protection Acts for a copy of his/her records whether they are a private or a public/GMS patient. Dental Protection advises that the dentist should be actively involved in the process of releasing records and not leave the job to an administrator/secretary.
Complaints and claims
Despite a practitioner’s efforts to ensure patients are satisfied with their treatment, complaints and claims may still arise. Without reference to contemporaneous records, a dentist will be heavily disadvantaged in defending allegations. Detailed records of treatment can make the difference between robustly defending or needing to settle a case.
How long should records be retained?
There is no legislative provision for minimum periods during which records must be retained. The Data Protection Acts require that personal data only be held for so long as the purpose for which they were collected remains. The Dental Ethics Code of Practice, issued by the Dental Council, states that ‘dentists have a duty to maintain adequate and accurate records of all matters relating to their treatment of patients. These records should be kept in a secure location and retained for a reasonable period, not likely to be less than 10 years, before being destroyed’.
From a legal point of view, a court action for negligence should be brought within two years of the incident. However, this general rule is subject to a number of exceptions, including cases involving minors and persons of unsound mind. In addition, a plaintiff may be able to circumvent the time limit on the ‘date of knowledge’ principles, i.e. that he or she could not have been reasonably aware of any problems until some time after the incident. The Dental Council states that in the case of adults they should be kept for eight years after the last treatment. For children and young adults they must be kept until the patient’s 25th birthday; or their 26th birthday if the young person was 17 when they finished treatment. If a patient dies before their 18th birthday; records must be kept for eight years.
Dentists who need to register
In a healthcare context, anybody who processes personal data relating to physical or mental health is required to register with the Data Protection Commissioner in respect of data held or processed by computer. All dentists storing patient medical records on computer must therefore register. A dentist who retains only manual records is not required to register but must comply with the Principles of the Act.
Are you a data controller or a data processor?
From the point of view of the Irish Data Protection regime, dental members need to ascertain whether they are considered to be a data controller because relatively significant obligations are bestowed on bearers of that title. As a rule of thumb, if an individual or an organisation collects, keeps or processes any data about a living person in electronic form or in a structured manual filing system, that individual or organisation is either a data controller or a data processor. The key factor in distinguishing between the two is control, i.e. does that individual decide the content of personal data and decide the use to which the personal data will be put? If the answer is yes, that individual is a data controller. On the other hand, if that individual processes personal data but some other person or organisation makes the decisions regarding what to do with it, then that person is a data processor.
Matters become more complex when dealing with requests for records under the data protection and FOI legislation. In this context, the identity of the person making the decision whether or not to release a copy of the records (i.e. the data controller) depends on whether the records are public or private in nature.
- A dentist acting in a purely private capacity is a data controller
- A dentist employed by the HSE/Hospital/Health Board (but dealing with a private patient) is a data controller
- A dentist employed by the HSE/Hospital/Health Board in dealing with a public patient is not a data controller. In that case, the data controller is the hospital/clinic or HSE. However, the HSE/Hospital/Health Board is not entitled to release the records.
Data controller responsibilities under the Data Protection Acts
Every data controller has key responsibilities in relation to the processing of data. These responsibilities can be summarised into eight principles which all data controllers should use as a check list to ensure compliance with the Acts.
Data processor responsibilities under the Data Protection Acts
Data processors are obliged to keep personal data secure from unauthorised access, disclosure, destruction or accidental loss.
Transfer of records
Where a patient transfers to a new practice, the dentist should facilitate this by transferring a copy of the patient’s records to the new dentist with the patient’s consent. In such circumstances, the Data Protection Commissioner has previously stated that ‘the existing doctor should, however, maintain the patient information record accumulated at that time for an adequate period consistent with meeting legal and other professional responsibilities. During that period, the provisions of the Data Protection Acts continue to apply to that information’.
If a dentist is passing patient data on to a person or body acting in an agency capacity, for example a laboratory, then this is not a‘disclosure’ under the Data Protection Act and specific patient consent is not mandated. However, the patient should be informed in advance that their records will be used in this way.
If a dentist is passing the patient’s records to another health professional for guidance and advice on clinical issues, the records should be anonymised. If the dentist wishes to pass on the full patient records, including identifying details, the express consent of the patient is required in advance except in cases of urgent need, i.e., to prevent injury or damage to the patient’s health.
In respect of associates taking patient details away with them when they leave the practice, it is important to understand that the spirit of the legislation is centred on patient consent. The views of the patient should be the guiding principle when dealing with records.
The Dental Council states that a dentist must transfer patient records to another practice if they get clear instructions from a patient to do so . Dental Protection’s advice is to provide copies of the records and radiographs, or lend the radiographs to the patient’s new dentist on the understanding they will be returned.
Record keeping key points
- Obtain and process personal data fairly
- Keep personal data only for one or more specified, explicit and lawful purposes
- Process personal data only in ways which are compatible with those specified purposes
- Keep personal data safe and secure
- Keep personal data accurate, complete and up to date
- Ensure personal data are adequate, relevant and not excessive
- Retain personal data for no longer than necessary for the specified purpose or purposes
- Give a copy of his/her personal data to the data subject on request
- General adults – eight years after last contact subject to understanding there is no evidence of any long-term disability
- Children – up to the patient’s 26th birthday
- Mental health patients – 20 years after cessation of treatment
- Clinical trial patients – 15 years after conclusion of treatment
- Deceased patients – eight years after death