confidentiality and security. These guidelines cover all doctors. They are available at
The doctors’ representative bodies have issued a guide to Managing and Protecting the Privacy of Personal Health Information in Irish General Practice but this is not binding. The Information Commissioner has referred on a number of occasions to problems with GP medical records. The contract between GPs and the Health Service Executive (HSE) includes a general requirement to keep “adequate clinical records” but does not set any standards about the type of medical records to be maintained or the length of time for which they should be retained. There are arrangements for dealing with records when a GP ceases to practise for whatever reason but the Information Commissioner says these are “not very specific” and they “appear to lack a proper implementation mechanism”.
You may use the Data Protection Acts to get access to your GP records whether you are a private or a public patient. You may use the FOI Acts if you are a public patient, that is, if you have a medical card – see below.
Some hospitals store medical records indefinitely. Some have put old records on microfilm and then disposed of the originals. The Information Commissioner has referred in a number of annual reports to problems which people experience in relation to the loss of medical records. This is sometimes due to the amalgamation of hospitals or to fire.
The HSE’s Code of Practice for Healthcare Records Management was issued in 2007. It replaced the Policy for Health Boards on Record Retention Periods issued in1999.
The 2007 Code sets out detailed standards for the creation, maintenance and storage of health records. These standards are meant to apply to all healthcare facilities. It sets out the recommended retention periods for health records in publicly funded hospitals. The appropriate retention period depends on the type of records involved. General healthcare records should be retained for 8 years after treatment ceases or after the patient’s death. Children’s records should broadly be retained until they reach the age of 25 or 26. Some records must be retained for up to 30 years (for example, records which may be required in criminal proceedings).
Accessing your medical records
You may be able to access your medical records simply by asking your doctor, your consultant or the HSE for them. If that is not successful you may use the data protection or FOI legislation.
Information about your health may, of course, be held by a variety of other people and organisations, for example, by the Department of Social and Family Affairs if you are on a sickness or disability payment or if your carer is receiving a social welfare payment; by your employer, your school or a club to which you belong. However, we are concerned here only with information held by doctors and hospitals.
Data protection legislation
The Data Protection Acts 1988 and 2003 aim to protect the privacy of people about whom personal data is held. A person about whom personal data is held is a “data subject”.