Information Governance Records Management Guidance Note Number 002: NHS Scotland Personal Health Records Management Policy for NHS Boards


1.1 Introduction

(Insert name of NHS Board) takes its responsibility towards patient confidentiality seriously and patient records should always be held in a secure environment and accessed on a need to know basis.

Health records are a valuable resource because of the information they contain. They are essential to the delivery of high quality evidence based health care. Health records are contemporaneous and form the basis for the organisation's accountability for clinical care. They are evidential documents and as such must comply with legislative requirements, professional standards and guidelines. It is essential to the operation of the organisation to be able to identify and locate information that is critical for current decision making and to determine which policies and procedures are followed during the delivery of clinical care.

Health records management is the process of managing records throughout their life cycle, from their creation, usage, maintenance and storage to their ultimate destruction or permanent preservation.

Legislation has a significant effect on record keeping arrangements in NHS organisations. NHS Scotland must ensure that health records management policies and procedures are fully compliant with legislation and government policy on the management of information, namely:

  • Public Records (Scotland) Act 1937;
  • Medical Reports Act 1988;
  • The Computer Misuse Act 1990;
  • Access to Health Records Act 1990;
  • Data Protection Act 1998;
  • Human Rights Act 2000;
  • Scottish Government Records Management NHS Code of Practice (Scotland);
  • Quality Improvement Scotland - Standards for Record Keeping;
  • Information Governance Standards;
  • National eHealth Strategy

This policy should be read in conjunction with the organisation's Health Records Management Strategy, which sets out how the policy requirements will be delivered.

1.2 Scope of the Policy

This policy sets out best practice for creating, using, retaining and disposing of health records. It applies to health records in all formats, of all types and in all locations used:

  • to support patient care and the continuity of care;
  • to support day to day corporate activities which underpin delivery of care;
  • to support evidence based practice;
  • to support epidemiology;
  • to meet legal requirements and regulatory requirements;
  • to assist medical and other audits;
  • to support improvements in clinical effectiveness through research.

1.3 Definition of a Health Record

A health record is anything that contains information, which has been created or gathered as a result of any aspect of the delivery of patient care, including:

  • personal health records (electronic, microfilm and paper based);
  • radiology and imaging reports, photographs and other images;
  • audio and video tapes, cassettes, CDROM etc;
  • computer databases, output and disks etc and all other electronic records;
  • material intended for short term or transitory use including notes and "spare copies of documents".

This list is not exhaustive.

The health record should be constructed to contain sufficient information to identify the patient, provide a clinical history, details of investigations, treatment and medication.

1.4 Aims of Health Records Management System

The aim of this health records policy is to ensure that procedures are in place to bring together the health professionals and accurate, relevant, reliable patient documentation at the correct time and place to support patient care. In achieving this aim, all NHS Scotland employees should fulfil statutory and other legal requirements, ensuring patient safety and safe custody and confidentiality of patient information at all times.

The aims of our health records management system are to ensure that:

  • health records are available when needed - from which the Health Board is able to form a reconstruction of activities or events that have taken place;
  • health records can be accessed - health records and the information within them can be located and displayed in a way consistent with the records' initial use and that the current version is identified where multiple versions exist;
  • health records can be interpreted - the context of the record can be interpreted: who created or added to the health record and when, during which business process, and how the health record is related to other health records;
  • health records can be trusted - the health record reliably represents the information that was actually used in or created by the business process, and the record's integrity and authenticity can be demonstrated;
  • health records can be maintained through time - the qualities of availability, accessibility, interpretation and trustworthiness can be maintained for as long as the health record is needed, perhaps permanently despite changes of format;
  • health records are secure - from unauthorised and inadvertent alteration and erasure. Access and disclosure are properly controlled and audit trails will track all use and changes to ensure that health records are held in a robust format which remains readable for as long as they are required;
  • health records are retained and disposed of appropriately - using consistent documented retention and disposal procedures, which include provision of appraisal and permanent preservation for health records with archival value;
  • staff are trained - all staff are made aware of their responsibilities for health record keeping and management.

1.5 Health Records Life Cycle Process

Health records are confidential documents and should be clearly identifiable, accessible and retrievable. They should be authentic, meaningful, authoritative, adequate for their purpose and correctly reflect what was communicated, decided or done. They should be unalterable and after an action has occurred nothing from the health record should be deleted or altered. Information added to an existing hard copy health record should be signed and dated. Health records systems should be secure and their creation, management, storage and disposal should comply with current legislation.

1.5.1 Creation

A comprehensive health record is created and maintained for every patient attending health services to provide an up to date and chronological account of the patient's care.

  • patient demographic data for each registration should be recorded on the master patient index of the patient administration or departmental patient management system. The minimum patient demographic data should include surname, forename, sex, date of birth, home address, postcode, Community Health Index (CHI) number and/or departmental number;
  • the organisation should use the CHI number as the unique patient identifier;
  • where there is more than one local identifier or case record per patient, a system should be in place to ensure that the existence of all other health records is known at all times;
  • paper health records have a standard case record folder constructed of robust material to withstand handling and transport and with secure anchorage points to prevent loss or damage to documents. There should be no inside pockets or flaps as these can lead to misfiling or loss of documents;
  • there is a method for indicating alert or risk factors which is used consistently in all personal health records, with a designated place for healthcare professionals to record actual or suspected clinical alerts and hazards which are signed and dated. There may be an indicator on the outside of the folder but the confidential detail should be placed inside the folder;
  • there is a locally agreed format for filing of information within the health record which facilitates ease of access to all clinical information. Clear instructions regarding the order of filing should be contained within the folder or printed on the divider(s). Documents should be viewable in chronological order reflecting the continuum of patient care;
  • machine generated reports and recordings, e.g. CTG, ECG and laboratory reports, are securely stored using a method that will minimise deterioration;
  • there are dated documented procedures for the management of electronic health records;
  • all electronic health record information systems are password protected and passwords are changed at regular intervals.

1.5.2 Storage

Health records storage areas should provide a safe working environment with secure storage that allows health records to be retrieved at all times. These areas should only be accessible to authorised staff.

  • health records storage areas and office accommodation conform to all current legislation and guidance regarding health and safety;
  • regular risk assessments are undertaken in line with the organisation's risk management strategy;
  • racking for storage of health records is stable, of strong enough construction to support the weight of health records and complies with current health and safety regulations;
  • there are safety step ladders and safety stools appropriate to the number of staff employed/size and use of the health records storage area;
  • there is a documented protocol for safe manual and object handling practices. All staff are fully trained in related manual handling;
  • there is a mechanism to ensure that all equipment used in the department conforms to appropriate legislation and a record of equipment checks is kept;
  • access to health records storage areas is restricted to authorised personnel only. Health records should not be accessible to unauthorised persons nor left for any period where they might be accessed by unauthorised persons. The keys/access codes/access pass to storage areas that are locked are available to authorised staff at all times to facilitate retrieval of health records;
  • health records storage areas must be able to accommodate current needs and annual growth of health records. The health records collection inventory demonstrates how this will be achieved;
  • health records are stored securely when located in clinical areas or offices and arrangements are in place to facilitate retrieval of health records when required.

1.5.3 Management

Maintaining proper health records is vital to patient care. A comprehensive health record should be maintained for every patient. Each health records system should have well defined procedures for the ongoing management of the health record from initiation to final disposal in accordance with current legislation.

  • whenever possible, separate areas are maintained for current and non current health records in use within the organisation;
  • there are documented procedures for the safe storage and retrieval of health records, both manual and electronic;
  • there are documented procedures for booking health records out from the normal filing system which enable rapid retrieval of health records and prevent misfiles;
  • tracer and tracking systems facilitate timeous retrieval of health records;
  • there is a documented procedure for splitting fat folders including cross-referencing of the volumes such that clinical staff may efficiently use them. Closed volumes are suitably labelled;
  • there is a documented procedure relating to the return of patient held records to the health records department when the episode of care for an individual patient is complete;
  • contents of the health record are filed in the correct order according to the design of the health record folder and dividers. Documents are securely fastened within the folder;
  • the responsibility for filing of loose documentation is clearly defined;
  • there is a system to ensure that staff routinely remove poorly filed and torn health records to reassemble or re-cover;
  • there are documented procedures for the transportation of health records within and outwith health board boundaries;
  • there are documented procedures for handling subject access and other legal requests with clear responsibility for responding by fully trained dedicated staff who process requests efficiently and in accordance with the law;
  • there is a mechanism to help identify any misfiled health records, e.g. colour coding;
  • there are documented procedures for the retention, archiving or destruction of health records in accordance with national guidelines. The method of destruction must ensure that confidentiality is maintained at all times;
  • there is a set of performance indicators which demonstrate the efficiency of health records management. These should monitor such things as health record availability, use of temporary folders and timescales for receipt of health records at wards following emergency admission.

1.5.4 Archiving and Disposal of Health Records

There is a documented procedure for the retention, destruction or archiving of health records. See Annex D of the Scottish Government Records Management NHS Code of Practice (Scotland). The method of destruction must ensure that confidentiality is maintained at all times. The procedure specifies the timescale for retention for all types of health records and media and the procedure for transfer between media.

1.6 Legal and Professional Obligations

All NHS health records are public records under the Public Records (Scotland) Act. The Board will take actions as necessary to comply with legal and professional obligations such as:

  • The Data Protection Act 1998;
  • The Common Law Duty of Confidentiality;
  • The NHS Scotland Confidentiality Code of Practice;
  • Access to Health Records Act 1990; and any new legislation affecting health records management as it arises.

1.7 Roles and Responsibilities

1.7.1 Data Controller

The Chief Executive Officer has overall accountability for ensuring that health records management operates correctly/legally within the Board. The Chief Executive Officer may delegate responsibility for management and organisation of health records services to the Chief Operating Executive or Executive Medical Director who is responsible for ensuring appropriate mechanisms are in place to support service delivery and continuity. Health records management is key to this, as it will ensure appropriate and accurate information is available as required.

1.7.2 Caldicott Guardian

The Board's Caldicott Guardian has a particular responsibility for reflecting patients' interests regarding the use of patient identifiable information. The Caldicott Guardian has responsibility for:

  • ensuring the Board is fulfilling all legal obligations in managing patients' health records;
  • agreeing and reviewing internal protocols governing the protection and use of patient identifiable information by Board staff;
  • agreeing and reviewing protocols governing the disclosure of patient information across organisational boundaries, e.g. with social services and other partner organisations, contributing to the local provision of care;
  • developing the Board's security and confidentiality policies;
  • representing confidentiality requirements and issues to the Board, advising on annual improvement plans and agreeing and presenting annual outcome reports.

1.7.3 Records Management/Information Governance Steering Group

The Board's Health Records Management/Information Governance Steering Group/Committee is responsible for ensuring that the Health Records Management Policy is implemented through endorsement of the Health Records Management Strategy.

1.7.4 Designated Officer

The designated officer (Head of Health Records Services/Health Records Manager) holds a health records qualification or is suitably trained in health records practices. This officer has professional responsibility for the overall development and maintenance of health records management practices throughout the Board and for ensuring that related policies and procedures conform to the latest legislation and standards on data protection, patient confidentiality and health records practice. This officer is also accountable for the release of all patient clinical information for data subject access and medico-legal purposes.

1.7.5 Staff Responsibility for Record Keeping

All NHS employees are responsible for any health records which they create or use. This responsibility is established and defined by the law (Public Records (Scotland) Act 1937). Furthermore as an employee of the NHS, any health records created by an employee are public records.

All Board staff whether clinical or administrative, who create, receive and use health records have records management responsibilities. All staff must ensure that they keep appropriate records of their work and manage those health records in keeping with this policy and with any guidance subsequently produced.

Everyone working for or within the NHS who records, handles, stores or otherwise comes across patient information has a personal common law duty of confidence to patients and to his or her employer. The duty of confidence continues even after the death of the patient or after the employee or contractor has left the NHS.

Breach of this policy will mean the organisation is not safeguarding information entrusted to it, which in some circumstances may render the organisation liable to prosecution. It is therefore essential that staff within the organisation with responsibility for records management comply with the policy otherwise they may be subject to disciplinary procedures.

1.8 Retention and Disposal Schedules

It is a fundamental requirement that all of the Board's health records are maintained for a minimum period of time for clinical, legal, operational, research and safety reasons. The length of time for retaining health records will depend on the record type. The Health Board has adopted the minimum retention periods set out in Annex D of the overarching Code of Practice. The locally agreed retention schedule can be found in records management guidance note 003. The local retention schedule will be reviewed every 3 years or earlier in the light of legislative or Scottish Government changes.

1.9 Health Records Inventory

The Health Board requires to know what records are held, where they are kept and how the information contained within the records is being used. An up to date health records inventory will be maintained by the Head of Health Records Services/Health Records Manager. This will identify all record collections/information sets that exist within the organisation, the volume of records, the type of media on which they are held, their physical condition, their location, the physical and environmental conditions in which they are stored and the responsible manager. The Head of Health Records Services/Health Records Manager should be made aware when new collections of records or information sets are created or where management arrangements or physical locations change. A sample records inventory survey form can be found in records management guidance note 004.

1.10 Health Records Management Systems Audit

The Health Board will regularly audit the records management practices for compliance with this policy. Auditing health records policies and procedures will be done on a systematic basis. The audit will compare current operational practice against defined procedures. The audit cycle will include self assessment against the Information Governance, Quality Improvement Scotland and Patient Records and Information Management Accreditation Programme Standards (if the organisation subscribes to the accreditation and development of health records programme). (A summary of these standards can be found in records management guidance note 005).

[Figure: Audit Cycle]

1.11 Health Records Management Improvement Plan

The Health Board has formulated an Improvement Plan identifying programmed activity for delivery of the Health Records Strategy. This identifies tasks related to each of the development areas with achievable milestones and timescales for implementation. Progress will be monitored through audit and compliance with the Information Governance and Patient Records and Information Management Accreditation Programme standards (if the organisation subscribes to the accreditation and development of health records programme). The Improvement Plan can be found in records management guidance note 006.

1.12 Health Records Policies and Procedures

The Head of Health Records Services/Health Records Manager is responsible for planning and documenting Health Records departmental policies and procedures thus providing standardisation of work tasks throughout the department. In this context a procedure is a structured, action orientated list of sequential steps involved in carrying out a specific job. It is a series of related steps designed to accomplish a specific task. All Health Records Departments should have a policy and procedure manual to ensure that all staff members are undertaking their duties in a consistent way. Health records policies and procedures associated with this document can be found in records management guidance note 007.

1.13 Training

All staff employed by the Health Board including volunteers and contractors are given training on their personal responsibilities for health records keeping. This includes the creation, use, storage, security and confidentiality of health records. Appropriate training should be provided for all users of the health records systems to meet local and national standards. All new employees to the organisation will be given basic training as part of the organisation's induction process. Additional training in the specifics of health records management will be provided where appropriate. Training is tailored to specific staff groups and functions including the following:

  • all current relevant legislation and NHS standards;
  • all current relevant organisation policies and procedures;
  • Caldicott requirements;
  • patient confidentiality and the security of records, whether paper or electronic;
  • Data Protection Act 1998;
  • Access to Health Records Act 1990;
  • Scottish Government Records Management NHS Code of Practice (Scotland);
  • secure destruction of confidential waste;
  • individuals' rights to access information (Data Protection Act 1998/Mental Health (Scotland) Act 2003);
  • NHS Scotland Code of Practice on Confidentiality;
  • Patient Records and Information Management Accreditation Programme (PRIMAP).

Health records practitioners and personnel are pivotal to the management of health records systems and should receive customised training in health records practice. The policy and procedure manual is a key management tool and should form the basis for all health record system specific training.

The Scottish Health Records Forum acknowledges the effort of the sub group in drafting this Policy for use across NHS Scotland. It is hoped the document will provide a framework which can be customised for use at individual NHS Board level.

Mr Robert H Bryden, NHS Ayrshire & Arran (Chair)
Miss May McConnell, NHS Ayrshire & Arran
Mrs Marilyn Horne, NHS Glasgow & Clyde
Ms Debbie Baird, NHS Ayrshire & Arran
Mrs Anne Allison, NHS Ayrshire & Arran
Mrs Margaret Kerr, NHS Ayrshire & Arran
Ms Fiona Crawford, NHS Ayrshire & Arran
Ms Fiona Hutchison, NHS Forth Valley


2.1 Definitions

Health Record: Also referred to as:

Medical record
Case note
Case record
Patient record

Policy: Strategy / plan / guidance / principle / course of action.

PRIMAP: The Patient Records and Information Management Accreditation Programme provides a structured process for internally assessing health record services against professionally endorsed services as well as an external peer review to highlight good practice, identify problems, recommend solutions and promote continuous quality improvement.

Procedure: A structured, action orientated list of sequential steps involved in carrying out a specific job. It is a series of related steps designed to accomplish a specific task.

2.2 Acronyms


Community Health Index






Health Department Letter


Information Governance


Patient Records and Information Management Accreditation

2.3 References

Access to Health Records Act 1990

Data Protection Act 1998

The Management Retention and Disposal of Personal Health Records

Human Rights Act 2000

Information Governance Standards

Medical Reports Act 1988

National eHealth Strategy

PRIMAP (Patient Records and Information Management Accreditation Programme)

Public Records (Scotland) Act 1937

Quality Improvement Scotland - Standards for Record Keeping

The Computer Misuse Act 1990
