Physiotherapists in employment
When a physiotherapist is employed, the records he or she creates or contributes to belong to the employer.
Requests for access to records are made to the employer, who will follow the local policy and process the request in accordance with the Data Protection Act or, for deceased patients, the Access to Health Records Act.
As the record is owned by the organisation, it controls access and release, not the individual who created the record, so it does not matter if the individual has moved on or not.
In the NHS, records are owned by the Secretary of State, and are managed locally by the associated health organisation or GP practice.
In cases in the NHS where there has been a decision to allow a patient to hold their own health record, the record is still owned by the NHS body providing care to the patient.
The record is stored with the patient until such time as that care has ended, at which point the record is returned to the NHS body.
Where a person is self-employed and a ‘sole practitioner’, i.e. not contracted to provide services on behalf of another (for example a private practice, a private hospital or even an NHS hospital), it is the self-employed physiotherapist who owns the notes.
In this case, the self-employed physiotherapist also has legal responsibility to register with the Information Commissioner and take on the burden of all Data Protection issues including storage, retention, security, processing and destruction of records. Failure to comply with such requirements can result in legal penalty.
Self-employed physios contracted to provide services for/on behalf of a third party
Where a person is self-employed but is contracted to provide services for/on behalf of a third party, for example to a private practice or clinic, private hospital or NHS establishment, private company or industry, the self-employed physiotherapist is in effect working on a consultancy basis.
In this situation the Practice contracting with the self-employed physiotherapist is normally considered to 'own' the records, for the following practical reasons:
- In most circumstances the records are generated as a by-product of the 'contract' and in the first instance it would be the company that would be sued if something untoward happened, therefore it should be the company that retains the records. In these circumstances, the self-employed physiotherapist is also exposed to liability, so he/she must be able to access the records to defend him or herself. Having access to the records does not mean that they have to own the records.
- If the self-employed physiotherapist is absent from the Practice for some time, the patient is likely to wish to be treated by someone else within the Practice, and in these cases the other physiotherapist must have access to the notes, again making it essential that the Practice own the notes.
The Practice has the legal responsibility for correct registration for all data protection issues.
The means of transferring patient information securely between departments, practices or different health care providers must ensure that confidentiality is maintained throughout the process.
Guidance on the use of fax machines to transfer personal health information, which is directly applicable in all contexts/settings, has been issued by NHS Scotland.
In the case of emailing personal health information, there is much guidance available about using secure email systems.
The use of NHS Mail was mandated by NHS Scotland from October 2006 to ensure that all email communications concerning patient and sensitive data are made using NHS Mail (the only secure email system offering a high level of encryption available in NHS England and NHS Scotland).
The use of NHS Mail in both NHS England and NHS Scotland is endorsed by the CSP for the secure transfer of clinical information between NHS Mail users.
The NHS Chief Executive made a statement in 2009 that all person identifiable data must only be transmitted via email that has built-in encryption, or, if stored on a removable or mobile device (memory stick, laptop, PDA, CD-ROM, DVD, mobile phone etc), encryption software must be used to safeguard the information.
Indeed, the Information Commissioner has commented that, if mobile devices containing personal data are lost and have not been encrypted, his office will launch an investigation (Lowth M. Confidentiality in the modern NHS: Part 1. Practice Nurse. 2013; 43 (10): 48-51).
Encryption and personal data: Useful documents and websites
- NHS England: NHS England Confidentiality Policy June 2014
- Guidance on the implementation of encryption within NHS organisations
- NHS Wales: encryption code of practice setting out guidance for staff in this area (Lowth M. Confidentiality in the modern NHS: Part 2. Practice Nurse. 2013; 43 (10): 49-52)
- NHS Scotland has minimum standards on the protection of personal data carried on mobile devices