The Chartered Society of Physiotherapy The Chartered Society of Physiotherapy


View your shopping cart.

Legal, regulatory and employer responsibilities

File 139761Physiotherapy staff that are recording, accessing, and storing health records must be aware of the legal context within which they work, and comply with regulatory, national, professional body and local employer guidance on record keeping.

The Code of members' professional values and behaviour states that all members are responsible for 'adhering to all legal, regulatory and ethical requirements.'

Health records and the HCPC

In the UK, the Health and Care Professions Council (HCPC) regulates all Allied Health Professionals (including physiotherapists).

Two HCPC documents set out the responsibilities that all physiotherapists have in relation to meeting regulatory obligations in their record keeping practice:

  1. Standards of conduct, performance and ethics
  2. Standards of proficiency: physiotherapists (This sets out the minimum standards the HCPC consider necessary to protect the safety of the public. Standard 10 ‘Be able to maintain records appropriately’ should be reviewed in relation to record keeping.)

As part of the HCPC registration process, all physiotherapists must sign a declaration to confirm that they have read and will work to these standards in their practice.

Lack of adherence to these standards can lead to a physiotherapist being called to defend themselves in a HCPC Fitness to Practise hearing, and could ultimately lead to being struck off the HCPC register.

Health records and the law

Physiotherapy records are legal documents that may be called upon for a range of legal purposes.

The purpose of the physiotherapy record is to allow a third party reader to make a judgment based on the content of the record and therefore, the physiotherapy record may be the only robust defence against any claim or error, omission, act or negligence in the course of clinical practice.

The physiotherapy notes must be an accurate account of events at the time they are recorded. The assessment/intervention recorded must be factually correct at the time.

The burden of proof will depend on the specific setting and circumstance in which the notes are being scrutinised.

If there is no record made then the law may consider the events ‘not to have happened’ and look to other sources to make a judgment.

Patient access to records

The following Acts govern how a patient may request access to their records.

The Data Protection Act 1998 regulates the use of information about living individuals in relation to obtaining, processing, using and disclosing information.

It also sets out the right for living individuals to be informed that information is being held about them, and for what purposes the information will be processed. Review the eight Data Protection Principles.

The Access to Health Records Act 1990 and Access to Health Records (Northern Ireland) Order 1993 gives the right of access to a deceased patient’s health records by specified persons

  • The Access to Medical Reports Act 1988 (NHS Management Executive. Access to medical reports act 1988: chapter 28. London: HMSO, 1988.)

The Access to Medical Reports Act 1988 governs release of commissioned reports of living patients for employment or insurance purposes.

If a third party (for example an employer or solicitor) requires access to a patient’s health records then application must be under the Data Protection Act and can only be made with the patient’s express written permission, except where permitted by law, for example if the patient lacks the mental capacity to make a decision about releasing the records.

Health professionals: handling and use of information

The following Acts govern how a health professional must handle and use information.

Organisations, including self-employed individuals must be registered with the Information Commissioner and comply with the Act including the Data Protection principles and retention requirements.

The Information Commissioner’s Office has published useful guidance on the Data Protection Act, how to manage data losses, and good practice in capturing professional opinions in health records.

The Freedom of Information Act 2000 and Freedom of Information (Scotland) Act 2002 gives people the right to access official information from public medical/health organisations.

These Acts apply to public authorities (for example, the NHS), companies that are wholly owned by public authorities, or any person or organisation exercising a 'public function', including voluntary organisations providing services under contract with local authorities and trusts.

There are time frames to be adhered to in providing a response to a freedom of information (FOI) request.

There are also some exceptions where information does not have to be supplied (repetitious or vexatious requests; information that is already in the public domain; commercially sensitive information; or patient record information that is protected under the Data Protection Act.

The Information Commissioner’s website has further details about FOI requests.

The Computer Misuse Act 1990 makes it an offence to gain unauthorised access to computer materials (including using another person’s username, password, login ID or smartcard without their permission to gain access to records).

The Human Rights Act 1998 sets out the 'right to respect for private and family life'. The contents of health records are classed as private and so are covered by the Act.


Back to top