Physiotherapy staff have a professional and legal obligation to keep an accurate record of their interactions with patients. These records are legal documents, which can be called upon in a variety of situations. Comprehensive patient records also help to drive high standards of patient care.
Poor record keeping poses a significant clinical safety risk and is the most common reason physiotherapists find themselves being referred to the Health and Care Professions Council (HCPC). All physiotherapists must meet the HCPC standards on record keeping.
A record can be in paper or electronic format, or a mixture of both, and should include all the information relating to the health status and management of the individual patient. Clinic letters or digital records are acceptable provided all elements of the assessment, intervention, judgment and treatment are recorded.
The level and complexity of record-keeping that you complete will vary according to the context of the intervention and the background health status of your client. The notes a physiotherapist chooses to keep for a patient attending a Pilates class will be more basic than, for example, those of a patient who has had a fall and has a complex medical history.
A good record will enable an independent reader to understand what conversations took place with a patient, what information was exchanged, the extent of any examination performed, what treatment was provided and what clinical reasoning decisions were made. The information must be clear to another health professional /the patient.
Members should only use short forms if there is an agreed list developed locally that is accessible to anyone entering information into, or viewing, health records. If records are being transferred elsewhere, the agreed list must be transferred with the record to aid subsequent understanding of the short forms that appear in the record.
Written records should be:
- legible and written in permanent ink
- signed at the end of the record (and name printed)
- paginated, including date of consultation and time when appropriate
- amendments should be dated, timed and signed and the original entry still clearly visible
Electronic recording systems should be able to:
- show who has made the record
- show revisions or amendments
- lock the notes
More detail around the specific standards expected of physiotherapists when keeping records can be found in section 6 of the CSP’s Quality Assurance Standards. This resource may be useful for helping you audit records.
Record-keeping considerations
Shared notes
Shared records are becoming increasingly common and are an acceptable practice, as long as physiotherapy staff ensure their interventions are properly documented. If record-keeping is delegated to a support worker, the physiotherapist must be confident in that worker’s competence.
It’s increasingly common for multiple clinicians to contribute to a shared record, which is acceptable practice. Physiotherapists must still ensure their interventions and decision-making are documented, using whatever system their employer provides. If the main medical record only allows for basic care notes and lacks space for full clinical detail, a separate physiotherapy record should be kept. Duplication should be minimised where possible.
Countersigning
Health Care Support Workers (HCSW) When you delegate or allocate a task to an HCSW, you are accountable for the decision and, as such, must be confident that they have the necessary knowledge, training and competency to carry it out. The HCSW is responsible for carrying out the task to the best of their ability and so they should enter what they do with the patient in the patient record. There is therefore no reason for the registered physiotherapist to countersign the record.
Students
Physiotherapists who are supervising students have a duty to make sure, as far as possible, that records completed by their students are clearly written, accurate and appropriate. The practice educator, physiotherapist or qualified member of the multidisciplinary team is responsible for the patient and professionally accountable for the actions of the student, who is performing delegated tasks. They must therefore countersign the record. There are circumstances when an HCSW can countersign a student’s record. In this situation, there must be local agreement to this approach; the HCSW must have competence in practice education and supervision, and the student must only be recording the tasks and activities they have undertaken that are in the scope of the supervising HCSW’s role.
Physiotherapists undertaking post-graduate training and/or returning to work
HCPC-registered physiotherapists (whether undertaking postgraduate studies or returning to practice after a career break) do not need to have their entries into the health record countersigned. Physiotherapists undergoing a formal return-to-work programme who are not yet HCPC registered must have their records countersigned, as they have not yet fulfilled the requirements of autonomous practice associated with HCPC registration.
GDPR and Subject Access Requests
GDPR is one of the set of Regulations that underpin the new Data Protection Act 2018. There is a significant focus on demonstrating compliance with the new laws and the penalties for data breaches are significantly increased. You can read more about GDPR and data ethics from a physiotherapy perspective here.
A Subject Access Request (SAR) is the way in which a person exercises their right under GDPR to find out what information an individual, organisation or business holds about them. An SAR may be made orally or in writing. If you receive an SAR you should verify the identity of the person making the SAR if you have any doubts as to who you are dealing with.
You have one month (30 days) to provide the information, and it is usually provided free of charge. You may be able to refuse to comply with an SAR if it is unfounded or ‘manifestly excessive’. You must document how you manage SAR requests.
People requesting records have no entitlement to the original records. You must retain your original records for the required length of time. People must be provided with a copy of their record in the format that they ask for.
GDPR has several exemptions in response to a SAR if:
- it is likely to cause serious physical or mental harm to the patient or another person
- it is requested by a third party and, the patient had asked that the information be kept confidential and/or has not given their permission for the records to be released
- it is restricted by Order of the courts
- it relates to adoption records, human gametes, embryo’s or relates to people born from IVF
You should still disclose the remainder of the records. Circumstances in which information may be withheld on the grounds of serious harm are extremely rare, and this does not justify withholding records because patients may find them upsetting.
Ownership of notes
When a physiotherapist or physiotherapy HCSW is employed, the records they create or contribute to belong to the employer. As the record is owned by the organisation, it controls access and release, not the individual who created the record, so it does not matter if the individual has moved on or not. The organisation or practice employing you must keep the clinical records securely on their premises. You must be given reasonable access to the records you create but must not take records with you when you leave that place of work.
Sole Practitioners / Self-Employed Physiotherapists
Where a person is self-employed and a ‘sole practitioner’, it is the self-employed physiotherapist who owns the notes. In this case, the self-employed physiotherapist also has legal responsibility to register with the Information Commissioner and take on the burden of all Data Protection issues including storage, retention, security, processing and destruction of records. Failure to comply with such requirements can result in legal penalty.
Self-employed physios contracted to provide services for/on behalf of a third party
Where a person is self-employed but is contracted to provide services for/on behalf of a third party, for example to a private practice or clinic, private hospital or NHS establishment, the self-employed physiotherapist is in effect working on a consultancy basis. In this situation the Practice contracting with the self-employed physiotherapist is normally considered to 'own' the records, for the following practical reasons:
- In most circumstances the records are generated as a by-product of the 'contract' and in the first instance it would be the company that would be sued if something untoward happened, therefore it should be the company that retains the records. In these circumstances, the self-employed physiotherapist is also exposed to liability, they must be able to access the records to defend themselves. Having access to the records does not mean that they have to own the records.
- If the self-employed physiotherapist is absent from the Practice for some time, the patient is likely to wish to be treated by someone else within the Practice, and in these cases the other physiotherapist must have access to the notes, again making it essential that the Practice own the notes.
The practice has the legal responsibility to register with the ICO. Thus, if you run your own physiotherapy business (including medico legal work), or you provide self-employed services to a physiotherapy business where you decide yourself how your patients are treated, you need to register with the ICO. If you are unsure whether you need to do so, you can take the ICO’S quick self-assessment test to find out.
Storage and retention
Records form a legal record of treatment and therefore must be retained safely and securely in accordance with the Data Protection Act 2018. Under GDPR regulations, data must only be kept for as long as necessary for the original reason it was collected.
Each UK country sets out minimum retention periods for NHS health records. The minimum retention periods apply to all formats/media that contain components of information relating to the health record. Retention schedules vary according to the type of record but, in general, for those with capacity it is usually:
- Eight years from the date of last treatment for adult records.
- Eight years after their 18 birthday or until 25 years of age for children.
Storage of electronic records
Just as with paper records, electronic records should be kept secure whenever practically possible. This could include password protection when records are static and encryption when sharing sensitive or identifiable information. Under GDPR, data about an EU citizen should remain in the EU unless the provider can demonstrate that they comply with certain regulations. This information is normally on the company’s privacy policy. The CSP cannot recommend any provider over another but it is essential that any systems being used by members comply with GDPR regulations.
Frequently asked questions about record-keeping
Can I share my records with other healthcare professionals involved in the patient’s care?
Yes. You must share information with other health professionals directly involved in the patient’s care in order to give appropriate advice and treatment. You don’t need the patient’s written permission to do this, but you should always seek to ensure that your patient is aware of the communication you have with other health professionals. The patient has the right to prevent you sharing information. If they do so, they should be informed of how this might affect continuity of care. However, if you feel that a patient is in danger to themselves or to others you may contact the patient’s doctor, even without the patient’s consent, and raise your concerns.
I work in the community. How do these guidelines fit with my practice?
Access and storage of patient records when out in the community can be problematic. Local policies should be put in place to ensure everything possible is done to keep records safe and secure. When you are using electronic devices, these should be password protected.
While our Quality Assurance Standards state that notes should be written ‘immediately after the contact with the service user or before the end of that working day’, this may not be practicalor possible in all situations. Local policies should be written that support good practice for circumstances such as this.
When a sole trader or self-employed physiotherapist retires or dies, what should happen to their patient records?
Once you retire, you must make suitable arrangements for storage of your patient records in order for you or your patients to be able to access them should the need arise in the future and to comply with data laws. Under GDPR regulations, you can only pass a patient's details on to another physiotherapist when you retire if they give explicit consent to be contacted in this way.
If guidance changes regarding the storage of notes, then it would be your responsibility to be up to date and adhere to the guidance for as long as the notes need to be retained.
After death, if you are a sole trader, the patient records will become part of your estate and will be dealt with under the administration of your will or letters of administration if you have no will. It is therefore important that your executors know that they will have to deal with your business as well as your personal life. If your business is a limited company and thus a legal entity in its own right, independent of you, you may wish to consider obtaining legal advice on how you should prepare/plan for business continuity/cessation of legal entities after the death of the natural owner of the legal entity.
After your death, patient records must still be stored and retained in accordance with data requirements. They must be accessible should any former patient request access to the records or if the records are required for any other purpose.
What should I do if there is a data breach?
It is the ICO that deal with data breaches, some of which must be reported to them. You will find further information and guidance on their website.