Q. Is it appropriate for practice support staff to have access to the patient's medical record?

A. Access to patient records should be regulated to ensure that they are used only to the extent necessary to enable the secretary or manager to perform their tasks for the proper functioning of the practice. In that regard, patients should understand that practice staff may have access to their records for:

• Identifying and printing repeat prescriptions for patients. These are then reviewed and signed by the GP.
   
• Generating a social welfare certificate for the patient. This is then checked and signed by the GP.
   
• Typing referral letters to hospital consultants or allied health professionals such as physiotherapists, occupational therapists, psychologists and dieticians.
   
• Opening letters from hospitals and consultants. These could be clinic letters or discharge letters. The letters could be appended to a patient's paper file or scanned into their electronic patient record.
   
• Scanning clinical letters, radiology reports and any other documents not available in electronic format.
   
• Downloading laboratory results and Out of Hours Coop reports and performing integration of these results into the electronic patient record.
   
• Photocopying or printing documents for referral to consultants, attending an antenatal clinic or when a patient is changing GP.
   
• Checking for a patient if a hospital or consultant letter is back or if a laboratory or radiology result is back, in order to schedule a conversation with the GP.
   
• When a patient makes contact with a practice, checking if they are due for any preventative services, such as influenza vaccination, pneumococcal vaccination, ante natal visit, contraceptive pill check, cervical smear test, overdue childhood vaccination, etc.
   
• Handling, printing, photocopying and postage of medico legal and life assurance reports, and of associated documents.
   
• Sending and receiving information via Healthmail, secure clinical email.
   
• Other activities related to the support of medical care appropriate for practice support staff.

All persons in the practice (not already covered by a professional confidentiality code) should sign a confidentiality agreement that explicitly makes clear their duties in relation to personal health information and the consequences of breaching that duty.

GP Practice Software Management system should provide an audit log of when patient information has been accessed, and by whom. Such an audit log makes it possible for the data controller in a practice to detect any unauthorised access to personal health information.