Centennial Medical Care abides by the Data Protection Act 1998 and has a duty to look after all confidential patient information and to be clear about how CMC uses such information. To provide a service to patients it is necessary that both doctors and non-medical staff working at CMC have access to patient medical records and this access is kept to a necessary minimum.
We take information about you in order to respond to your queries and tailor our support to suit your needs.
We do not provide this information to any third parties.
How long health records are retained
All patient records are maintained digitally on a cloud based Patient Management System. Each user of the PMS has an individual login.
If any member of staff leaves then it is the responsibility of the Practice Manager to disable the login.
All pathology results and scans are scanned onto the patient record and then destroyed by shredding.
When a patient attends they have to complete a Patient Registration Form, which is scanned onto the patient notes.
This registration form and day sheets, which detail complete clinics are retained for a period of 6 months. All records are then destroyed confidentially.
Patients who have a concern about any aspect of their care or treatment at CMC, or about the way their records have been managed, should contact the Practice Manager.
Additionally, patients have the right to complain to the Information Commissioner if they should ever be dissatisfied with the way CMC has handled or shared their personal information:
The Information Commissioner's Office (ICO)
This is a Privacy Notice - also known as a Fair Processing Notice and is in accordance with the General Data Protection Regulation (GDPR) which comes into force in May 2018 and replaces the Data Protection Act 1998.
This notice describes how Centennial Medical Care (CMC) uses and manages the information it holds about its patients, including how the information may be shared with other organisations and how the confidentiality of patient information is maintained.
Personal data is information that relates to a living individual who can be identified from that data.
CMC holds personal data about its patients for the purposes of providing them with appropriate care and treatment.
CMC keeps records about the health care and treatment it provides to its patients.
This helps to ensure that patients receive the best possible care from CMC.
CMC may also use personal details to issue patient satisfaction surveys relating to the services used.
It helps patients because:
- Accurate, up-to-date information is important for providing the right care;
- If a patient has to see another doctor or is referred to a specialist within CMC, full details of the patient's medical records can be made available;
- Satisfaction surveys enable CMC to improve the way it delivers healthcare to its patients.
Patient information may be shared, for the purposes of providing direct patient care, with NHS organisations, such as NHS Acute Trusts (hospitals), NHS Community Health (primary care), NHS general practitioners (GPs), NHS ambulance services etc.
In such cases, the shared data must always identify the patient for safety reasons.
For the benefit of the patient, CMC may also need to share patient health information with other private organisations and with social services which are also providing care to the patient.
However, CMC will not disclose confidential health information to third parties without the patient's explicit consent, unless there are exceptional circumstances, such as when the health or safety of others is at risk or where the law requires disclosure.
CMC may also be asked to share basic information about its patients, such as names and addresses, which does not include sensitive health information.
Generally, CMC would do this where it is necessary to assist an organisation to carry out its statutory duties.
As it may not be practicable in such circumstances to obtain patients' explicit consent, CMC is informing its patients through this notice, which is referred to as a Fair Processing Notice, under the General Data Protection Regulation 2018.
- When the patient has implicitly consented to the sharing for direct care purposes;
Where patient information is shared with other organisations, or for reasons other than direct patient care, it is good practice for an information sharing agreement to be drawn up to ensure that information is shared in a way that complies with all relevant legislation.
Refusing or withdrawing consent
The possible consequences of refusing consent will be fully explained to the patient at the time, and could include delays in receiving care.
In those instances where the legal basis for sharing of confidential personal information relies on the patient's explicit or implied consent, then the patient has the right at any time to refuse their consent to the information sharing, or to withdraw their consent previously given.
In instances where the legal basis for sharing information relies on a statutory duty/power, then the patient cannot refuse or withdraw consent for the disclosure.
Children’s personal data will be used in accordance with this Fair Processing Notice and with the consent of the parent/guardian.
A person of 17 years old and under is deemed as paediatric at CMC and therefore we will not process any data for the purposes of direct marketing.
It helps CMC:
- To plan, manage and audit the health services it provides;
- To prepare statistics on its performance;
- To teach and train healthcare professionals;
CMC is registered with the Information Commissioner's Office as a Data Controller reference ZA031325, as required by the Data Protection Act 1998.
Patients have the right to access personal information about them held by CMC, either to view the information in person, or to be provided with a copy.
Patient wanting to access their health records should request in person at CMC or e-mail firstname.lastname@example.org.
What kind of information CMC holds about patients
- Identity details - name, date of birth, NHS Number
- Contact details - address, telephone, email address
- Next of kin - the contact details of a close relative or friend
- Details of any outpatient appointments and/or GP appointments
- Results of any scans, X-rays and pathology tests
- Details of any diagnosis and treatment given
- Information about any allergies and health conditions
By providing CMC with their contact details, patients are agreeing to CMC using those channels to communicate with them about their healthcare, i.e. by letter (postal address), by voice-mail or voice-message (telephone or mobile number), by text message (mobile number) or by email (email address).
All patient are asked to complete a registration form when they attend or to confirm existing details. There is an opt out/ in out box at the bottom of the form for direct marketing purposes. Whichever box the patient choses CMC will strictly abide by this request. If neither box is chosen then CMC will deem this as the patient is declining direct marketing.
Any e-mails sent will be blind copied in, so as not to divulge other patients registered at CMC.
There is an option on the marketing e-mail to opt out of further e-mails.
All e-mail addresses are held on Constant Contact, a direct cloud based marketing online company.
How patient records are kept confidential
Everyone working for CMC has to sign a Confidentiality Agreement.
Information provided in confidence will only be used for the purposes advised and consented to by the patient, except in circumstances where the law requires or allows CMC to act otherwise.
Under the Confidentiality Agreement, all CMC staff are required to protect patient information, to keep patients informed of how their information will be used, and to allow patients to decide about how their information can be shared.
How patient records are shared
CMC shares patient information with a range of organisations or individuals for a variety of lawful purposes, including:
- Disclosure to GPs, Consultants and healthcare practitioners for the purposes of providing direct care and treatment to the patient, including administration;
- Communication with medical insurance companies to assist in the processing of insurance claims
- Communication with a company we engage to invoice medical insurance companies for reimbursement.
- Disclosure to those with parental responsibility for patients, including guardians;
- Disclosure to carers without parental responsibility (subject to explicit consent);
- Disclosure to bodies with statutory investigative powers - e.g. the Care Quality Commission, the GMC, the Audit Commission, the Health Service Ombudsman;
- Disclosure to solicitors, to the police, to the Courts (including a Coroner's Court), and to tribunals and enquiries;
Confidential patient-identifiable information is only shared with other organisations where there is a legal basis for it as follows:
- When there is a Court Order or a statutory duty to share patient data;
- When there is a statutory power to share patient data;
- When the patient has given his/her explicit consent to the sharing;