Can someone from a different GP's access my medical records?

[Lelala]

just as the title says really

I am registered with a gp surgery

someone known to me works for a completely different gp surgery but seems to have knowledge of my medical information

are they able to access my medical records even though they work at a separate surgery?

I explained that access is determined by what is put on my smart card.

It is the practice manager who liaises with the smart card programmer though, so I wonder if there might be something fishy there. Unfortunately you do get crimes being committed in the NHS, just like anywhere else. Most commonly it is fraud/ stealing money/ drugs. Rare, but it does happen.

In my last job it was a source of endless frustration how difficult it was to get a full set of records. You'd think you could write to one place and they'd hit print. No. You have to write to the current GP, records aren't held by a previous GP, if they've been treated by more than 1 hospital you need to write to them individually. Older records are still held on paper and need to be manually photocopied, and physically transferred if there's a change of GP. There are moves to make it more centralised but it's not really happened yet.

Yes possibly.
But as healthcare professionals we are not allowed to look at any parents notes, unless we are involved in their direct care.
Looking at a friends notes would get us into trouble. Everything we look at has an electronic footprint- so you will need able to ask who has looked at your notes.

Yes, but is it possible? It would seem so.

Hospitals can see your records (as long as you have ticked that box on your registration forms). Other GP surgeries can't, unless they are linked - IE I belong to a surgery that is one of 3, so you can visit whichever one has an appointment.

It is unethical.
It is a sackable offence.
It is possible.
IME it is more possible for a practice manager than a HCA or receptionist, for example because of the difference in smart card permissions.

As endof said above "OP you need to contact the practice manager at your own surgery and ask for an audit by the Caldicott Guardian"

Raise your concerns and say it is possible that someone has accessed your records and you would like this investigated. See what comes of it from there. I am glad that we went over onto computerised systems as now there is a trail of who has accessed what information.

They can’t you have to have the role assigned to you. You can however go onto the SCR on the portal but it isn’t a full record

Either way, this person has not legitimately accessed a record by the sounds of things and this is why I only ever assigned ‘book appt’ only access to people from other surgeries if this ever came up and they can’t retrieve a record (working from a shared system)

OP, you don't have to mention who you think has accessed your record.
You can ask for an audit trail check.

Yes, they can. But there is an audit trail of who looks up your information.

@endofthelinefinally thank you for clarifying, I wasn't suggesting she names who she thinks did it. But knowing the right wording of the request helps so requesting an audit trail as suggested by you helps us non-medical people.

There's a lot of conflicting information on this thread.
If someone has a smart card and uses SystmOne in their role (including non clinical staff like admin), then they can see information relating to individuals from other gp's or other services. Eg physio who also use SystmOne.
Generally hospital information can't be seen because they usually use different electronic records. But if a hospital wrote a letter to the GP or health visitor for eg following an admission or out patient appointment then admin would scan that letter onto the record and it could be seen by whoever accesses the record. Some GP entries on SystmOne aren't able to be seen outside of that practice if the patient has requested limitations on their settings/consent to share.
Every time a record is opened on SystmOne it shows which smart card was used and for how long it was viewed even if no data is input. It's a very simple report to run. I occasionally click on the wrong record when there's a list but the digital footprint will show I'm in it for seconds and out as soon as I've realised my error. Someone looking at a record they shouldn't for any length of time will be caught if audited.
Your starting point is your own GP practice. You don't necessarily need a full copy of your record (unless you want it) via a subject access request just an audit and investigation by a nominated senior person whose role it is to undertake this.
I can only speak for SystmOne which is one of the biggest non hospital electronic record keeping systems but not every GP practice uses them.

"Have you read the Guardian news item linked above? It explains how the woman stallked by a hospital doctor found out that they'd accessed her GP's records (from California, so not even from within her NHS trust!)
You can do exactly what the stalled woman did."

@saraclara that's not what it says at all. Zero mention of California In fact absolutely no details are given of the victim as identities are protected. They would have been linked to the Trust in order to have a record. And no one can see anything without the trail. It will always timestamp who accessed when.

It is a very serious issue. When I was a nurse I had access to all levels of information because my job required it. I was not allowed to access records unless I had a legitimate clinical reason. I was not allowed to access my own records to check the results of the flu swab I had been asked to take- I had to ask a doctor to do it.

When I came into contact with patients who I knew for other reasons, I always went to my line manager, disclosed the reason I knew them (former colleague, relative, etc.) and asked for specific permission to access their records.

Each time you log into the system, there is an audit trail. You can view the audit trail. It tells you who has accessed the records (each user has a unique code), what records they viewed, and the time and date of access. So if I looked at a blood result, it would log it. If I then looked at different records and returned to the first patient's blood results, it would record my access again.

Each record is its own entity. A user may have a legitimate reason to access blood results, but not swab results. Or they may have legitimate reason to access admissions data, but not blood results. If questioned, the user would have to justify accessing each piece of information.

It may be technically possible, but this person would know what a massive problem it would be if they were caught.

I can only access records of patients registered at my practice, and the other practices in my PCN (primary care network) that I have been authorised access to.

My practice manager would have the same authorities. We have no authorisation on out smart cards to access records outwith our practices. So we can’t see patients records if they’re registered in another town, or a neighbouring practice that isn’t part of our PCN.

We can’t see hospital records, and as far as I’m aware they can only see a patients summary care record and only then if a patient has given consent for their summary record to be shared. Staff can access patients records if authorised to do so in their role, eg community staff nurses, dietitians, OT, physio, midwives, and I can see their entries.

An audit trail is kept electronically. It is entirely possible to access records without reason, but only if you already have the authorisation to do so and run the risk of being questioned why if it is flagged up.

I work in a gp surgery and can assure you that on our systems - the two main ones used - I can only see those patients that are registered with my surgery.

I worked in GP surgeries for 14 years until last year. I've only ever used the EMIS system and you can't access other patients records from another practice. If they're not registered, their name wouldn't come up. However, I can only speak from my experience and not sure about other systems.

Yes. I worked in a surgery where the receptionists would stay logged on to System 1 in busy times because it took too long to get onto the system if they logged out each time.
Other staff, practice nurses, GPs etc would also use the reception computers to quickly look patients details up without logging in under their own name.
If this is widespread then it would be very easy for someone working in one surgery to get information about an NHS patient in another area and impossible to know who had accessed this information.

Yes, because those are the permissions installed on your smart card. Everyone who is providing patient care has a smart card that is programmed specifically for their role.
That is why it is a very serious matter to share your smart card or password with anyone else.
Obviously a cleaner wouldn't have a smart card or a password.

That is really bad practice.

I don't know if anyone has explained that the smart card is a plastic card with a microchip that is physically slotted into a port on the computer. Then you have to input your unique password in order to access the system. It seems obvious, but maybe some people don't know exactly how it works.

@saraclara @Butterfly44 it says in the article at https://www.theguardian.com/society/2023/may/14/woman-medical-records-accessed-hospital-doctor-cambridge?CMP=Share_AndroidApp_Other very clearly that stalker doctor was able to access records from California on holiday.

@Lelala This answer by @endofthelinefinally is the most comprehensive correct answer you've had so far. Make it clear that you want the know about access by all individuals, not just ones in your own practice.

Looking at records without reason is a very serious breach of both professional guidelines AND contract of employment. We aren't even allowed to look up our own records.

People saying "I work in a GP surgery and I can only access our own patients" should actually be saying "I work in a GP surgery and the level of access my person profile is programmed into our system with means I can only access our own Patients".

With the right level of access it is possible to see other Patients' summaries. Eg, diagnosed conditions, medications, etc.