Intended for healthcare professionals


Should patients own their health records?

BMJ 2022; 377 doi: (Published 11 May 2022) Cite this as: BMJ 2022;377:o1182
  1. Angela Coulter, freelance researcher

It’s my body and my health so why can’t I be the legal owner of my medical record? This important question was debated during a series of webinars run by The BMJ on patient access to medical records.1 Most of those involved agreed that we should be able to access all data that’s held on us, including our full medical records, but the ownership question was more contentious.

Many webinar participants saw record ownership as key to rebalancing healthcare in a more person centred direction, empowering patients to take more control of their health and data. They argued that ownership would deliver benefits in terms of the ability to control access, to check and correct errors, to record health goals and concerns, and to monitor usage through an electronic audit trail.

Others asserted that most people don’t want the responsibility of holding, managing, and maintaining their records, as long as they can access them when they need to. Some felt that defining ownership of electronic data are impossible anyway and must not be used as a ploy to derail patient access to their records, which is more important.

Patients in the UK have had a right to view, but not own, their medical records since 1998, but a special request had to be made to a data controller—usually a general practice or hospital—to effect this and very few patients did so.2 Access became slightly easier in April 2015 when all GPs were contractually obliged to offer patients online access to certain sections of their primary care record, but not all of it.3 GP software providers made record access facilities available and many practices activated these, but little was done to advertise them, with the result that uptake was slow to develop—by 2021 only 7% of patients in England had accessed their medical records online.4

Meanwhile the law in relation to record ownership remains unreformed, with legal ownership vested in the organisation that owns the paper or database on which the record is stored. This leaves records in a highly fragmented state, with no central place where patients can access their full medical record, including hospital and other specialist notes, as well as those held by general practices. Each data controller can in theory allow access to the data they themselves hold but not that held by other bodies. In practice this leads to huge confusion about how and when records can be shared.

The government’s recent attempt to clarify the situation announced the vaguely worded intention to “bring citizens closer to their data,” but offered no means of giving them more control, relying instead on assurances that personal data will be shared between professionals working in different settings securely in a way that protects patients’ privacy.5 While privacy and data security is of utmost importance, the report completely fails to recognise that people may want to have more control so they can use their records to manage their own healthcare and to determine who can access it.

What do I want?

As a patient I can already access parts of my GP record on my mobile phone and it’s helpful to see vaccination records, test results and prescriptions, but the system blocks me from viewing the most useful items, namely diagnoses, consultations and letters between GPs and specialist providers. I want to be able to see my complete medical record securely on my tablet or smartphone. I can view my bank details this way, so why not my health details too?

With full interactive access to my medical record, I could check diagnoses and key dates in my medical history, correct any errors or misinformation, record health goals and advance directives, and make decisions about my care. I should also be able to control access to any sensitive items or those involving third parties, with the power to determine which specified professionals should be able to view these, or to remove them altogether.

It would be especially useful to be able to share my record when I need medical care away from home or when travelling abroad. It would also be useful to view an audit trail to monitor who has accessed the record and for what purpose. And I would like to be able to share specific items with third parties in the same way I can share my covid vaccination status via the NHS app, for example eye test results to prove to the licensing authority that I satisfy the medical standard for safe driving.

All of the above is technically possible. Presenters in the BMJ webinar series described systems in Sweden, the US and elsewhere where virtually all these facilities are currently available to patients via patient portals established for the purpose. We also heard from British GP, Dr Amir Hannan, who has done such a good job of enabling and encouraging his patients to access their online records, that about 80% of his patients now do so.

Clinicians sometimes worry that patients won’t understand what is in their notes or will become unnecessarily anxious, that the information may be too sensitive to share, or that it will generate increased workload. Experience in other countries has shown that these concerns are usually baseless.6 Patients both value and benefit from online access to their records, leading to improved understanding of health information, better relationships with clinicians, better adherence to treatment, better monitoring, more involvement in treatment decisions, and improved self-care.7

Perhaps the ownership question is a red herring. I don’t worry about the legal niceties of who owns my bank records because I know I have full control and I trust the bank to hold them securely. I don’t necessarily need to be the legal owner of my medical records, but I do want to be the recognised custodian, with much better access and control than I currently have. My bank treats me like a grown-up. Why can’t the health service do the same?


  • Competing interests: none declared.

  • Provenance and peer review: not commissioned, not peer reviewed.