Online Access Policy




Yalding Surgery recognises the benefits of patient online access and is committed to enabling patients access in an efficient manner whilst ensuring that appropriate checks and safe-guards are in place to ensure that the interests our patients are protected and that there is no misuse of the system. This document should be read in conjunction with the online registration pack and forms our online access policy. 

image depicting online access



Since April 2014, practices have been obliged to give patients the opportunity to view online information equating to their Summary Care Record (SCR) as part of the 2014-2015 GP contract. 

From March 31, 2016, it is a contractual obligation to give patients online access to coded information held in their medical records, including medication, allergies, illnesses, immunisations and test results. Patients will need to register online with the practice in order to gain access to this information. 

Additional funding of IT is now in place which will allow both people and practices to benefit from the latest digital technologies. All patients will have digital access to their full records from 2020. 


Eligibility Criteria for Online Access 

Any adult patient over the age of 16 will be able to have their own online access account. Patients over the age of 16 are deemed competent to manage their own account. 

Parents/guardians will be able to have an online access account for their children under the age of 11 (see Proxy Access). 

Adolescents between the ages of 11-16 will need to be considered on a case-by-case basis for either individual or parental access to online accounts and this access will need to be reviewed on a regular basis according to the needs of all parties. 

Formal carers may be given access to patients’ online accounts, where adequate consent is given by the patient. Parties possessing lasting power of attorney for health for a particular patient may apply to access that patient’s online account when they are unable to manage this themselves. 


Identity Verification 

Checks should be carried out by a responsible person to ascertain the patient’s identity and it must be confirmed they are gaining access to the correct record. Most general practice services rely on varying levels and methods of identity verification. Access to online services demands a more consistent and robust approach to ensure patient confidentiality while providing them with secure access to personal and sensitive data. A secure identity verification process is required before full access to appointment, repeat prescription ordering or record access services may be enabled for a patient. 

Every Practice is required to verify patient identity documentation, or individually vouch for each patient requesting access to online services. These processes need to be simple, quick, patient friendly and not overly demanding for the practice. An overview of the process is given below. 

There are three ways of confirming patient identity: 

  • Documentation 
  • Vouching 
  • Vouching with confirmation of information held in the applicant’s records. 


Most patients are able to prove their identities using documentation. Two forms of documentation must be provided as evidence of identity and one of these must contain a photo. Acceptable documents include passports, photo driving licences and bank statements or council tax statement. 
There will always be some patients (e.g. temporary residents, travellers or young people living with their parents) who do not have acceptable identity evidence. In these cases, vouching may be possible if individuals are well known to the practice. 
All reception staff are aware of the practice protocol and are authorised to perform verification of identity by presented documents. 



Vouching for a patient’s identity requires a doctor or member of surgery staff, who knows the patient well enough to verify that they are who they say they are, and that no deception is taking place. Consideration should be given to how long each patient has been registered with the practice as well as how many times the staff member has met them. Vouching might therefore be appropriate for patients who have been registered for a short period involving frequent appointments, and also for patients registered for a long time but seen less frequently. 

Doctors must judge each patient on a case-by-case basis while ensuring that the agreed policy takes into account the duration of registration and frequency of patient contact. 


Vouching with confirmation of information held in the applicant’s record 

In a situation where the applicant is not known sufficiently well by a doctor to vouch for them on this basis, their identity may still be verified by obtaining responses to questions from information held in the medical records. This should take place discreetly and ideally in the context of a planned appointment. It is extremely important that the questions posed do not incidentally disclose confidential information to the applicant before their identity is verified. 


Practice protocol 

Online access is offered to or requested by a patient at registration with the Practice or to a patient who, although currently registered, is not well known to the Practice 

As the individual is not known to the Practice identity verification is required. 
The patient is given the registration pack and asked to return with appropriate documentation.  Reception staff may, if at times of high demand, need to take copies of the documentation and advise patients that they will be required to return to collect their password at a later date.  The registration form is scanned onto the patient’s records and code added to the patient record.  To avoid non-clinical information being stored in patient records personal documentation will not be scanned into those records. 

Online access is offered to or requested by an existing patient who is well known to the Practice 

As the individual is known well to the Practice identity can be vouched: this will usually be done by the patient’s usual doctor. 
The patient is given the registration pack and asked to return with appropriate documentation.  Reception staff may, if at times of high demand, need to take copies of the documentation and advise patients that they will be required to return to collect their password at a later date.  The registration form is scanned onto the patient’s records and code added to the patient record. 

Considerations/Approval of Access 

The practice will not approve on-line access to detailed coded information if it is deemed that it may cause physical and/or mental harm to the patient. 

On receipt of application, patient records will be checked by trained members of staff within the practice the names of which will be communicated internally. 
Named staff will be responsible for checking if patients are on certain registers for example, learning difficulties register, child protection register, mental health or have been identified as a possible victim/perpetrator of domestic abuse. Named staff will consult with the patients usual GP if required before access is granted /denied. 
Named staff will consider the following: 


Hiding sensitive consultations 

All domestic abuse consultation will be highlighted as confidential and will therefore be removed from online viewing. This must be made clear to patients that anything they say in relation to this during a consultation will not be viewable online. 
Any consultations of a sensitive nature may be highlighted as confidential. Access to online records will be on a patient by patient basis. 


3rd Party Information 

This practice will not share any information held within a clinical record that is deemed as 3rd Party Information without explicit consent from the 3rd Party. Any of our patients wanting access to these details must make the practice aware by submitting a Subject Access Request 


Proxy Access 

Proxy access refers to giving a third party access to online services on behalf of the patient and usually with the patient’s consent. To obtain formal proxy access a person must register at the Practice for online access to the patient’s record, though the proxy does not have to be a registered patient at the Practice. 

Patients may choose to share their login details informally with family, friends and carers (including a care home).The Practice has a responsibility to ensure that it is aware of the risks associated with doing this, including the disclosure of sensitive information when the patient registers for online services. 

The Practice may give formal proxy access to a representative or representatives of a patient who is not competent. The doctor should carefully weigh the balance of benefits to the patient against the risks described in this guidance of proxy access for a patient who lacks capacity. Only then should proxy access be granted; after discussion with the patient’s family or person(s) named in a power of attorney or a Court Appointed Deputy, and if, after the discussion, the doctor believes it to be in the patient’s best interests. This may be a time consuming process. 


When might proxy access be enabled? 

Before the Practice provides proxy access to an individual or individuals on behalf of a patient, an authorised member of staff at the practice must satisfy themselves that they have the explicit informed consent of the patient or some other legitimate justification for authorising proxy access without the patient’s consent. 
Adult patients with capacity may give informed consent to proxy access to the practice records about them. People aged 16 or above are assumed to be competent unless there is an indication that they are not. Young people under the age of 16 who are competent may also give consent to proxy access. This is discussed further below (heading Between the 11th and 16th birthdays) Legitimate reasons for the practice to authorise proxy access without the patient’s consent include: 

  • The patient has been assessed as lacking capacity to make a decision on granting proxy access, and has registered the applicant as a lasting power of attorney for health and welfare with the Office of the Public Guardian 
  • The patient has been assessed as lacking capacity to make a decision on granting proxy access, and the applicant is acting as a Court Appointed Deputy on behalf of the patient 
  • The patient has been assessed as lacking capacity to make a decision on granting proxy access, and in accordance with the Mental Capacity Act 2005 code of practice, the GP considers it in the patient’s best interests to grant the requested access to the applicant
  • The patient is a child who is has been assessed as not competent to make a decision on granting proxy access (please see ‘Proxy access on behalf of children’ below). 

The identity of the person authorising access, and the reason, should be recorded in the patient’s practice record following the completion of a proxy consent form, which should be scanned and attached to the patient’s record. 

When someone is applying for proxy access on the basis of an enduring power of attorney, a lasting power of attorney, or as a Court Appointed Deputy, their status should be verified by making an online check of the registers held by the Office of the Public Guardian. This is a free service. The result of the check should be recorded in the patient’s record. 


Young People 

For convenience throughout this document, the term parent is used to refer to anyone who has legal parental rights and responsibilities for a child, and family is used to refer to any group consisting of one or more parents and one or more children. The principles in this document are highlighted in RCGP’s Patient Online: The Road Map and The Information Governance Review section on online access to the record by parents and children. 
Children vary in the age at which they are able to make an independent and informed decision about who should have access to their record. Although this guidance recommends how to manage online access for children and young people with this natural variation in mind, different approaches may be taken in specific cases. For example, care has to be taken to determine who has parental rights for a child under 11, or a patient over 11 who is not competent to control access. The guidance around children below also reflects current General Practice Systems of Choice (GPSoC ) contractual requirements for system suppliers, which requires the suppliers to make automatic changes to the proxy access available to children’s records at these birthdays. The GPSoC contract requires GP system suppliers to make automatic changes to the proxy access available to children’s records at these birthdays. 

  • On the child’s 11th birthday, 3 months before the childs 11th birthday the GP computer systems will generate an email to parent/guardian to notify that their childs online service will be restricted on their 11th birthday. On their 11th birthday the proxy user will receive another email stating that their childs online services has been restricted and their child needs to register for online services in their own right or give proxy access to their parents/guardian. Parents may continue to have limited proxy access if the child has given consent and the Proxy Access form has been completed. A parent with proxy access will be able to manage certain elements of the young person’s record, such as demographic data, and make appointments and order repeat prescriptions, but they will not be able to see the young person’s past appointments or clinical record, although they would still be able to see the current repeat prescription record. 

Practices should be mindful of the benefits of access for most children and families, whilst also protecting the small number of children and young people who could be at serious risk of harm from their family if medical information (such as use of the contraceptive pill) is inadvertently disclosed. 

On the child’s 16th birthday, if their On Line account has a linked Proxy User the GP computer systems will automatically generate an email 3 months before the Childs 16th birthday computer. This is to notify the parent/guardian that their Childs online service will be restricted on their 16th birthday. On their 16th birthday the proxy user will receive another email stating that their childs online services has been restricted and their child needs to register for online services in their own right . However parents may be allowed proxy access to their child’s online services after careful discussion with the GP, or whoever is responsible for these decisions in the practice if it is felt to be in the child’s best interests. A proxy access consent form will have to be completed by both the 16 year old child and parent /guardian 


Proxy Access for care home staff

If care home staff teams or home care teams ask for proxy access to online services for one of their clients, then careful consideration must be given to the balance of the benefits and risks to the patient before granting access. The discussion with the patient about the benefits and risks of allowing proxy access, and their consent or legal justification if they lack capacity must be recorded. Where the patient does not have capacity, online access may be allowed following discussion with the patient’s family and care home staff, if it is felt by the doctor to be in the patient’s best interests.

Decisions of those with lasting powers of attorney for health and welfare or court appointed deputies, should also be respected. Proxy access should only be given to named individuals who have a legitimate reason to have access to the online services on behalf of patients they are caring for. Individual members of staff must have their own online service user accounts, with credentials issued following face-to-face identity verification at the practice in accordance with Identity verification guidance for general practice. They should be advised of the importance of not sharing their login credentials or allowing others to access their accounts. It should be clear and recorded in the patient’s records who is responsible for ensuring that staff, who are registered for proxy access maintain the confidentiality and security of the patients’ records. Consent should be obtained and recorded when proxy access is enabled for new members of staff. The practice must be informed and access revoked whenever a person with online access leaves the organisation. 


What level of access should proxies have? 

When consent to proxy access is obtained it is important that it is made clear to the patient exactly what services are being made available to the proxy, where the system allows for different levels of access. The options are: 

  • Online appointments booking 
  • Online prescription management 
  • Access to medical records. 

For records access it must be agreed and made absolutely clear to the patient and the proxy what record content will be made available to the proxy. It may be the whole record that the practice is allowing access to, if more than the summary information required under GMS and PMS contracts by 31 March 2015, or just a specified subset of the record available to the patient. For a patient with capacity, this is entirely their decision. When an adult patient has been assessed as lacking capacity and access is to be granted to a proxy acting in their best interests, including someone holding a lasting power of attorney, or a to a court appointed deputy, it is the responsibility of the person authorising access to ensure that the level of access enabled is necessary for the performance of the applicant’s duties. For example, it may be appropriate to enable appointment booking and ordering of repeat prescriptions, but not full records access. Identity Verification Applicants for proxy access must have their identities verified in a face-to-face transaction, in the same way as applicants for access to their own record. Where proxy access is requested with the consent of the patient, the identity of the person giving consent for proxy access must be verified too. The person giving consent will normally be the patient, but may be someone else acting under a power of attorney or as a Court Appointed Deputy. It may also be the manager of a care home choosing members of staff to have access. Please refer to Identity Verification guidance for general practice published alongside this guidance.


Reviewing proxy access 

Where proxy access has been granted with the consent of the patient, the proxy access must be reviewed or withdrawn at the request of the patient. It should also be reviewed if the patient loses capacity to give consent, unless the patient consented before they lost capacity to an enduring proxy access that would continue after they lost capacity. Where proxy access has been enabled on behalf of an adult patient who lacks capacity, this should be reviewed should there be a change in capacity resulting in the patient re-acquiring capacity. Where proxy access has been granted to members of an organisation that has a duty of care for the patient, such as a care home or a home care team, access must be withdrawn if the patient leaves the care of that organisation. If must also be reviewed every time there are significant changes in the patient’s circumstances or a member of staff with proxy access leaves the organisation. In this case, the access details must be changed, although the organisation as a whole may continue to have access. As described above, the competence of young people between their 11th and 16th birthdays should be regularly assessed or on request by the patient or the proxies if someone has proxy access to their record and their involvement in decisions on continued access by proxies reviewed. Once a young person turns 16, the previous competence assessment by default is no longer applicable as they are assumed to have capacity unless there is an indication to the contrary. Access by proxies should be reviewed at this stage with all competent patients. 


Refusing proxy access 

Patients may be put under pressure to permit proxy access to their medical record or to order repeat prescriptions. If a GP or other health professional suspects that a patient is being coerced, they should try to establish the true position with the patient. If after discussion with the patient they still believe they have good grounds for suspicion that the patient is not giving access freely, they should tell the patient that they are not going to authorise or will withdraw proxy access. Practice staff registering a proxy must also be aware of signs to look out for. More information is available in Coercion guidance for general practice. 
Proxy access should not be granted in other circumstances, after discussion with the patient, if: 

  • Practice staff members believe a patient aged under 16 is competent to make a decision on access but that child has not given consent for proxy access to the person who is seeking it 
  • There is a risk to the security of the patient’s record by the person being considered for proxy access 
  • The patient has previously expressed the wish not to grant proxy access to specific individuals should they lose capacity, either permanently or temporarily; this should be recorded in the patient’s record 
  • The patient’s GP judges that it is not in the best interests of the patient. 

Promoting Patient Access to Online 

The Practice will promote the Patient Online Access service to all patients using a number of methods which will include: 

  • Display of posters within patient waiting area 
  • Practice website 
  • Practice newsletter 
  • Verbally with individual and groups of patients 

Information Governance guide