Navigating Records Management in Healthcare: Retention Requirements and Durations under GDPR and Irish Legislation

Records Management in Healthcare

In the healthcare sector, records management is a critical function that ensures patient information is handled securely and efficiently. With the introduction of the General Data Protection Regulation (GDPR) and specific Irish legislation, healthcare providers must be vigilant in managing the retention and destruction of medical records. This blog post explores the retention requirements and durations for healthcare records under GDPR and Irish law, providing clarity for healthcare organisations.

Understanding GDPR and Its Impact on Healthcare Records

GDPR, which came into effect on 25 May 2018, is a comprehensive data protection regulation that applies to all EU member states, including Ireland. It sets out stringent requirements for the processing and retention of personal data, including healthcare records. Under GDPR, personal data should be:

  • Processed lawfully, fairly, and transparently.
  • Collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
  • Adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
  • Accurate and, where necessary, kept up to date.
  • Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
  • Processed in a manner that ensures appropriate security of the personal data.

Retention Requirements under GDPR

GDPR does not specify exact retention periods for personal data, including healthcare records. Instead, it requires that personal data should not be kept for longer than is necessary for the purposes for which the data is processed. This means that healthcare providers must establish their own retention periods based on the purpose of the data processing and document these periods in their records of processing activities.

Irish Legislation on Medical Records Retention

In addition to GDPR, healthcare providers in Ireland must also comply with national legislation regarding the retention of medical records. The Health Information Bill 2024, once enacted, will provide a legal basis for digital health records in Ireland and will support Ireland’s obligations under the European Health Data Space (EHDS) Regulation. The Bill will also establish a ‘duty to share’ health information for patient care and treatment, which applies to all healthcare providers in Ireland.

Recommended Retention Periods

In the healthcare sector, particularly when dealing with sensitive information such as mental health records or records of children at risk, there are specific considerations for retention durations that must be taken into account. While GDPR provides a framework for data protection, it does not specify exact retention periods, leaving it to member states and professional guidelines to establish appropriate durations.

The Medical Council of Ireland and other professional bodies provide guidance on the retention of medical records. The generally recommended minimum retention periods are:

  • Adult healthcare records: Eight years after last treatment or death.
  • Children and young people: Until the patient’s 25th birthday, or 26th if the young person was 17 at the conclusion of treatment, or eight years after the patient’s death.

These periods are designed to ensure that records are available for an appropriate period to support patient care, legal and professional requirements, and the defence of any legal actions.

Mental Health Records

For mental health patients, the retention of records may be influenced by the nature of the treatment and the potential need for future reference. The Mental Health Commission in Ireland recommends that records should be retained for a minimum of 20 years after the date of last contact or 8 years after the death of the patient, whichever is the sooner. This extended period reflects the potential long-term nature of mental health conditions and the need for continuity of care.

Children at Risk

For children at risk, the retention periods are often longer due to the vulnerability of the population and the potential for historical abuse investigations. The Child Care Act 1991 and the Children First: National Guidance for the Protection and Welfare of Children provide a framework for the protection of children’s data. It is generally advised that records for children at risk should be retained until the child reaches the age of 25, or 26 if the young person was 17 at the conclusion of treatment, or for 8 years after the patient’s death. This allows for any late-emerging issues to be addressed and for the records to be available for any legal proceedings that may arise.

Best Practices for Records Management in Healthcare

To comply with GDPR and Irish legislation, healthcare providers should:

  • Conduct a data audit to identify all personal data held and the purposes for which it is processed.
  • Establish and document retention periods for each category of personal data.
  • Implement policies and procedures for the secure storage, retrieval, and destruction of records.
  • Regularly review retention policies to ensure they remain up to date and compliant with legal requirements.
  • Train staff on the importance of data protection and records management.

Conclusion

Effective records management is essential for healthcare providers to comply with GDPR and Irish legislation. By establishing clear retention policies and procedures, healthcare organisations can ensure that they handle patient data responsibly, maintain patient trust, and avoid potential penalties for non-compliance. DSM is here to assist healthcare settings with the digitisation and management of paper records, helping to streamline processes and ensure compliance with all relevant regulations.
