This outcome is about ensuring that patient records are accurate, fit for purpose, held securely and remain confidential. The same applies to other records that are needed to protect their safety and wellbeing.

Outcome in plain English

Follow this good practice to cover everything in this section and manage risk through effective procedures about records.

21A Personal records of care, treatment and support should be properly managed by:

  • Maintaining clear procedures that are followed in practice, monitored and reviewed
  • Creating and maintaining medical records for each person who uses the service
  • Documenting verbal communications about care on patient records
  • Maintaining factual, clear and accurate records
  • Securely storing and transferring all records, both internally and externally
  • Having secure information sharing protocols
  • Planning appropriate care based on the person's history
  • Having one record per patient
  • Having all relevant caregivers update and maintain the patient record
  • Maintaining all records for the legally required period if the provider should close
  • Following all regulations when dealing with requests for information

The following records are to be kept for:

| Record type | Period |
|---|---|
| Risk assessments | Until a new one replaces it |
| General purchasing | 18 months |
| Purchasing of medical devices and medical equipment | 11 years |
| General operating policies and procedures (current and previous versions) | 3 years |
| Incidents, events or occurrences | 3 years |
| Use of restraint or the deprivation of liberty | 3 years |
| Detention order | 3 years |
| Maintenance of the premises records | 3 years |
| Equipment maintenance records | 3 years |
| Electrical testing | 3 years |
| Fire safety | 3 years |
| Water safety (Legionella testing) | 3 years |
| Medical gas safety, storage and transport | 3 years |
| Money or valuables deposited for safe keeping | 3 years |
| Staff employment records | 3 years |
| Duty rosters | 4 years |
| Final annual accounts | 30 years |

21B Healthcare records should be kept or disposed of in accordance with the Data Protection Act 1998, and all other relevant standards


What the BMA says

Your practice is likely to be compliant if your practice does the following:

  1. Updates patient records at the same time as the events they are recording or as soon as possible afterwards
  2. Makes a note of important points from discussions with patients in their records
  3. Observes the Good Practice Guidelines for general practice electronic records version 4.  
  4. Follows the requirements of the Data Protection Act 1998 and Freedom of Information Act 2000 when a patient requests access to their records. The BMA has guidance on patients accessing health records.
  5. Follows the Department of Health’s Records Management NHS Code of Practice (Part 2)

Your practice has the following:

  1. A confidentiality protocol or an information governance protocol.

