Proxy access

Version 1.2, 10 August 2023

This guidance is part of the Information governance and data protection section of the Good practice guidelines for GP electronic patient records.

Some patients find it helpful for a second person to have access to their online GP record.  This is often a family member, medical next of kin, a close friend or a carer whom they trust to act on their behalf.  This is called proxy access.

Formal and informal proxy access

Patients may choose to share login information and/or information from their online records informally, but they should be made aware of the risks this poses to the security and confidentiality of their clinical record.

The alternative of formal proxy access, which has to be set up by the GP practice, is subject to a number of checks and safeguards.

It is recommended good practice to have formal proxy access arrangements in place, wherever possible.

| Formal proxy access | Informal proxy access |
|---|---|
| Proxy has their own account and login credentials | Proxy uses the patient’s account and login credentials |
| Proxy may be given a level of access tailored to the patient’s wishes and different from that of the patient, e.g. only enough access to order repeat prescriptions. A patient may choose to have more than one proxy, and each can have a different level of access. | Proxy has exactly the same level of access as the patient |
| GP computer system may offer an audit trail of who has accessed the patient’s account | No audit trail showing who has accessed the patient’s record, only that the record has been accessed through the patient’s online account. |
| If needed, the practice may withdraw the proxy access at any time without affecting the patient’s access | Practice can only withdraw the proxy’s access by switching off the patient’s access. Patient’s access can be reinstated with a new set of login credentials |

Setting up formal proxy access

Before a formal proxy access account is set up, a number of checks and safeguarding steps need to be taken.

Steps, with considerations and questions

Step 1 Coercion

Consider the possibility of coercion. The patient should be asked to confirm they are willing for proxy access to be given. Their response should be recorded on the consent form (Step 3 explains the situation where a patient does not have the ability or capacity to give this assurance).

Step 2 Consent

Can and does the patient explicitly consent to the sharing of online access to their record? The patient should complete and sign the consent form, which should be scanned into their record.

Step 3 Capacity

If the patient is judged by a GP to lack the capacity to consent (which must be a clinical decision), are there clear benefits to the patient of proxy access being granted? Does the proxy have a legitimate reason to have proxy access (ideally because they have lasting power of attorney or a court appointment)? Answers should be recorded clearly in the patient’s notes.

Step 4 Level of access

A proxy may have access to the patient’s record as well as to transactional services such as appointment booking and repeat prescription requests.

The level of access can be different from that of the patient, and agreed levels of access must be confirmed in the consent form and recorded in the patient’s notes. Examples of these include:

  • able to view the patient’s SCR (summary care record)
  • able to view the patient’s DCR (detailed coded record)
  • able to view the patient’s full GP record

Where the patient lacks capacity to decide on the level of access, the authoriser must ensure the level of access is appropriate and necessary.

Step 5 Security and confidentiality

A proxy must be given information about the importance of keeping the account secure and keeping the information they have access to confidential.

The patient record should also be reviewed for sensitive information, and this should be redacted if necessary. This will usually be redacted for both the patient and the proxy user as there are not usually multiple levels of redaction available depending on who is viewing the record.

Step 6 Identity verification

Both patient and proxy must have their identities verified before any access can be set up. The method of ID verification used must be recorded in the patient’s notes. Where record access is included in the application, it’s best to verify identities face to face. Where patients and proxies have an email address and a mobile phone, identity verification can be assured by registering with an NHS login, which simplifies the process from a practice point of view.

There are a number of circumstances where proxy access may be given without the consent of the patient.  In all instances, the lack of capacity must be confirmed by a clinician and a decision to enable proxy access made after careful consideration of:

  • the balance of risks and benefits to the patient
  • the views of the family (where it is possible to ask the family)

Where a patient is unable to give consent, proxy access may be agreed when:

  • the proxy has a lasting power of attorney for health and welfare granted by the Office of the Public Guardian
  • the applicant is acting as a Court Appointed Deputy on behalf of the patient
  • in accordance with the Mental Capacity Act 2005 code of practice, the GP considers it in the patient’s best interests to grant access to the applicant
  • the patient is a child under the age specified in the RCGP guidance and the person requesting access is a parent or other person with parental responsibility and there are no known reasons why proxy access should not be given

When someone is applying for proxy access on the basis of an enduring power of attorney, a lasting power of attorney, or as a Court Appointed Deputy, their status should be verified by making an online check of the registers held by the Office of the Public Guardian.  This is a free service.  The result of checks should be recorded in the notes.

In the case of a child, for example, proxy access for people with parental responsibility should usually be switched off once the child reaches the age deemed appropriate in the RCGP guidance.  Furthermore, the RCGP guidance identifies the age at which the practice can have a discussion with both parties and agree further proxy access.

Refusing or withdrawing proxy access

Proxy access should not be granted or may be withdrawn if any of the following apply:

  • practice staff have good grounds for suspicion that the patient has not given consent freely
  • a patient of the age specified in the RCGP guidance is deemed competent to make a decision on access and they have not given consent to the proxy having access
  • there is believed to be a risk to the security of the online account posed by the proxy
  • the patient has previously expressed the wish not to grant proxy access to specific individuals should they lose capacity, either permanently or temporarily, as recorded in the notes
  • the patient’s GP assesses that it is not in the best interests of the patient
  • at the request of the patient
  • if required by or as part of a legal process

Reviewing proxy access

Proxy access should be reviewed:

  • routinely, in case patient or proxy circumstances change
  • if the patient loses capacity to give consent (unless this possibility was previously discussed, and the outcome of the discussion recorded in the notes)
  • where proxy access was given on behalf of an adult patient lacking capacity and the degree of capacity changes for the better
  • when a young person reaches the age identified in the RCGP guidance

Proxy access for children and young people

Online access by children and young people is the subject of a separate topic in this guidance.

Proxy access and the NHS App

Patients of SystmOne and EMIS Web practices will see proxy access entitlements in the NHS App but only where these have been switched on by the practice.  It is not possible to set up proxy access through the NHS App.

You will need to check your system to see how proxy access works as there are likely to be differences between systems. See the section on proxy access for care home staff for more information.

Proxy access by care home staff

NHS England has published guidance on how care home staff can access patient records as proxies, to support repeat prescribing and dispensing for residents. The guidance includes a step-by-step guide to creating proxy access accounts for care home staff. 

Other resources include an application for online access template and a checklist for GP practices.

The process is summarised in the flow diagram below:

A number of benefits from building these links have been documented by GPs, care homes and pharmacies as summarised in the table below:

Summary

  • Patients are recommended to apply for formal proxy access if they want someone else to have access to their record.
  • Patients may have more than one proxy and can decide the level of access appropriate for each proxy.
  • The importance of keeping personal information secure should be explained to patients and their proxies.
  • Proxy access may be possible when a patient does not have the capacity to consent to it.
  • Proxy access may be refused or withdrawn by a practice when there are concerns about safeguarding or coercion or a change in the capacity to consent.
  • Access to children’s records is subject to specific rules based on specific age thresholds, set out in the RCGP guidance.
  • Care home staff can be given proxy access to residents’ records for ordering repeat prescriptions.

Do

  • Provide patients with information about proxy access.
  • Brief staff about proxy access issues and processes.
  • Produce a practice proxy access protocol.
  • Review access by a proxy to a patient’s record regularly.
  • Record decisions about proxy access requests in the patient’s record.
  • Ensure your proxy access application processes are up-to-date and provide safeguards for patients (for example, include identity checks and assess the risk of coercion).
  • Talk to your local care homes and pharmacies about proxy access for care home staff.
  • Ensure proxy access settings are checked, preserved or protected when migrating to other clinical systems or when receiving GP2GP record transfers.

Other helpful resources