UK telehealth services must maintain comprehensive records covering clinical consultations, prescribing decisions, dispensing activity, patient communication, and operational events. Retention periods vary by record type and category — most clinical records have multi-year retention requirements. This piece walks through what records to keep and for how long.
Clinical records — the core requirement
Clinical records cover the patient's medical history, consultation outcomes, prescribing decisions, clinical reasoning, and ongoing care. UK clinical record retention is set by NHS guidance and Records Management Code of Practice — typically 8 years from end of treatment for adults, longer for children (until age 25 or 26 depending on category), and indefinite for certain categories (cancer, mental health).
Telehealth services should maintain clinical records to the same standard as in-person practice. Records should be timely, comprehensive, and auditable. They are the primary evidence at any inspection or complaint review.
Dispensing records
GPhC requires dispensing records covering prescription receipt, dispensing decisions, pharmacist sign-off, and supply to patient. Minimum retention is 2 years for most prescriptions, longer for controlled drugs (minimum 2 years from final supply, with the CD register itself retained for 7 years).
Dispensing records support audit, complaint review, and pharmacovigilance investigation. They should integrate with clinical records for a complete picture of care.
Communications and patient correspondence
Communications between patient and clinician — consultation messages, follow-up correspondence, written advice — form part of the clinical record and should be retained accordingly. SMS, email, and in-app chat that materially affects care should be archived in the clinical record, not just the messaging tool.
Communications retention is sometimes overlooked. Services that rely on third-party messaging tools without integration into the clinical record discover gaps at audit time.
Complaint and incident records
Complaint records — including the complaint, investigation, outcome, and remedial actions — must be retained per CQC and professional body requirements. Typical retention is 10 years, though some categories require longer. Incident records — clinical errors, adverse events, safeguarding concerns — have similar retention requirements.
These records often inform regulatory inspections and are scrutinised by the regulator if a serious complaint or incident arises.
Operational governance records
SOPs, training records, audit reports, clinical governance meetings, supplier records, financial records relevant to clinical operations — all need appropriate retention. Most operational records have 6-year retention as standard, with some categories longer.
These records support the demonstration of well-led services at CQC inspection and similar regulatory engagements.
Data protection and the retention overlay
UK GDPR overlays the medical retention frameworks. Personal data must not be kept longer than necessary for the purposes processed. Retention policies must be documented in the privacy notice and DPIA, including specific retention periods by data category.
The interaction matters: clinical records have a minimum retention from the clinical framework, but UK GDPR requires they not be kept indefinitely without justification. The policy must articulate both the minimum and the upper bound.
How PExpo handles records
PExpo's clinical workflow includes integrated record retention covering clinical, dispensing, communications, and operational records under documented retention policies. The framework aligns with UK clinical, GPhC, and UK GDPR requirements.
See our brand model page for the operational scope and our DPA for the data handling details.
Clinical record retention in UK telehealth is typically 8 years for adult patients, longer for paediatric and certain category-specific records. Document the retention policy and align it with both clinical frameworks and UK GDPR.
Records are the primary evidence at any inspection or complaint review. Services that integrate clinical, dispensing, and communications records find audits straightforward. Services that scatter records across tools find them painful.
UK telehealth services must maintain comprehensive records — clinical, dispensing, communications, complaint, and operational — with retention periods set by clinical and regulatory frameworks and overlaid by UK GDPR. Documented retention policy is required. See our brand model page for how PExpo integrates record retention and our dpa page for the data handling detail.
Frequently asked questions
How long do I keep adult clinical records?
Typically 8 years from end of treatment, though category-specific requirements vary. Records Management Code of Practice and NHS guidance set the framework, which private services align with.
Can I delete records when a patient leaves the service?
No — clinical record retention applies regardless of whether the patient continues with your service. UK GDPR requires you not keep records longer than necessary, but the clinical retention framework typically sets a minimum that runs from end of treatment.
Does PExpo retain records on my behalf if I am a clinic or brand customer?
PExpo retains operational records covering the dispensing it performs. The clinic or brand retains the clinical records for the consultations it conducts. The split is documented in the contractual relationship and DPA. See our DPA page.