Ghost
For healthcare teams

Privacy ops at clinical scale.
Defensibly.

Subject access against clinical records mixes special-category data, third parties, and a one-month statutory clock. Ghost is the workspace where the request is taken in and the response is redacted, delivered, and evidenced, without leaving the EPR.

EU-hosted · Append-only audit log · BAA available · Built to GDPR and DPA 2018 standards.

  • 1 month: Article 12 response window
  • 72 hours: Breach notice to the supervisory authority
  • Article 9: Special-category data conditions
  • EU: Hosted infrastructure

The clinical privacy workflow

Pull the record. Redact. Disclose. Evidence.

A patient — or a coroner, an insurer, a solicitor — asks for what you hold on them. The clinical record is in the EPR. The work is what happens between export and disclosure. Four steps; one workspace.

Step 01

Log and verify

Intake the request through a branded form; verify identity before any disclosure. The one-month statutory clock under Article 12 is tracked from the moment the request is identifiable.

Step 02

Scope and collect

Pull exports from the EPR, imaging, correspondence, and any administrative records caught by the request. Ghost holds the case; the EPR stays the clinical system of record.

Step 03

Redact third parties and exempt material

Mask identifiers of other patients and clinicians, withhold material under recognised exemptions, and capture the clinical rationale next to the redaction. AI-assisted detection on Solo DPO and DPO Team; manual redaction on every plan.

Step 04

Deliver and evidence

Send via a signed, time-limited link. Keep an append-only audit trail of every step — intake, identity check, redaction decision, delivery — exportable as an evidence pack when the regulator or counsel asks.

Privacy request manager

The statutory clock starts the moment you log it.

A branded intake form for patients and representatives, identity verification before any disclosure, task assignment across clinical and information-governance teams, and the Article 12 deadline tracked automatically on every case.

  • Branded intake for patients and authorised representatives
  • Identity verification before any disclosure
  • Article 12 deadline tracked automatically
  • Tasks assignable to clinical, IG, and DPO members

Redaction for clinical records

Third-party detail out. Clinical content in.

Upload EPR exports, imaging metadata, referral letters, and incident reports. AI-assisted detection surfaces names, addresses, identifiers, and contact details for review — you accept, reject, or refine every box. PDF rendering and redaction are client-side; files do not leave your browser.

  • PDFs, scanned letters, and imaging exports
  • AI-assisted PII detection on Solo DPO and DPO Team
  • Client-side rendering — files stay in your browser
  • Rationale captured next to every redaction decision

Article 30 register and audit log

The evidence regulators ask for — already written.

Records of processing for patient care, employee data, research, and operational systems. Lawful-basis tracking under Article 6 and Article 9. An append-only audit log on every case and record. When the supervisory authority, an internal reviewer, or counsel asks how a decision was reached, the answer is already on record.

  • Article 30 register with completeness score
  • Article 9 conditions and lawful basis on every activity
  • Append-only timeline per case
  • Audit pack export when the regulator or counsel asks

See it end to end

A short walk-through of the workspace.

Redaction, privacy requests, and the audit log — in about three minutes.


What healthcare teams ask us first

Three questions every clinical IG team raises.

“Does this replace our EPR?”

No. The EPR stays. Ghost handles what happens after export — intake, redaction, disclosure, audit. Clinical systems are left to be clinical systems.

“Who controls disclosure decisions?”

Your clinicians and IG team do. Ghost gives them a workspace to capture the decision, redact third-party detail, and evidence what was disclosed. The clinical judgement remains yours; Ghost makes it defensible.

“What about HIPAA / NHS DSPT?”

Ghost is built to GDPR and DPA 2018 standards and supports workflows that sit inside HIPAA and NHS DSPT obligations. A BAA is available; the DSPT is your organisational evidence to maintain. Ghost is one of the controls you can point at when evidencing privacy operations specifically.

Pricing

Plans for clinics, providers, and healthtech.

Start on the trial. Upgrade when subject access volume — or procurement — requires it.

Free

Run a single subject access request end-to-end before you commit.

€0/forever
  • 1 active case
  • Manual redaction (PDF, up to 5 pages/file)
  • 10 redactions per month
  • 1 Article 30 register entry
Most popular

Solo DPO

For information governance leads and DPOs running the privacy programme themselves.

€49/month
  • Unlimited cases and redactions
  • AI-assisted PII detection
  • Article 30 register + append-only audit log
  • €39/mo billed annually (save 20%)

DPO Team

For clinical groups, providers, and healthtech with a multi-person privacy function.

€149/month
  • Up to 10 seats (€10/extra seat)
  • Role-based access (Admin, Operator, Read-only)
  • Outbound webhooks for SIEM / chat / ITSM
  • BAA available on request
  • €119/mo billed annually

Compare every feature on the full pricing page.

Healthcare redaction guide

How to handle third-party clinician detail, mental-health records, and imaging metadata when responding to a subject access request — written for IG leads and DPOs.



The next clinical DSAR is already in someone’s inbox.

Set up the response process before it lands. 30-day free trial — no credit card, EU-hosted, BAA available on request.

The regulatory landscape for healthcare teams

Health data is special-category data under Article 9 of Regulation (EU) 2016/679 (GDPR), with stricter conditions for lawful processing than non-special data. The right of access under Article 15, the deadlines under Article 12, the DPIA obligation under Article 35, and the breach-notification duty under Article 33 all apply.

In the UK, the Data Protection Act 2018 sets the domestic regime, supervised by the Information Commissioner’s Office (ICO). NHS organisations operate under additional information-governance frameworks (the NHS Data Security and Protection Toolkit, Caldicott principles for confidentiality, and Records Management Code of Practice retention guidance). Ghost is designed to sit alongside these frameworks rather than replace them.

Healthcare providers operating in the US under HIPAA face an overlapping but distinct regime. Ghost supports workflows for HIPAA-covered organisations and will sign a Business Associate Agreement on request; it does not claim HIPAA certification. Ghost does not provide legal advice — speak to your information governance lead or counsel about the regimes that apply to your organisation.

Privacy compliance for regulated teams.

Built to the same data-protection standards as regulated financial software.

© 2026 Ghost. Your GDPR compliance platform.