7 March 2019
A patient’s right to access their own medical records from their GP is a long-established principle supported and strengthened by data protection law, most recently the General Data Protection Regulation (GDPR).
Under the updated data protection regime a patient’s request to access their records (commonly known as a subject access request, or SAR) must now be processed free of charge and within one month.
Requests on the rise
Medical practices have reported a significant rise in SARs since the GDPR came into effect in May last year, a trend mirrored in other sectors. Many believe this is partly down to lawyers increasingly submitting SARs on behalf of clients to support legal claims. Ultimately, we want to promote a culture of transparency and compliance without any detrimental impact on individual data rights, patient care or the ability of both the medical and legal professions to do their jobs as efficiently as possible.
SARs are designed to be ‘purpose-blind’ because access is a cornerstone right of data protection, so GPs cannot query the reason for a patient or their representative requesting the information. However, we do appreciate the administrative impact of the increased workload on GP surgeries. The GDPR is an evolution – not revolution – of data protection legislation, and many of the ways practice staff dealt with requests to ease the burden of printing reams of paper under the previous framework are still valid.
With this in mind we’ve put together some practical advice and tips for dealing with requests:
- Practices may be able to comply with a SAR by offering to provide a patient with online access to their health records, where available. The Government is committed to increasing access to online patient records in GP surgeries, and to support this aim we are working with health sector organisations to explore new ways for people to access their information online or at their surgery.
- Practices can provide the SAR response electronically (subject to safeguards such as encryption). A surgery only needs to print paper copies if it is asked to do so and this is reasonable.
- If GPs hold a large amount of information about a patient they can ask the patient or their representative to clarify the information that would be acceptable to satisfy the SAR.
- While the costs of providing initial copies need to be borne by the GP practice, it’s worth knowing that further copies can be charged for.
Requests from legal representatives
Where a SAR is made on behalf of a patient by their legal representative and is accompanied by the patient’s clear authority for that specific request, it should be treated in the same way as if it was made directly by the patient. The British Medical Association (BMA) have worked with the legal profession to create a standard form which legal representatives can use, which can be found in their guidance.
Legal representatives must, of course, also consider their own responsibilities under the law. They should only request the data they need for their specific purpose and they must make sure they are using the correct legal framework.
When practices receive requests from third parties they can consider the following:
- Before responding ask for evidence that the third party has the clear, specific authority of the data subject to exercise their right of access. A general authority to act on the data subject’s behalf, or to request the sharing of personal data, is not sufficient.
- If a GP thinks that more information than is necessary is being requested, they can check that the patient is aware of the full extent of what is being sought.
- In cases where practices have genuine concerns about giving out excessive information, they can provide data directly to the patient who can then make their own choice about what information they pass on to their representative.
Requests from insurers
Insurers may also request patient information from GPs as part of managing policies and assessing claims.
A separate framework – the Access to Medical Reports Act 1988, commonly known as AMRA – already exists as a mechanism for the insurance industry’s access to tailored medical reports used as part of underwriting policies or assessing claims. This route allows practices to charge insurance companies a fixed fee for access to patient information and includes important safeguards for patients.
We would expect insurers to use this mechanism in most instances and we have previously worked with the industry to formalise this understanding. This led to the Association of British Insurers creating principles for their members to follow which can be accessed here.
GPs can currently find further advice within our guidance on the right of access under GDPR, and also in the British Medical Association’s recently updated guidance on access to health records. The ICO will continue to work with key stakeholders to ensure that GP practices can provide critical patient care and uphold people’s information rights.