- Posted Wednesday July 18, 2018
The new Data Protection Act enshrined GDPR into UK law and also brought up a number of questions for GP practices, especially when it comes to the matter of when (or if) it’s possible to charge for access to patients’ records.
Under the DPA 2018, patients have the right to request access to their own medical records under a Subject Access Request without charge, including situations where they give consent for a third party such as a solicitor or insurer to access the data.
Key points for general practice staff to bear in mind are:
- GDPR applies to both digital and physical (paper) records
- Information is subject to confidentiality obligations that already exist, e.g. between a doctor and patient
- GDPR only applies to living people, but the Access to Health Records Act (AHRA) extends to deceased individuals
Requests from solicitors
A patient can authorise their solicitor to make a SAR, and these requests should be treated as if they were made from the patient themselves - the solicitors are effectively acting on the patient’s behalf.
A solicitor can request access to a patient’s full medical record as long as they provide the patient’s written consent. The solicitor may need to access the whole record in order to assess which parts of the patient’s medical history are relevant to their case, including for compensation or insurance claims.
Requests from insurers
Insurance companies do not have the same privileges to access patient records as solicitors – the ICO has said insurance companies using SARs to obtain full medical records is an abuse of the process. The DPA 2018 says that any information that is shared in a SAR must be relevant and not excessive in relation to the purpose for which the data is processed.
If an SAR is received from insurers, GPs should contact the patient to explain the implications and the extent of the disclosure, and should provide the information to the patient themselves instead of directly to the insurance company.
As GPs are the Data Controllers for the Practice, they would be liable for any breach of the DPA, and as such should be wary of what information is shared. This doesn’t mean that GPs can refuse to respond to a SAR from an insurance company, but it does mean they need to stay vigilant and compliant.
The DPA has made it a criminal offence to make a SAR in order to access information about individuals’ convictions and cautions, and a clause will soon be enacted to extend this to cover using medical records to access this information. If you suspect that a SAR from an insurer is trying to collect information about an individual’s criminal record then it should be reported to the ICO and the Association of British Insurers.
To charge or not to charge…
Where a request is made from an appropriate party for a medical report or record that already exists, then this can be made under a Subject Access Request, without charge. You can however charge what the DPA 2018 describes as a ‘reasonable fee’ if the request is ‘manifestly unfounded or excessive’. This term is subjective, and depends on the practice’s interpretation. If you decide to charge for a SAR for this reason, you should be 100% sure you are justified in doing so.
Another circumstance where you can charge for a SAR is where an individual or body makes repeated request for the same information. You can even refuse to provide information that has already been requested and provided several times (although there’s no definition of precisely what ‘several’ means).
If the request means you will have to create a medical report or interpret the information in a medical record or report, this would place it under the Access to Medical Reports Act (AMRA) – and in these circumstances a fee would be payable. This is because both of these requests mean new materials need to be created, something not included under a Subject Access Request. SARs are all about accessing existing information about a patient.
The need for clarification
Manifestly unfounded or excessive requests – you can refuse to provide this information or you can provide the information, and state the charges for providing this information.
The BMA have asked for clarification on what ‘manifestly unfounded and excessive’ means in practice. The ICO responded by saying: “A charge to cover administrative costs can be made for additional copies but we await guidance on what will constitute a ‘reasonable’ fee”. Again, there’s no definition of what ‘manifestly’ or ‘unfounded’ means in DPA terms, leaving it open to interpretation.
However, the ICO have said that “a SAR for the whole medical record would never be considered excessive for the purposes of imposing a charge.” That means a patient asking for their whole medical record cannot be classified as an excessive request.
From some of the chatter amongst legal groups, there is an option in the DPA 2018 that may allow for charging fees for SARs in the future, but we’ll have to wait and see whether we get further clarification on this topic.
How to provide the information
The ICO are in favour of ‘electronic SARs’, and guidance seems to indicate that if the request is made electronically, you can provide the information in the same way, meaning USB drives or CDs are acceptable. However, it’s best to agree the best medium with the data subject first.
In terms of physical records and posting them out to patients, the ICO’s has said that: “The Practice may also request that the physical response is picked up by the requestor from the surgery but if the requestor refuses to do so, the Practice cannot withhold the data and must send it on”.
NHS Patient Online is a good, paper-free method for distributing SARs. Providing a secure portal for data subjects is recommended by the GDPR regulations.
If you refuse to provide the details requested in a SAR, then you need to be prepared to fully explain your decision. It might be an opportunity to discuss what information the third party actually needs – do they really want access the whole of their medical records, or is there a particular piece of information that they require?
If a SAR or other request is refused, you need to explain why, and within the deadline period. Reasons may include:
- The personal data also includes information about third parties (bear in mind it would still be reasonable to include clinicians’ details);
- Sharing the information could result in harm to the data subject or any other person;
- It includes information about a child or non-capacitous adult, which they would not expect to be disclosed to the person making the request;
- It includes legally privileged data;
- Information is subject to a court order;
- Sharing data would prejudice regulatory activities
Access to deceased patients’ records
The BMA’s updated guidance Access to Health Records released at the end of June 2018 says:
“…the ethical obligation to respect a patient’s confidentiality extends beyond death… Health professionals should therefore counsel their patients about the possibility of disclosure after death and solicit views about disclosure where it is obvious that there may be some sensitivity. Such discussions should be recorded in the records.”
It goes on to confirm that if a request is made to a GP practice to access the deceased person’s records (and they are not currently held by PCSE or local health boards), then the practice should respond to the request under the AHRA processes.
The GDPR does not apply to data concerning deceased individuals. However, the BMA document Access to Health Records points out that legislative changes to the Data Protection Act 2018 has also amended the Access to Health Records Act 1990, which now states access to the records of deceased patients and any copies must be provided free of charge.
FPM are asking PMs to let us know whether their GP practice has seen an increase in Subject Access Requests since GDPR's implementation. Please take a moment to answer our quick poll and see how your situation compares to follow PMs'.
Keep an eye on the FPM Policy Library for more documents to help your GP practice stay GDPR compliant, and head to our GDPR Toolkit area for access to even more resources.