Secret-Diary-of-a-Practice-Manager-3.jpg

GDPR and accessing medical records - A practice manager's guide

The new Data Protection Act enshrined GDPR into UK law and also brought up a number of questions for GP practices, especially when it comes to the matter of when (or if) it’s possible to charge for access to patients’ records.

Under the DPA 2018, patients have the right to request access to their own medical records under a Subject Access Request without charge, including situations where they give consent for a third party such as a solicitor or insurer to access the data.


Key points for general practice staff to bear in mind are:

  • GDPR applies to both digital and physical (paper) records
  • Information is subject to confidentiality obligations that already exist, e.g. between a doctor and patient
  • GDPR only applies to living people, but the Access to Health Records Act (AHRA) extends to deceased individuals


Requests from solicitors

A patient can authorise their solicitor to make a SAR, and these requests should be treated as if they were made from the patient themselves - the solicitors are effectively acting on the patient’s behalf.

A solicitor can request access to a patient’s full medical record as long as they provide the patient’s written consent. The solicitor may need to access the whole record in order to assess which parts of the patient’s medical history are relevant to their case, including for compensation or insurance claims.


Requests from insurers

Insurance companies do not have the same privileges to access patient records as solicitors – the ICO has said insurance companies using SARs to obtain full medical records is an abuse of the process. The DPA 2018 says that any information that is shared in a SAR must be relevant and not excessive in relation to the purpose for which the data is processed.

If an SAR is received from insurers, GPs should contact the patient to explain the implications and the extent of the disclosure, and should provide the information to the patient themselves instead of directly to the insurance company.

As GPs are the Data Controllers for the Practice, they would be liable for any breach of the DPA, and as such should be wary of what information is shared. This doesn’t mean that GPs can refuse to respond to a SAR from an insurance company, but it does mean they need to stay vigilant and compliant.

The DPA has made it a criminal offence to make a SAR in order to access information about individuals’ convictions and cautions, and a clause will soon be enacted to extend this to cover using medical records to access this information. If you suspect that a SAR from an insurer is trying to collect information about an individual’s criminal record then it should be reported to the ICO and the Association of British Insurers.


To charge or not to charge…

Where a request is made from an appropriate party for a medical report or record that already exists, then this can be made under a Subject Access Request, without charge. You can however charge what the DPA 2018 describes as a ‘reasonable fee’ if the request is ‘manifestly unfounded or excessive’. This term is subjective, and depends on the practice’s interpretation. If you decide to charge for a SAR for this reason, you should be 100% sure you are justified in doing so.

Another circumstance where you can charge for a SAR is where an individual or body makes repeated request for the same information. You can even refuse to provide information that has already been requested and provided several times (although there’s no definition of precisely what ‘several’ means).

If the request means you will have to create a medical report or interpret the information in a medical record or report, this would place it under the Access to Medical Reports Act (AMRA) – and in these circumstances a fee would be payable. This is because both of these requests mean new materials need to be created, something not included under a Subject Access Request. SARs are all about accessing existing information about a patient.


The need for clarification 

Manifestly unfounded or excessive requests – you can refuse to provide this information or you can provide the information, and state the charges for providing this information.

The BMA have asked for clarification on what ‘manifestly unfounded and excessive’ means in practice. The ICO responded by saying: “A charge to cover administrative costs can be made for additional copies but we await guidance on what will constitute a ‘reasonable’ fee”. Again, there’s no definition of what ‘manifestly’ or ‘unfounded’ means in DPA terms, leaving it open to interpretation.

However, the ICO have said that “a SAR for the whole medical record would never be considered excessive for the purposes of imposing a charge.”  That means a patient asking for their whole medical record cannot be classified as an excessive request.

From some of the chatter amongst legal groups, there is an option in the DPA 2018 that may allow for charging fees for SARs in the future, but we’ll have to wait and see whether we get further clarification on this topic.


How to provide the information

The ICO are in favour of ‘electronic SARs’, and guidance seems to indicate that if the request is made electronically, you can provide the information in the same way, meaning USB drives or CDs are acceptable. However, it’s best to agree the best medium with the data subject first.

In terms of physical records and posting them out to patients, the ICO’s has said that: “The Practice may also request that the physical response is picked up by the requestor from the surgery but if the requestor refuses to do so, the Practice cannot withhold the data and must send it on”.

NHS Patient Online is a good, paper-free method for distributing SARs. Providing a secure portal for data subjects is recommended by the GDPR regulations.


Request denied

If you refuse to provide the details requested in a SAR, then you need to be prepared to fully explain your decision. It might be an opportunity to discuss what information the third party actually needs – do they really want access the whole of their medical records, or is there a particular piece of information that they require?

If a SAR or other request is refused, you need to explain why, and within the deadline period. Reasons may include:

  • The personal data also includes information about third parties (bear in mind it would still be reasonable to include clinicians’ details);
  • Sharing the information could result in harm to the data subject or any other person;
  • It includes information about a child or non-capacitous adult, which they would not expect to be disclosed to the person making the request;
  • It includes legally privileged data;
  • Information is subject to a court order;
  • Sharing data would prejudice regulatory activities


Access to deceased patients’ records

The BMA’s updated guidance Access to Health Records released at the end of June 2018 says:

…the ethical obligation to respect a patient’s confidentiality extends beyond death… Health professionals should therefore counsel their patients about the possibility of disclosure after death and solicit views about disclosure where it is obvious that there may be some sensitivity. Such discussions should be recorded in the records.”

It goes on to confirm that if a request is made to a GP practice to access the deceased person’s records (and they are not currently held by PCSE or local health boards), then the practice should respond to the request under the AHRA processes.

The GDPR does not apply to data concerning deceased individuals. A fee can be charged for supplying a copy of deceased patients’ records, but it must not exceed the cost of making and posting the copy. Health professionals may charge a professional fee to cover the costs of giving access to the records of deceased patients that is not covered by legislation.


FPM are asking PMs to let us know whether their GP practice has seen an increase in Subject Access Requests since GDPR's implementation. Please take a moment to answer our quick poll and see how your situation compares to follow PMs'.


Keep an eye on the 
FPM Policy Library for more documents to help your GP practice stay GDPR compliant, and head to our GDPR Toolkit area for access to even more resources.

 

  • 1

Comments

Adrian Wise 18/07/2018

I'm looking at one of these solicitor requests now. Could I get patient set up with Patient Access and give access to all records, including text, and documents, etc, etc and ask them to log in and download them selves? Or do I raise an invoice showing SAR foc and administration and postage £50.00 (or whatever is reasonable to cover my costs)

Paul Drinkwater 18/07/2018

So a solicitor sends in a SAR request and wants copies of all the patients notes, we allow access to this information and will not charge a fee for this information as consent from the patient is included, now what do we do in a situation where there is no means to send this information electronically and it must be posted? I don't see why I as a GP practice should foot the postage bill for this when really this is a private request and not NHS work. The ICO have said that we are allowed to request the patient to collect the documents as they are the data subject however if the solicitors state that they are not happy for the patient to collect it or the patient refuses to post it to them where do we stand? Shall i just start paying postage for every Tom Dick and Harrys request and shut up shop now as this is not a financially viable option for us.


Leave a Comment

Categories

Upcoming Events

There are currently no events scheduled.

Jobs

Practice Business Manager - East Grinstead

Closing Date: 30 November 2018

Salary: In the range of £50,000- £60,000 pro rata depending upon experience

Practice Manager - Cheltenham

Closing Date: 29 November 2018

Salary: £38,000 - £45,000 (DOE)

Finance/ HR Manager - Lichfield, Staffordshire

Closing Date: 26 November 2018

Salary: Salary £12.50 -£16.00/hour depending on experience

Assistant Practice Manager - London, SE16

Closing Date: 5 December 2018

Salary: £22 – 25k depending on experience.

Operations Manager - Hertfordshire

Closing Date: 23 November 2018

Salary: Depends on skills and experience in region of £30-40,000 pro rata

Practice Manager/ Business Manager - Chester

Closing Date: 30 November 2018

Salary: SALARY DEPENDING UPON EXPERIENCE AND QUALIFICATIONS (MINIMUM £40,000 pa)

Part-Time Practice Manager - London, NW11

Closing Date: 23 November 2018

Salary: Circa £45k pa pro rata.

Practice Manager - London, N11

Closing Date: 16 November 2018

Salary: Up to 65 K per annum dependent on experience

Deputy Senior Manager - Hammersmith & Fulham, London

Closing Date: 28 February 2019

Salary: Highly competitive and negotiable depending on experience

Practice Business Manager - East Grinstead

Closing Date: 30 November 2018

Salary: In the range of £50,000- £60,000 pro rata depending upon experience

Practice Manager - London, N11

Closing Date: 16 November 2018

Salary: Up to 65 K per annum dependent on experience

Practice Manager - Chingford, London E4

Closing Date: 17 November 2018

Salary: Circa £50,000 depending on experience

What others are viewing now

Latest Forum Posts

Fetching latest posts...