Blog: Why the right of access to patient data needn’t be a headache for GPs

8 Mar 2019 01:05 PM

Blog posted by: Jovian Smalley, Group Manager – Engagement (Public Services), 07 March 2019.

A patient’s right to access their own medical records from their GP is a long-established principle supported and strengthened by data protection law, most recently the General Data Protection Regulation (GDPR).

Under the updated data protection regime, a patient’s request to access their records (commonly known as a subject access request, or SAR) must now be processed free of charge and within one month.

Requests on the rise

Medical practices have reported a significant rise in SARs since the GDPR came into effect in May last year, a trend similar to that in other sectors. Many believe this is partly down to lawyers increasingly submitting SARs on behalf of clients to support legal claims. Ultimately, we want to promote a culture of transparency and compliance without any detrimental impact on individual data rights, patient care or the ability of both the medical and legal professions to do their jobs as efficiently as possible.

SARs are designed to be ‘purpose-blind’ because access is a cornerstone right of data protection, so GPs cannot query the reason for a patient or their representative requesting the information. However, we do appreciate the administrative impact of the increased workload on GP surgeries. The GDPR is an evolution – not revolution – of data protection legislation, and many of the ways practice staff dealt with requests to ease the burden of printing reams of paper under the previous framework are still valid.

With this in mind we’ve put together some practical advice and tips for dealing with requests:

Requests from legal representatives

Where a SAR is made on behalf of a patient by their legal representative and is accompanied by the patient’s clear authority for that specific request, it should be treated in the same way as if it was made directly by the patient. The British Medical Association (BMA) have worked with the legal profession to create a standard form which legal representatives can use, which can be found in their guidance.

Legal representatives must, of course, also consider their own responsibilities under the law. They should only request the data they need for their specific purpose and they must make sure they are using the correct legal framework.

When practices receive requests from third parties they can consider the following:

Requests from insurers

Insurers may also request patient information from GPs as part of managing policies and assessing claims.

A separate framework – the Access to Medical Reports Act 1988, commonly known as AMRA – already exists as a mechanism for the insurance industry’s access to tailored medical reports used as part of underwriting policies or assessing claims. This route allows practices to charge insurance companies a fixed fee for access to patient information and includes important safeguards for patients.

We would expect insurers to use this mechanism in most instances and we have previously worked with the industry to formalise this understanding. This led to the Association of British Insurers creating principles for their members to follow which can be accessed here.

Next steps

GPs can currently find further advice within our guidance on the right of access under GDPR, and also in the British Medical Association's recently updated guidance on access to health records. The ICO will continue to work with key stakeholders to ensure that GP practices can provide critical patient care and uphold people’s information rights.