How to respond to a subject access request for medical records

MDU medico-legal adviser Dr Ellie Mein explains the steps practices need to take when patients request access to their medical record.

(Photo: Getty Images)

Patients have had a legal right to request access to their medical records for many years. However, some general practices have concerns about how best to respond to such a request, which is known as a subject access request.

Now more than ever, patients are aware of their right to access their personal information, and it is therefore vital that your data controller can deal with such requests appropriately.

Subject access requests (SARs) are governed by the General Data Protection Regulation (GDPR) and Data Protection Act (DPA), which only cover living patients. It’s important to note that requests for a deceased person’s records are subject to the Access to Health Records Act 1990.

Complying with the law

The DPA enshrined the GDPR into UK law. All healthcare and other organisations have to comply with this legislation, which introduced several significant changes to the way a SAR should be handled compared with the previous law. The changes included:

  • The SAR does not have to be in writing; it can also be made verbally or even via social media.
  • The subject cannot be charged for copies of records unless the request is 'manifestly unfounded, excessive or repetitive'. You could then charge a reasonable fee. More detail is given on this below.
  • You need to provide the information within one calendar month rather than the previous timeframe of 40 days.
  • In Scotland, children aged 12 or over are presumed to have sufficient age and maturity to access their own records. In England, Wales and Northern Ireland, competence is assessed on a case-by-case basis. An older child may have capacity to consent and, if they do, they should be asked for consent. Competent children may refuse access to their records unless the doctor believes disclosure is necessary to protect the child or young person, or someone else, from risk of death or serious harm.
  • You should document access requests, reasons for any delay in providing the information and if requests are 'manifestly unfounded or excessive'. You should also document information provided about the right to complain to the ICO or judicial remedy.

Free access

There is currently no concise definition of what constitutes a manifestly unfounded or excessive request, or what a reasonable fee is. It is hoped this type of request will be rare and, when considering them, doctors should bear in mind their general duties towards patients as set out in Good medical practice and the GMC's guidance on confidentiality.

It may be helpful to discuss such cases with the DPO and you can also get advice from the MDU or your own medical defence organisation.

In October 2020 the Information Commissioner's Office (ICO) published detailed guidance on the right of access to help identify what is a manifestly excessive request. It expands the definition and clarifies what needs to be considered when deciding upon a reasonable fee in these circumstances.

Another question that is often asked is whether insurance companies, solicitors or other third parties should be charged when requesting a patient’s records. Usually these organisations should not be charged if requesting records, with patient consent, under a SAR. However, other requests for information or reports by third parties should be dealt with in the usual way.

Access limitations

There are only limited situations in which you should deny or limit access to a patient’s records following a SAR. The two main exemptions relate to information that is likely to cause serious harm and information relating to third parties.

Access can be limited or denied if it would be 'likely to cause serious harm to the physical or mental health or condition of the data subject or any other person', unless it is information of which the patient is already aware. In such cases, there must first be an assessment by the doctor responsible for the person's clinical care.

It’s important to make a record of the assessment to ensure patient safety and in case you are later asked to justify why certain information was or wasn’t redacted. Your medical defence organisation can help you to decide whether it is reasonable to limit access to a patient’s record.

Information about third parties should be redacted, unless you are able to get consent from the person named. Information about the patient written by other healthcare professionals involved in their treatment may be disclosed. The MDU has further advice on third party redactions on GPonline here.

Communicating with patients

According to the ICO, your organisation needs to be satisfied of, and have confirmed, the identity of the requester (or the person the request is made on behalf of). The time limits for responding to a SAR only begin when the organisation receives the requested verification. This verification should, however, be requested promptly.

The ICO’s guidance also confirms that: ‘You are expected to give the individual additional information to aid their understanding, if the requested personal data is not in a form that they can easily understand. However, this is not meant to be onerous and you are not expected to translate information or decipher unintelligible written notes.’

In relation to medical records this may require acronyms to be spelled out or medical jargon to be explained in lay terms. Practices should also be prepared to explain diagnoses and treatments in more detail.
