Patients have had a legal right to request access to their medical records for many years. However, some general practices are unsure how best to respond to a subject access request, which is the formal name for such a request.
Patients are now more aware than ever of their right to access their personal information, so it is vital that your practice, as data controller, can deal with such requests appropriately.
Subject access requests (SARs) are governed by the General Data Protection Regulation (GDPR) and the Data Protection Act (DPA), both of which cover only living patients. It's important to note that requests for a deceased person's records are subject to the Access to Health Records Act 1990.
Complying with the law
The DPA enshrined the GDPR in UK law. All healthcare and other organisations have to comply with this legislation, which introduced several significant changes to the way a SAR should be handled compared with the previous law. The changes included:
- The SAR does not have to be in writing but can also be verbal and even by social media.
- The subject cannot be charged for copies of records unless the request is 'manifestly unfounded, excessive or repetitive'. You could then charge a reasonable fee. More detail is given on this below.
- You need to provide the information within one calendar month rather than the previous timeframe of 40 days.
- In Scotland, children aged 12 or over are presumed to have sufficient age and maturity to access their own records. In England, Wales and Northern Ireland, competence is assessed on a case-by-case basis. An older child may have the capacity to consent and, if they do, they should be asked for consent. Competent children may refuse access to their records unless the doctor believes disclosure is necessary to protect the child or young person, or someone else, from risk of death or serious harm.
- You should document access requests, reasons for any delay in providing the information and if requests are 'manifestly unfounded or excessive'. You should also document information provided about the right to complain to the ICO or judicial remedy.
There is currently no concise definition of what constitutes a manifestly unfounded or excessive request, or what a reasonable fee is. It is hoped this type of request will be rare and, when considering them, doctors should bear in mind their general duties towards patients as set out in Good medical practice and the GMC's guidance on confidentiality.
It may be helpful to discuss such cases with your data protection officer (DPO), and you can also get advice from the MDU or your own medical defence organisation.
In October 2020 the Information Commissioner's Office (ICO) published detailed right of access guidance to help identify what constitutes a manifestly excessive request. It expands the definition and clarifies what needs to be considered when deciding on a reasonable fee in these circumstances.
Another question that is often asked is whether insurance companies, solicitors or other third parties should be charged when requesting a patient’s records. Usually these organisations should not be charged if requesting records, with patient consent, under a SAR. However, other requests for information or reports by third parties should be dealt with in the usual way.
There are only limited situations in which you should deny or limit access to a patient's records following a SAR. The two main exemptions relate to information that is likely to cause serious harm and information relating to third parties.
Access can be limited or denied if it would be 'likely to cause serious harm to the physical or mental health or condition of the data subject or any other person', unless it is information of which the patient is already aware. In such cases, there must first be an assessment by the doctor responsible for the person's clinical care.
It’s important to make a record of the assessment to ensure patient safety and in case you are later asked to justify why certain information was or wasn’t redacted. Your medical defence organisation can help you to decide whether it is reasonable to limit access to a patient’s record.
Information about third parties should be redacted, unless you are able to get consent from the person named. Information about the patient written by other healthcare professionals involved in their treatment may be disclosed. The MDU has further advice on third party redactions on GPonline here.
Communicating with patients
According to the ICO, your organisation needs to be satisfied as to, and have confirmed, the identity of the requester (or the person on whose behalf the request is made). The time limit for responding to a SAR only begins when the organisation receives the requested verification. This verification should, however, be requested promptly.
The ICO’s guidance also confirms that: ‘You are expected to give the individual additional information to aid their understanding, if the requested personal data is not in a form that they can easily understand. However, this is not meant to be onerous and you are not expected to translate information or decipher unintelligible written notes.’
In relation to medical records this may require acronyms to be spelled out or medical jargon to be explained in lay terms. Practices should also be prepared to explain diagnoses and treatments in more detail.