Health professionals often receive requests from people who wish to access health records.
These can include requests from patients to view or obtain copies of their own health record using GDPR subject access request (SAR) rights, or requests from third parties, such as the police.
Sometimes the requests are for access to the records of deceased patients.
Access to health records guidance
Our guidance covers the following areas:
- defining a health record
- advice on record-keeping
- subject access requests
- requests for access on behalf of others
- requests by the police
- requests by insurers
- requests for access to the records of deceased patients
- records retention.
Solicitors using SARs to request patient data
A patient can authorise their solicitor, or another third party, to make a SAR on their behalf. There are very few circumstances when a GP will be able to lawfully decline.
Provided the solicitor has given the GP the patient’s written consent for the disclosure of the full medical record, the SAR from the solicitor should be treated in the same way as if it was made directly by the patient.
Past medical histories are highly relevant in compensation or insurance claims.
What about insurers?
There is a clear distinction between a SAR from a solicitor who is acting in the interests of the patient and a SAR from an insurance company.
The ICO has said that the use of SARs by insurance companies to obtain full medical records is an abuse of SAR rights.
Read our guidance on SARs from insurers
A SAR for a legal claim
The purpose of the SAR should not affect whether or not GPs should comply. There is no requirement under the GDPR for the patient (or solicitor acting on their behalf) to state the purpose of the SAR.
In short, SARs are ‘purpose-blind’.
Charging a fee
Under GDPR, SARs are generally free of charge. Only if the SAR is considered to be ‘manifestly unfounded’ or ‘excessive’ can a ‘reasonable’ fee be charged.
The circumstances when a fee can be charged are rare and should be assessed on a case-by-case basis.
The ICO has advised that a request could be deemed as ‘excessive’ if an individual was to receive information via a subject access request (SAR), and then request a copy of the same information within a short period of time. In this scenario, the organisation could charge a reasonable fee, or refuse the request.
Postage costs for SARs should not be charged unless the request is 'unfounded or excessive'.
Differences between a SAR and a request under the Access to Medical Reports Act
- If the request from the solicitor is for a copy of, or some of, the patient’s medical record, it is a SAR.
- If the request asks for a report to be written or for an interpretation of information within the record, it goes beyond a SAR and a fee can be charged.
- It is okay for GPs to ask the solicitor about the nature of the request.
- If the solicitor confirms that they are seeking a copy of the medical record then this should be treated as a SAR and complied with in the usual way.
Solicitors attending the practice
Provided the patient has given written consent to the full medical record being accessed, the GDPR does not prevent a solicitor from attending a practice in order to make a copy of the medical record.
Before the solicitor accesses the record, the practice must review it to ensure that third-party information and information which might cause serious harm to the patient or another individual is removed.
The practice would also need to be able to offer facilities where the viewing wouldn't cause risks to confidentiality.
Practices cannot, however, insist that solicitors attend in person to take copies if they don't want to.
Solicitors can take photos of the record with the patient's consent.