Introduction
Under the terms of the Data Protection Act, we as the “data controller” have a responsibility to ensure the confidentiality and integrity of the information we hold about you. Furthermore, as your doctor we have a responsibility to ensure the confidentiality of matters of a sensitive medical, psychological, and emotional nature.
A subject access request (SAR) requires us as data controller to give you as the “subject” access to all data we hold about you. This includes every recorded encounter you have had with any GP or nurse in the surgery, as well as copies of all hospital letters, test results and prescriptions issued.
Insurance Companies
Insurance companies require medical information from you and from us to assess your risk of illness, death and disability. There is a system in place for GPs to give a pertinent summary of all relevant medical information (excluding information of a sensitive or irrelevant nature) by way of an industry-approved General Practitioner’s Report (GPR). The format of this report was agreed by the Association of British Insurers and the British Medical Association. This system has been in place since then and a fee is paid by the insurance company to us to ensure a prompt, efficient service.
Lately some companies have been using the SAR system to obtain patients’ full medical records. We have reason to believe that this may be done to reduce costs to the insurance company. More worryingly, we are concerned that our patients may not have received adequate explanation that their full record will be given to the insurance company, or that there is a simpler system in place whereby we can provide a GP report (or GPR) which releases only the relevant information.
Once we release a medical record to a third party we are no longer the data controller for that information, and we have no control over how that information is stored, used, or shared. As a result, we no longer respond to subject access requests by insurance companies. We have written to your insurance company to suggest that they submit a request to us for a GP report.
Should you wish to submit a subject access request to have copies of your full medical record under the terms of the Data Protection Act, you may do so. Your medical records are held on a combination of paper (for older records) and computer (for new records). We will be able to liaise with you directly to provide this information within forty days. If, however, you wish us to provide a standard report, we recommend that you contact your insurance company directly to express your preference for a General Practitioner’s Report (GPR).
Update
The Information Commissioner’s Office (ICO) has recently ruled on the use of SARs by insurance companies to obtain full copies of patient medical records. In brief, the ICO determined that the use of SARs in this way was inappropriate and has written to the Association of British Insurers (ABI) to advise them of this. In light of the ICO ruling, the British Medical Association (BMA) has produced a guidance document, “Focus On Subject Access Requests for Insurance Purposes”.
As a result, we will no longer supply insurance companies with full copies of your medical records.