It is a long-established position, supported by data protection law, that patients are entitled to access their own medical records from their GP, a position only strengthened by the introduction of the General Data Protection Regulation (GDPR). Under the new regime, a patient’s subject access request (SAR) must be processed free of charge within 1 month of receiving the request, and the GP cannot question the reason for the patient’s request.
The aim of the new regime under GDPR is to promote transparency and compliance, whilst balancing this with the need for medical professionals to do their jobs as efficiently as possible and maintain a high level of patient care.
Since the introduction of GDPR, there has been a significant increase in the number of SARs across all sectors, which has increased the administrative burden on GPs to process such requests. However, many of the approaches GP practice staff used to ease the burden of dealing with SARs under the previous regulations will continue to be valid.
In light of the above, GP Practices could consider the following to assist in reducing the administrative burden of receiving a SAR:
• Practices may be able to comply with a SAR by offering the patient online access to their health records;
• SAR responses can be provided electronically (with the appropriate safeguards, such as encryption); hard copies need only be provided if the patient reasonably requests them;
• If the Practice holds extensive amounts of information in relation to the data subject, it can ask the patient, or their representative, to clarify what information is required in order to satisfy the SAR.
It is worth noting that whilst the cost of the initial copies of the SAR response must be borne by the Practice, further copies can be charged for.
As well as SARs received directly from patients, GP Practices are likely to receive SARs from third parties, such as legal representatives. When a SAR is received from a third party, Practices must request evidence of the data subject’s clear and specific authority for the third party to exercise their rights of access. General authority to act on the patient’s behalf will not be sufficient.
If Practices consider the information requested by the third party as being more than necessary or excessive, the GP can check with the patient that they are aware of the scope of the SAR, or provide the data directly to the patient and allow them to decide what should be passed on to the representative. Insurers are likely to continue requesting the information they require from GPs under the Access to Medical Reports Act 1988.
As can be seen from the above, although the introduction of the GDPR has resulted in an increase in SARs for GP Practices to deal with, there are ways in which this obligation can be managed so as to maintain a high standard of patient care whilst upholding patients’ information rights.
If you would like to speak to anyone about the issues raised in this article please contact Joan Pettingill or a member of our Data Protection team.
Please note this information is provided by way of example and may not be complete and is certainly not intended to constitute legal advice. You should take bespoke advice for your circumstances.