It is estimated that insurers pay out more than £77m every day, including claims from those who had experienced a health emergency such as an injury or serious illness.
Given the large sums involved, insurers often seek information from policyholders’ GPs to help them assess claims or determine the correct premium level. However, as with all requests for personal information, practices should be wary about what they disclose and ensure they have proper consent.
The following scenarios have prompted calls to the MDU’s advice line.
We have received a subject access request for medical records from an insurance company acting on behalf of a patient. How should we respond?
A tailored GP report will enable the insurer to obtain the information they need, while respecting the patient’s rights to confidentiality. It should not usually be necessary for an insurance company to see a patient’s complete medical records, as these are likely to include irrelevant information, and processing such personal information is likely to be in breach of the Data Protection Act.
In 2015, the Information Commissioner’s Office (ICO) expressed concern about the inappropriate use of subject access requests (SARs) by the insurance industry. It states on its website that the right to make a subject access request was ‘designed to ensure individuals can access information held about them within a specified time period and at a nominal cost. This right was not designed to underpin the commercial processes of insurers.’
The ICO advises GPs to ‘explain to patients, in broad terms, the implications of making a subject access request (SAR) so they can make a more informed decision on whether they wish to exercise their rights under the Data Protection Act’. If the patient wishes to make an SAR, it recommends that GPs respond directly to patients, rather than insurance companies.
Do we need to seek direct consent from the patient?
The practice must ensure appropriate consent has been given. The insurer should usually provide a consent declaration (which can be in electronic form) but if in doubt you may still want to confirm this with the patient. It’s important the patient understands what information will be included, the potential consequences of such a disclosure and that you may not conceal or withhold any information.
Should we show patients the report before sending it to their insurer?
Patients are entitled to see insurance reports under the Access to Medical Reports Act 1988 and in most cases it’s advisable to give them the opportunity to see it before it is sent to the insurance company, unless they have already indicated they don’t wish to see it.
The exceptions are if viewing the report would be likely to cause serious harm to the patient or anyone else or reveal information about another person who does not consent. Get advice from your medical defence organisation if you think this might be the case.
If, on seeing the report, the patient objects to the contents, for example because of a factual inaccuracy, you may amend it if you are in agreement. Alternatively, you can add a commentary stating that the patient disagrees with the content. You should not amend it simply because the patient has asked you to do so, and you should not cross anything out.
Can relevant information be withheld from a report at the patient’s request?
The GMC says that doctors must ensure that any documents they sign are ‘not false or misleading’ by taking reasonable steps to check information is correct and not deliberately omitting relevant information.
Explain to the patient that you are unable to withhold relevant details and you cannot complete the report if asked to withhold information.
If the patient refuses consent in these circumstances, the report cannot be sent but they will need to know that the insurer is likely to draw its own conclusions.
What should we do about requests relating to deceased patients?
The patient's right to confidentiality extends beyond their death. If they had previously said that access should not be given, a note should have been made on their records and their wishes should usually be respected.
You could also ask the insurer if the patient had given consent on their policy application form, although if this was a long time ago or you are not certain that their consent is valid, it may be appropriate to seek the views of the executor or administrator of the patient's estate or their next of kin.
Rights of access to the records of deceased patients are covered by the Access to Health Records Act 1990 and the Access to Health Records (Northern Ireland) Order 1993 rather than the Data Protection Act 1998.
It’s important to consider the extent of the disclosure and its relevance. You must not release information that the deceased made clear they did not want released, nor should you release information about third parties or which is likely to cause serious harm to somebody’s physical or mental health.