For some time insurance companies have been obtaining full medical records for patients by using subject access reports (SAR) under the Data Protection Act 1998, rather than asking for a report from the applicant’s GP.
The BMA has sought advice on this matter from the Information Commissioner’s Office (ICO). As a result the ICO has written to the Association of British Insurers saying that processing of full medical records by insurers is likely to ‘fall foul’ of the Data Protection Act.
What should practices do?
However, the ICO’s view does not mean that GPs can refuse outright to respond to SARs for insurance purposes. The BMA is seeking further clarification on this, but it is currently providing the following advice to practices:
If a practice receives a SAR from an insurance company, the GP should contact the patient and explain the implications of the request and the extent of the disclosure.
The ICO says that the GP should provide the SAR information to the patient themselves rather than to the insurance company.
The BMA has produced a template letter for GPs to send to patients, which offers the individual a choice between a SAR, which they themselves would be able to provide to the insurer, or asking their insurance company to seek a GP report.
The BMA expects that insurance companies will discontinue the use of SARs and will revert to requesting medical reports.
Practices are able to apply for a fee for completing these reports, in line with the work involved, and should agree this fee in advance with the requestor.
SAR requests for non-insurance purposes
This guidance relates to SARs for insurance purposes only. Under the Data Protection Act an individual is entitled to make a SAR via a third party. The BMA guidance says that when the third party is acting on behalf of the patient, such requests are appropriate.
Electronic consent for GP reports
The BMA guidance also says that when practices agree to provide a GP report for an insurance company, electronic consent is acceptable. However, GPs must satisfy themselves that the patient has consented to the report and, if in doubt, check with the patient before providing the report.