The GDPR will bring many changes to general practice. One of the greatest concerns for practice managers is how the new subject access obligations can be met without a detrimental effect on staff workload and resources.
Subject access requests: Initial steps
Patients make subject access requests for various reasons, including keeping a record for personal reference, to jog their memory of distant events, or to investigate a potential complaint or claim. Patients do not need to provide practices with the reason for their request.
You should ensure that the person making the request is in fact the patient to whom the record relates. If you are in any doubt, it is reasonable to ask the patient to provide more information, such as their date of birth, a passport or a birth certificate. It is reasonable to ask the patient to put their request in writing, for example by emailing the practice.
Do you have to provide an electronic copy of the records?
The Information Commissioner’s Office (ICO) has published a guide to the GDPR, including specific references to an individual’s right of access to information. The GDPR states that if a subject access request is made electronically, you should provide the information in a commonly used electronic format.
Patients who make requests in writing may also wish to receive their information electronically. However, if patients request their information in paper format, this should be accommodated.
The GDPR also recommends that, where possible, organisations should be able to provide remote access to a secure self-service system which would provide the individual with direct access to his or her information.
Most practices now provide patients with online access to their records if they request this. You should clarify with the patient if there is a specific time period of records they wish to review, or whether they would prefer to review the entire record. You should only provide access to the full historical record (ensuring that any third-party information is removed - see below) if the patient asks for it.
How long do you have to comply with the request?
Information must be provided without delay and at the latest within one month of receiving the request, rather than the previous 40 days.
You may be able to extend this period by a further two months where requests are complex or numerous. Should you require more time, you must inform the patient within one month of the receipt of the request and explain why the extension is necessary.
Can you charge a fee?
In most cases you will no longer be able to charge a fee for providing copies of medical records to patients. However, the ICO states that you can charge a ‘reasonable fee’ to cover administrative costs, when a request is ‘manifestly unfounded or excessive’, particularly if it is repetitive.
You may also charge a reasonable fee to comply with requests for further copies of the same information. However, this does not mean that you can charge for all subsequent access requests.
You may need to justify any charges if a patient complains to the ICO.
What about requests from solicitors or insurance companies?
These are still subject access requests and the requirements are therefore the same as if a patient requested the information. You should ensure that the patient has signed appropriate consent for the disclosure of their personal data to solicitors or insurance companies.
As with requests from individuals, practices can only charge for requests that are ‘manifestly unfounded or excessive’ or for requests for the same information already provided to that requester.
Can you refuse to comply with a subject access request?
The GDPR states that you can refuse requests that are ‘manifestly unfounded or excessive’. If you refuse a request, you must tell patients your reasons within one month, and inform them of their right to make a complaint to the ICO.
What information should be redacted?
Third-party information should be removed before access to the records is provided. Third-party information is that which discloses information relating to or provided by a third party who has not consented to that disclosure, for example, information provided by relatives in confidence.
Usually, the identity of treating clinicians is not considered as third-party information except when there are personal details about them. For instance, if a patient’s record states that Dr A saw the patient as Dr B was sick, this information should be redacted because it is clearly confidential information relating to Dr B’s health.
You should also consider redacting any information that, if released, may cause serious harm to the physical or mental health of the patient, or to any other person. However, such circumstances are rare.
5 steps to take now
- Familiarise yourself with the ICO guidance on subject access requests.
- Provide staff training on the changes to subject access requests.
- Update your practice protocol to reflect the GDPR changes.
- Consider allowing extra resources in the first few weeks, to ensure you can meet any patient demand within the new turnaround times.
- Ensure patients are aware of their right of access as part of your practice privacy notice.
Dr Rachel Birch is medico-legal adviser at Medical Protection