TO DISCLOSE or not to disclose – that may be the question but what’s the answer? Deciding how to comply with the numerous types of requests for access to medical or dental records from various sources is a regular feature of general practice today. Patients, police, lawyers, social workers, insurance companies – the list is endless. And some requests can be quite unusual and the appropriate response not entirely obvious.
At MDDUS our medical and dental advisers receive calls on a regular basis from practice managers or practitioners seeking advice on how to respond to such requests. We encourage members to get in touch with specific queries but it is helpful and important to have an overview of the legal framework behind records requests.
WHAT AND WHAT NOT TO DISCLOSE
The Data Protection Act 1998 gives all patients the right of access to all computerised and manual records which contain information about their physical or mental health. This Act will be very familiar to many practice managers and stipulates a 40-day turnaround from the request being received in writing by the data controller. But what are you to give access to? In the legal team we sometimes are provided with records which have been recovered by patients and handed over to their solicitors to commence a claim. In those records we will see documents which should not form part of the clinical record and may in fact be prejudicial to a claim. Only disclose records of clinical relevance and do not include:
• correspondence with the MDDUS medical or dental adviser
• GMC/GDC correspondence
• correspondence with solicitors/DVLA/insurance companies
• case conference notes.
AUTHORITY TO DISCLOSE
It’s also important to know who has made the request and if they are authorised to do so. Requests do not always come from patients and it’s important to check that the authorisation is valid and is signed and dated.
In requests for access to children’s records, check that the person making the request has parental rights. Generally speaking parents can exercise their parental rights and responsibilities without the consent of the other parent and this would include access to records. However, some parents have had their rights restricted or removed and it’s important to check that the request is valid. This is particularly the case with unmarried parents. If the father’s name is not on the birth certificate and he has not been granted parental rights by agreement or by court order then he is not entitled to have sight of his child's records. Equally important is to consider the age of the child as he or she may be legally competent to consent to the release of the records.
Requests of course don’t just come from patients. In our compensation culture solicitors will regularly write for either access to their client’s records or for a report on their condition. Again the golden rule is carefully check the request and ensure you have a signed and valid mandate from your patient. Only provide what is requested and don’t provide all the records if you are only asked to provide records from a certain date or relating to a specific illness or accident. If in doubt ask the MDDUS or consult your patient.
Similarly, orders from the courts can require you to produce records. Read the court order carefully as there will be time limits and instructions as to how the records are to be disclosed and to whom. Make sure that you only provide the records which the order requests.
Access can be denied to the records in some circumstances, particularly if:
• Disclosure would cause serious harm to the physical or mental health of the patient or any other person.
• Information was provided on the basis that it would not be disclosed to the person making the request.
• Information was obtained following an examination which the patient consented to on the basis that it would not be disclosed.
• Information is in the records which the patient has expressly indicated should not be disclosed.
REQUESTS BY POLICE
The police have specific powers to request records in terms of section 29 of the Data Protection Act when they are in the course of a criminal investigation. There is a tension here between the Act and the GMC advice which requires the crime to be “serious”. It is unlikely in these circumstances that the police will agree to you seeking consent from the patient if you have a concern about whether the crime falls into the serious category. In such a scenario it would be important to keep notes of any discussions with the police, to contact the MDDUS for advice, to record this advice and only to comply with the request if it is then deemed appropriate. As long as you have acted in good faith and taken appropriate advice, the GMC should be satisfied that you have complied with Good Medical Practice. The next edition of Practice Manager will feature an article on dealing with police requests for patient information.
Remember that if you are in doubt about a disclosure request it’s always better to ask for some guidance. Hefty fines can be imposed by the Information Commissioner if personal data gets into the wrong hands. Hertfordshire County Council were fined £100,000 for faxing information about a child abuse case to the wrong recipient. Our advisers are only a phone call away.
Lindsey McGregor is a solicitor at MDDUS
(This article was modified on June 9, 2011)
Below are examples of some typical disclosure requests.
A practice manager contacts the MDDUS over a patient who died last year. The practice has received a request from the insurer of the trustee in bankruptcy to release the deceased’s medical records. The Access to Health Records Act 1990 applies to the records of a patient who has died. Anyone who has a claim arising out of the patient’s death including a trustee in bankruptcy may apply for access to the records. This would include an executor. However, there are exemptions on what can be disclosed and the practitioner must be satisfied that only information directly relevant to the claim is disclosed. The following must also be considered:
• Did the deceased request non disclosure of the records?
• Are third parties identified?
• Will disclosure result in serious harm to a third party’s physical or mental health?
• Was information provided on the basis that it was confidential?
• Do the terms and conditions of the insurance policy provide evidence of consent to release the records?
A dentist, Mr B, contacts the MDDUS as he has been asked by the father of two patients aged 12 and 15 to disclose their records. The parents are separated with the daughter residing with the mother and the son with the father. The father anticipates that the mother will refuse to consent. The children in this scenario could request access to their own records and this might be one route to suggest, however this draws the children into a dispute which could arise between the parents. Given the father claims to have parental rights, Mr B does not require to seek the mother’s consent but to be sure he could ask to see the birth certificates. Given the ages of the children Mr B should seek their consent unless there is a question of competence.
Dr H receives a request for access to records of children by a father who is in prison, convicted of murdering his wife. He still has parental rights. However the maternal grandparents also have parental rights. One child is 15 but the other is 7. The GP practice confirms proof of parental rights from the grandparents and properly seeks their views in relation the younger child. The older child should be able to refuse on her own behalf if judged competent to do so. The GP could have also refused access on the basis of the serious harm test referred to earlier.