A GP surgery receives a subject access request from a patient – Mr Jason D – wanting a copy of his full medical records in regard to a complaint he made to the practice two months previous. The surgery complies fully under the requirements of the Data Protection Act and a week later sends the copy records.
Mr D phones the surgery and angrily demands to speak with one of the partners. The practice manager takes the call. Mr D states that in looking through the records he has come across a letter written two months ago by one of the GPs – Dr K – to an insurance company. It relates to an insurance claim for a back injury at work and subsequent treatment for depression. The letter also refers to appended medical records for the previous two years. Though Mr D’s name appears at the top of the letter none of the details apply to him. He is now upset and worried that his own personal medical records may have been sent to the insurance company. The practice manager says she will investigate.
Later on day nine
The practice manager pulls Mr D’s medical files and finds the letter in question. Checking the reference number on the letter she discovers it refers to a different patient – Mr Jason O – who had suffered an injury at work. The report was requested in order to process the resulting insurance claim. The practice manager phones the insurance agent dealing with the case who confirms that the appended medical notes do indeed appear to be those of Jason D not Jason O. The practice manager phones Mr D back and admits that there does appear to have been an inappropriate disclosure of his medical records.
The practice receives an official letter of complaint from Mr D alleging breach of the Data Protection Act 1998. He demands an explanation of how this happened and exact details of the records sent. He also wants proof that the copy records held by the insurance company have been either returned or securely destroyed/removed from their computer system.
ANALYSIS/OUTCOME: Further investigation is conducted by the practice manager and this results in an adverse incident report detailing the events that led to the breach. The case began with a request for information by the insurance company on the medical status of Jason O in relation to his back injury at work. The request included a permission form from Mr O consenting to the disclosure.
a medical secretary. The correct reference number relating to the insurance query was included in the letter but there was some obvious confusion with both patients having the same first name. This may have been related to an interruption either during the dictation or transcription of the letter.
The letter was returned to Dr K who signed it without recognising the error. Seeing Mr D’s name at the top of the letter the secretary appended the wrong medical records and posted the material to the insurance company. A third error occurred at the insurance company when the processor failed to notice that the medical records did not refer to the subject of the claim – Mr O. Fortunately the claim was still pending when the error was discovered.
In rectifying the error the practice contacted Mr O and informed him of the mistake and made an unreserved apology to both patients – admitting breach of the Data Protection Act. In the adverse incident report it pledged to review working practices at the surgery to minimise unplanned interruptions to doctors and secretaries undertaking administrative tasks. It developed a new protocol for document management – including steps to ensure that file attachments are appended and stapled to letters before signature.
The incident was also subject to review and discussion among staff at a practice meeting with the internal report concluding: “This is a stark reminder to us all, to thoroughly check our own work and that of our colleagues”.
- Minor administrative errors can lead to major adverse incidents.
- Carefully check all subject access requests against guidelines set out by the ICO (Information Commissioner’s Office; see page 7 in this issue).
- Develop document protocols that guard against disclosure errors.