Vaccination passports add to demand for records access

ONE certain result of the coronavirus pandemic is that all of us have developed a heightened awareness of own health and medical history. This, combined with an increased emphasis on data protection and GDPR, has led to a rise in requests for access to medical records. Such requests could be set to further increase should ‘Covid passports’ become mandatory for foreign travel.

The relaxation in travel restrictions across the UK means that healthcare organisations need to prepare for more calls/contacts from patients regarding vaccination passports. Some practices are exploring the use of apps in managing these requests to reduce the potential burden – but this is not without risk.

Since April 2020, there has been a contractual obligation between NHS England and GP practices to allow patients online access to their medical records, facilitated via an NHS app. NHS England advised that vaccination status would be available on the NHS app to individuals from 17 May 2021. Those who do not have access to the app can also request this information by calling the NHS on 119 for a paper copy.

NHS England have also highlighted the importance of data quality in minimising impact on GP workload. Where a vaccination has been coded inaccurately this will prevent a vaccination certificate from being provided, and so patients will need to contact GP practices to have these errors corrected.

In Scotland, NHS Inform are also able to provide vaccination status, either by letter or online by logging in with the unique username printed on the original vaccination invitation letter. However, they warn that only people intending to travel within the next 21 days should be requesting this information. They state that access for everyone else will become available “very soon”.

How digital vaccination passports are managed will depend on which platform or app is being used and such capability is not yet available to patients in all parts of the UK – but in time it is likely such access will be required.

Pulse has reported that certain apps, such as myGP, may be able to provide this information without involvement of practices. However, there are concerns from GPs that automatic approval for access to records could risk information being disclosed inadvertently, and thus clinical review of the records is still likely to be required, with the added burden that facilitating such requests would entail.

At MDDUS we have seen an increase in calls relating specifically to this issue, and in particular what information it is advisable to disclose if patients only require evidence of vaccination status. No obvious shortcut for approving and providing such information has yet emerged.

Practices dealing with any request for access to records need to be aware of the key data protection issues involved.

Subject access requests

Patients have the legal right to view personal information held about them by any health and care organisation. Any such request is commonly known as a data subject access request (SAR), and the Information Commissioner’s Office (ICO) provides specific guidance on how organisations should handle such requests. GMC Confidentiality guidance also recognises the importance of respecting, and helping patients exercise, their right of access to their health records.

Only the data subject (the patient) or a representative acting with their consent can make a subject access request. Therefore it is vital first to confirm identification of the individual making the request and that any third party acting on behalf of a data subject has consent to be given access to the personal data.

Managing risks

There are circumstances when organisations can refuse to provide access or disclose information to a data subject or their representative. Information provided about the patient from a third party who has not provided consent to release should be redacted. Also, any information that may cause serious harm or distress to the patient if disclosed should also be redacted. The ICO has published guidance on how to disclose information safely and includes further information on redaction processes.

It is important to be clear what information the patient requires and to provide this in a way that is both suitable and secure. Once you establish what information is required it may be possible to allow access from a certain date onwards, thereby reducing the redaction process. Access to older records may be more easily provided in print form and redacted as necessary.

Managing the process

Experienced non-clinical staff within a practice may be delegated to start the selection and redaction process but decisions should be reviewed by a clinician before disclosing records to the patient. This is important to prevent any potential seriously harmful information not immediately obvious to a non-clinician being disclosed. There are a number of commercial companies that offer vetting and redaction services and, while this may sound very tempting on efficiency grounds, practices must consider their risks and legal obligations under GDPR before agreeing to such third-party sub-contracting arrangements.

Patients have a right of access to accurate information and it is important to take steps to consider and, where necessary, correct any factual discrepancies.

Organisations must comply with a subject access request within one month of receipt of a request and, depending on demand, this may be difficult to comply with, particularly by healthcare organisations also coping with the impact of Covid-19. The ICO says that the one month timescale can be extended by two months if the request is complex or if there are a number of requests from the individual. It also recognises the additional pressure some organisations are under and has stated that it will take a proportionate view of complaints raised in this matter.

Action points

• Be aware of regulatory guidance on disclosing patient information.
• Be satisfied you have confirmed the patient’s identification or gained their consent if the request is by a representative, before granting access to personal information.
• Ensure staff are aware of the policy in place for access and the requirement to redact information, as per GDPR.
• Ensure any redaction process is reviewed by a clinician before disclosure.
• Known inaccuracies must be reviewed and rectified promptly if appropriate.

Kay Louise Grant is a risk adviser at MDDUS