Disclosure of patient records has become an increasingly complex legal area, and knowing how to respond appropriately to different types of access requests poses an ongoing challenge for busy practices. Requests can come from patients themselves, the police, lawyers, social workers and insurance companies – and the appropriate response is not always straightforward.
Requests from patients
Patients have rights under the Data Protection Act 2018 to make a subject access request (SAR) for personal information held about them, including “data concerning health”. This is defined as personal data relating to the physical or mental health of an individual, including the provision of care services which may reveal information about their health status. Such requests may be made either verbally or in writing and the practice has one month to respond. Nothing in the legislation prevents a doctor sharing personal information on an informal basis with a patient, for example if a single document is requested, such as a copy of a test result.
When supplying copies of medical or dental records for any approved disclosure, it is important to check that only records which contain the patient’s personal data are disclosed. For example, if health data contains personal data relating to someone other than the requester (such as a family member), you must consider the rules about third-party data before disclosing. You should not normally withhold information that identifies a health professional, such as a doctor, dentist or nurse, carrying out their duties.
You can refuse to comply with an SAR for health data if this would be likely to cause serious harm to the physical or mental health of any individual. This is known as the ‘serious harm test’.
Documents which should not be disclosed
If the patient has pursued a complaint against you, made a referral to your regulator, or intimated a claim against you, then as a general rule correspondence with your legal advisers will not be disclosable. For example, correspondence with solicitors acting on your behalf, any draft expert reports and draft witness statements would be unlikely to be disclosable and would be protected by legal privilege . You should ensure that this documentation is not stored in the patient’s medical records to prevent erroneous disclosure.
If you are unsure whether documentation should be disclosed, seek advice from MDDUS in the first instance.
Disclosure of a child’s records
A person requesting access to the clinical records of a child under the age of twelve (or older and lacking capacity) must have valid parental rights, or the request must be subject to other lawful authority (e.g. if the child is subject to a care or supervision order). Parents can generally exercise parental rights and responsibilities without the consent of the other parent. Some parents may have had their rights restricted or indeed removed.
People over the age of 16 in England, Wales and Northern Ireland are considered legally competent to consent to the release of their own records; under-16 children can consent if deemed to fully understand the nature of the request (Gillick competent). In Scotland, anyone aged 12 or over is presumed to be legally competent. Practices should take this into consideration when a request is received from a parent.
Requests from solicitors
Another common source of requests is solicitors acting on behalf of patients in clinical negligence claims, and occasionally acting on behalf of defendants seeking information from the notes of victims for the purpose of criminal investigation, or defence of a civil claim. Here, it is vital that you first carefully check that you have been provided with a signed and dated mandate from your patient confirming their consent. It is the solicitor’s responsibility to provide this evidence.
You should only provide what has been requested, for example in relation to a particular illness or treatment or restricted to specified dates. Third-party or potentially harmful information should be redacted. If you are in doubt, or suspect that you are being asked to disclose excessive personal information, contact the patient and make them aware of your concerns. You can also contact MDDUS for advice.
Requests from insurance companies
An SAR would not be appropriate if an insurance company is requesting the documents (as the third party’s interests are not aligned with the patient’s) - for example, if an insurance company requests access to health data to assess a claim. Such requests should be limited to a specific medical report, providing only the information the insurer needs (Access to Medical Reports Act 1988). The patient must be given up to 21 days to view the content of the report and provide consent before it is released to the requesting company.
Court orders can compel you to produce a copy of records. It is important to read the order and specification of documents carefully as there may be specific time limits and instructions on how the records are to be provided and to whom.
The police have a legal duty to carry out criminal investigations, which may include requests for patient records or specific information that would otherwise be classed as confidential to the patient. There is a tension between this and current regulatory advice. For example, the GMC states that the crime being investigated should be ‘serious’, but the definition is not always straightforward (see Note 23 of GMC Confidentiality). It is unlikely that the police would agree to seeking consent from the patient beforehand in criminal investigations. Where you are uncertain if the circumstances come under the ‘serious crime’ category, such as assault or rape, it is important to contact MDDUS for advice (and record that advice) before deciding whether to comply with the request. You should also keep accurate notes about any discussion you have with the police.
Social workers may also request access to records during child protection investigations, and practices should carefully follow local child protection procedures and guidelines to ensure that vital information is appropriately and timeously shared with the relevant authorities. However, this does not mean that such requests should be made informally (for example, over the telephone), unless it is an emergency situation. You should always consider the need for consent and only breach if there is a valid reason to do so. For example, it may not always be appropriate to share information about a third-party adult without consent.
The definition of personal data only relates to living individuals, so solicitors cannot use an SAR to obtain information about a deceased patient. To obtain records of a deceased patient (for example, when acting on behalf of the executor of a will or a person with a valid claim arising out of the patient’s death), solicitors may be able to access this information under the Access to Health Records Act 1990 or the Access to Health Records (Northern Ireland) Order 1993 . See Patient confidentiality after death for more information and contact MDDUS for specific advice on assessing such requests.
Denying access to records
There are specific non-statutory conditions where access to patient records can legitimately be denied. These include:
- disclosures that may cause serious harm to the physical or mental health of the patient or any other person
- information provided on the basis that it would not be disclosed to the specific individual making the access request
- information obtained following an examination consented to by a patient but on the basis that it would not be further disclosed
- sensitive information in the record which the patient has specifically indicated should not be disclosed, or in the opinion of the doctor or dentist would likely be the case even if not stipulated by the patient.
This can be a complex area to navigate and we would always strongly advise that if in doubt about a request, seek guidance from MDDUS before disclosing. The penalties under DPA for improper disclosure are significant if personal data gets into the wrong hands.
- Take time to consider the legitimacy of requests received.
- Consider whether specific patient consent is necessary or valid.
- Carefully check the identity of the person or party requesting access to the records.
- If unsure, seek advice from MDDUS before disclosing information
Alan Frame, risk adviser, MDDUS