Access to Medical Records
The law states that organisations must, when requested by an individual, give that person access to their personal health information and, occasionally, certain relevant information pertaining to others. To do this, they must have procedures in place that allow for the easy retrieval and assimilation of this information.
Application for third-party access to healthcare information
To maintain our patients’ confidence, at Hightown Surgery we will not divulge any medical information about you unless it is legally appropriate, or we have your consent to do so.
Disclaimer:
It is also your responsibility to keep us informed as to who can access and discuss specific areas of your medical record as detailed on the form. Should your circumstances change, it is your responsibility to advise this practice.
Hightown Surgery relinquishes all responsibility should the above information become incorrect if not updated.
Third party information
Patient and organisational records may contain confidential information that relates to a third person. This may be information from or about another person. It may be entered in the record intentionally or by accident.
It does not include information about or provided by a third party that the patient would normally have access to, such as hospital letters.
All confidential third-party information will be removed or redacted. This will be reviewed and highlighted by the appropriate responsible clinician or data controller. If this is not possible then access to the information will be refused.
Subject Access Requests – FAQs
How do I make a request?
SARs are predominantly used for access to, and the provision of, copies of medical records.
This type of request need not always be in writing (e.g., letter, e-mail).
Patients (data subjects) can also use a SAR application form, which allows you to specify the date range or specific part of your medical record that you require.
Click this link for the SAR application form
Requests may be received from the following:
- Competent patients
May apply for access to their own records or authorise third party access to their records.
- Children and young people
May also apply in the same manner as other competent patients. This organisation will not automatically presume that a child or young person under the age of 16 has capacity. However, those aged 13 or over are expected to have the capacity to consent to medical information being disclosed.
- Parents
May apply to access their child’s health record providing this is not in contradiction of the wishes of the competent child.
- Individuals with a responsibility for adults who lack capacity
Are not automatically entitled to access the individual’s health records. This organisation will ensure that the patient’s capacity is judged in relation to the particular decisions being made.
- Next of kin
Have no rights of access to health records.
- Police
In all cases, the practice can release confidential information if the patient has given his/her consent (preferably in writing) and understands the consequences of making that decision. There is, however, no legal obligation to disclose information to the police unless there is a court order or this is required under statutes (e.g., Road Traffic Act 2006).
Nevertheless, health professionals have a power under the Data Protection Act 2018 and the Crime and Disorder Act 1998 to release confidential health records without consent for the purposes of the prevention or detection of crime or the apprehension or prosecution of offenders. The release of the information must be necessary for the administration of justice and is only lawful if this is necessary:
- To protect the patient or another person’s vital interests, or
- For the purposes of the prevention or detection of any unlawful act where seeking consent would prejudice those purposes and disclosure is in the substantial public interest (e.g., when the seriousness of the crime means there is a pressing social need for disclosure)
Only information that is strictly relevant to a specific police investigation should be considered for release and only then if the police investigation would be seriously prejudiced or delayed without it. The police should be asked to provide written reasons why this information is relevant and essential for them to conclude their investigations.
- Court representatives
A person appointed by the court to manage the affairs of a patient who is incapable of managing his or her own affairs may make an application. Access may be denied when the responsible clinician is of the opinion that the patient underwent relevant examinations or investigations in the expectation that the information would not be disclosed to the applicant.
- Patient representatives/solicitors
A patient can give written authorisation for a person (for example a solicitor or relative) to make an application on their behalf for copies of their medical records.
We will carry out further checks and ask for express written consent from you before we disclose SAR information to anyone other than our patient.
- Requests for insurance medical reports
SARs are not appropriate should an insurance company require health data to assess a claim. The correct process for this at this organisation is for the insurer to use the Access to Medical Reports Act 1988 when requesting a GP report and pay the appropriate fee. This work does not form part of our NHS contract and is therefore chargeable.
Is releasing the SAR ‘processing personal data’?
Disclosing SAR information directly to our patient (the data subject) is a legal obligation under Article 15 of the GDPR – it is a data subject right.
Disclosing the SAR information, with or without the data subject’s consent (or form of authority), to a third party is processing of personal data. It would be transfer of confidential medical information from one data controller to another (a third party). Such disclosure to a third party is not a legal obligation.
Timeframe for responding to requests
In accordance with the UK GDPR, patients are entitled to receive a response within the maximum given time frame of one calendar month from the date of submission of the SAR.
In the case of complex or multiple requests, we may extend the response time by a period of two months. In such instances, we will inform you why a processing extension is required.
Should the request involve a large amount of information, we will ask you to specify what data you require before responding to the request. As data controllers we are permitted to ‘stop the clock’ in relation to the response time until clarification is received.
Fees
With regard to the UK GDPR, SARs are generally free of charge. Only if the SAR is ‘manifestly unfounded’ or ‘excessive’ can a ‘reasonable’ fee be charged.
Chargeable fees for a SAR
Should a SAR be initiated by a solicitor and they are asking for a report to be written, or the request is asking for an interpretation of information within the record, this request goes beyond a SAR and therefore a fee can be charged. The organisation may ask the solicitor the nature of the request to confirm if this should be charged for or not.
If the solicitor confirms that they are seeking a copy of the medical record, then this will be treated as a SAR and complied with in the usual way.
Method of response to requests
We will notify you when the SAR is available for collection in person from the practice. You will need to show suitable ID before the information will be released to you.
When collecting your SAR information, we will require formal identification through two forms of ID, one of which must contain a photo.
Acceptable documents include passports, photo driving licences and bank statements but not bills.
When a patient may not have suitable photographic identification, vouching with confirmation of information held in the medical record will be considered.
We are under no obligation to post, fax, courier or deliver in any other way a printed SAR to an individual’s home or any other address.
If you require the information sent in electronic format, we will require this in writing, and you will need to acknowledge/agree that you understand the risk of receiving your personal data by unencrypted means.
If you intend to release information from your SAR to a third party, please ensure you read through your GP record so that you know the sensitive information it contains and ensure that what you choose to share is relevant and appropriate to your claim/case.
It is for you to determine what information from your GP record you wish to provide to a third-party organisation.
iGPR
Our practice has decided to outsource some of our medical reporting work to an NHS Digital accredited company called iGPR.
iGPR Technologies Limited will be processing medical reports and subject access requests and providing online access via their secure encrypted portal.
Refusal to comply with a request
This practice will only refuse to comply with a SAR when exemption applies or when the request is manifestly unfounded or manifestly excessive. In such situations we will inform you of:
- The reasons why the SAR was refused
- Your right to submit a complaint to the ICO
- Your ability to seek enforcement of this right through the courts
Each request must be given careful consideration and, should it be refused, this must be recorded and the reasons for refusal justifiable.
The ICO details that an organisation, being the data controller, has the right to refuse any online access or SAR, although any such refusal will be within the allotted timescale and the reasons for the refusal will be given.
Denial or limitation of information
Access will be denied or limited when, in the reasonable opinion of the responsible clinician:
- Access to such information would not be in the person’s best interests because it is likely to cause serious harm to the person’s physical or mental health, or to the physical or mental health of any other person
- The information includes a reference to any third party who has not consented to its disclosure
A reason for denial of information will be recorded in the medical records and when possible and appropriate, an appointment will be made with the patient to explain the decision.
If you disagree with the actions being taken, then you have the right to make a complaint to the Information Commissioner’s Office (ICO) at:
Address: Information Commissioner’s Office
Wycliffe House
Water Lane
WILMSLOW
SK9 5AF
Telephone: 0303 123 1113