On 25 May 2018 General Data Protection Regulation came into law whereby most processing of personal data by organisations has to comply with it.
GP practices frequently receive requests from people wishing to view or acquire copies of their health records or those of others.
The BMA has produced extensive guidance on this for practices which covers the following areas:
- defining a health record
- advice on record-keeping
- subject access requests
- requests for access on behalf of others
- requests by the police
- requests by insurers
- requests for access to the records of deceased patients
- records retention.
If you have any queries do not hesitate to contact us in the LMC office to discuss.
Solicitors using SARs to request patient data
A patient can authorise their solicitor, or another third party, to make a SAR on their behalf. There are very few circumstances when a GP will be able to lawfully decline.
Provided the solicitor has given the GP the patient’s written consent for the disclosure of the full medical record, the SAR from the solicitor should be treated in the same way as if it was made directly by the patient.
Charging a fee
Under GDPR, SARS are generally free of charge. Only if the SAR is considered to be ‘manifestly unfounded’ or ‘excessive’ can a ‘reasonable’ fee be charged.
The circumstances when a fee can be charged are rare and should be on a case by case basis.
The ICO has advised that a request could be deemed as ‘excessive’ if an individual was to receive information via a subject access request (SAR), and then request a copy of the same information within a short period of time. In this scenario, the organisation could charge a reasonable fee, or refuse the request.
Postage
Postage costs for SARs should not be charged for, unless they are 'unfounded or excessive'.
Online access guidance for clinicians and practice managers document here - Courtesy of University of Bristol.
Accelerated access to GP-held patient records 2023
From 31 October 2023, practices are contractually obligated to provide online records access for their patients. GPC England has written guidance to address common questions, key deadlines and practical considerations to extending online access:
- Flowchart - Patient Accelerated Access to Records decision making tool for practices
- Data Protection Impact Assessment (DPIA)
You may also find these additional resources useful:
- Template text message for practices
- Example webpage for practice website (linked to from text message)
- Application form for online access to the practice online services
LMC Statement September 2023