GPs can refuse insurers’ requests for patient records, commissioner’s office rules

Insurance companies requesting GPs release their patient’s entire medical record under the Data Protection Act are abusing fundamental rights enshrined in EU law, the Information Commissioner’s Office has ruled.

GPs are no longer obliged to comply with requests from insurers even when a patient has given consent and could even be in breach of the law themselves, the Information Commissioner said in a letter to the Association of British Insurers seen by Pulse.

Last year, Pulse reported that the ICO had launched an investigation into the use of ‘Subject Access Requests’ by British insurers seeking medical information to underwrite insurance policies.

As a result of this investigation, it ruled that ‘using individuals’ own data protection rights to side step the current statutory arrangements designed to meet the insurance industry’s needs, and including important safeguards for individuals, is not the appropriate approach.’

The GPC, which has previously raised the issue, said their concerns have been ‘vindicated’ by the ‘clear and unequivocal decision’.

Pulse originally reported that insurers had been using SARs to make insurance applications ‘quicker and smoother’, adding that they are ‘recognised across the insurance industry as a way to gather medical evidence’.

However, the ICO’s letter revealed that insurers could potentially be in breach of four of the DPA’s principles by making subject access requests in this way.

By doing so, it states, insurance companies potentially contravene principles around patients giving informed and explicit consent, data being kept longer than necessary and data security.

It adds that GPs – as the current data controllers – could also be in breach of the DPA if they release the whole record, including information not pertinent to the insurance report in question.

The letter states: ‘The Commissioner takes the view that the use of subject access rights [provided for under Article 8 of the EU Charter of Fundamental Right] to access medical records in this way is an abuse of those rights’.

The ICO concludes: ‘Using individuals’ own data protection rights to side step the current statutory arrangements designed to meet the insurance industry’s needs, and including important safeguards for individuals, is not the appropriate approach.’

Responding to the letter, Dr Paul Cundy, who first raised the issue with the ICO said: ‘We are obviously very pleased to have been vindicated with such a clear and unequivocal decision from the information commissioner. GPs must now provide PMARs and can decide how much to charge for them.

‘I suspect it would now be sensible for the ABI and the GPC to sit down to consider a new agreement.’

Pulse has approached the ABI for comment and is awaiting a response.