ICO wades in over insurer asking for full GP records

The Information Commissioner’s Office is to question a major insurance provider after learning that it has been requesting patients’ full GP records to underwrite some insurance policies rather than only relevant information.

An ICO spokesperson said it would be contacting insurer Aviva to ‘understand more’ about their use of ‘subject access requests’ for collecting medical information on patients and ‘how these accord with the [Data Protection] Act’.

Meanwhile, Aviva confirmed to Pulse that it has been using the method - with customer consent - for ‘almost 12 months’.

An ICO spokesperson said: ‘The Data Protection Act provides individuals with a right to make a subject access request to find out what information is held about them and to hold organisations to account. These requests are powerful and lead to all of the information held by an organisation being disclosed.’

‘There are already specific means for insurers to find out relevant medical information with appropriate safeguards. We will be contacting Aviva to understand more about their use of subject access requests and how these accord with the Act.’

However, Aviva said the choice for how access to medical records was obtained was left to the customer and that subject access requests were used only with their written consent.

A spokesperson said: ‘If a customer discloses information which requires confirmation from their doctor, they have a choice about how we obtain this information. The customer can choose whether we receive a medical report - under the Access to Medical Reports Act - or they can make a subject access request to their doctor - under the Data Protection Act - in accordance with their legal right to obtain access to their medical information.’

‘Subject access requests which obtain a person’s full medical history, are recognised across the insurance industry as a way to gather medical evidence. They can help to provide a quicker, smoother application journey for customers. Customers are under no obligation and we will only use this approach if they have signed a health records consent form which enables us to do so. This form includes a tickbox option which customers can select if they do not wish Aviva to receive a full copy of their health records by way of a subject access request.’

According to Aviva, the method is preferred in many cases because it requires less work on the part of the GP and can therefore speed up the process of obtaining insurance cover.

The spokesperson said: ‘They are a preferred option for some insurers as they tend to return information to the insurer much quicker than a tailored medical report, which requires more involvement from the GP. The BMA has also advised doctors to comply with requests from insurers for full medical records.’

‘Obtaining a customer’s full medical history also means that the likelihood of receiving an incomplete report is greatly reduced when the insurer requests full medical information. This can help to minimise any delays to the customer, and ensure that they obtain cover as quickly as possible. It has been our practice to allow customers to select either method for almost 12 months and each option is fully explained to the customer within the declaration that they sign when providing us with the necessary consent to approach their doctor.’


Readers' comments (5)

  • Please feel free to use our practice's standard reply:

    Thank you for your medical records subject access request.
    We formally decline to undertake this.
    We draw your attention to paragraph on page 112 of the ‘Information Governance Review: To Share or Not to Share’ published in March 2013 (

    ‘12.12 Access to patient records from insurers and mortgage providers

    The Panel also heard concerns that insurers and mortgage lenders may seek to use their influence to request whole records from GPs, as a condition of supplying insurance or a mortgage. The General Medical Council has issued specific guidance for GPs112 and the British Medical Association and the Association of British Insurers (ABI) have produced joint guidelines113 to allow relevant data about patients to be shared appropriately with insurers on a basis of explicit, written consent.
    In addition, principle 3 of the Data Protection Act 114 offers further safeguards as it allows organisations to hold only “adequate, relevant and not excessive” personal data about an individual. This means insurers and mortgage lenders cannot hold more information about an individual than they need. The act also requires organisations to identify in advance and then request only the minimum amount of data needed for a particular purpose.
    The Review Panel concluded that these guidelines, combined with the safeguards offered by the Data Protection Act offer sufficient to prevent inappropriate sharing of whole records with insurers and mortgage lenders.’

    We suggest that you apply for a PMA report in the normal way. Alternatively the patient may apply for a copy of their records having made a pre payment of £50 to the practice and is at liberty to send you any or all of their medical records. We cannot guarantee that the patient may withhold part of their medical record. You have a duty not to hold any more information than you require.
    I would like to advise that I believe you to be in breach of the DPA, in particular paras 112, 113 and 114 of the Information Governance Review. If we receive another similar request from your company we will be compelled to report the matter to the Information Commissioner.

  • I complained about this to ICO and Aviva - the reply from the ICO was well if the patient consented then you have no choice.

  • Excellent comment

  • In our experience patients are NOT aware that they have signed to release their entire medical record to the insurance company. When we write to them - prior to release of records - explaining this, patients nearly always ask us not to forward their records. Our letter to patients includes the following paragraph:
    "It is not uncommon for patients to agree to their entire record being disclosed, having not appreciated what this will entail. Whilst we have a copy of your consent to disclose your entire medical record to xxxxx, before we release this we need to be satisfied that you fully appreciate the extent of the disclosure and the content of the record."

  • GPs are gate keepers. Disclosure of third party information is not allowed. Does it include psychiatric and psychologist reports? I also discover that patients are unaware that they have allowed full disclosure of all their records. It is not doctors that see this information. Where is it held? Can it be shared by other insurance groups? Too many unanswered questions.
