How should I respond to insurance company requests for patient records?

GPs are being warned not to provide full patient records at the request of insurance companies after the Information Commissioner's Office (ICO) ruled they could be breaking data protection laws. Here’s our guide to dealing with subject access requests (SARs) without falling foul of the rules.

Since 1988, an insurance company wishing to obtain medical information as part of the process of providing illness or life cover can ask for a tailored report from the patient’s GP with the patient’s consent.

But concerns have been raised about some insurance companies using a different route to obtain a patient’s full medical record.

The issue relates to ‘subject access requests’, known as SARs. Section 7 of the Data Protection Act gives individuals the right to access all the information an organisation holds on them.

In some cases insurance companies have been making SARs on the patient’s behalf, and in doing so may be given access to the patient’s full medical record.

The BMA had written to the ICO asking for clarification amid fears that complying with such requests would be in breach of data protection law by disclosing information over and above that needed.

What has the ICO advised?

After carrying out an investigation into the practice, the ICO has sent a letter to the Association of British Insurers as well as issuing a statement warning that SARs should not be used in this way.

It concluded that the rights of individuals laid down in the Data Protection Act were ‘not designed to underpin the commercial processes of the life-insurance industry’.

The ICO goes as far as to say that using SARs to access medical records in this way is inappropriate and ‘an abuse of those rights’. This is mainly because it breaches a key principle contained in the Act that information must be ‘adequate, relevant and not excessive’, in relation to its intended purpose. Insurance companies have also been warned about how they process medical records they receive from GPs.

What should GPs do if they receive a SAR for insurance purposes?

The BMA has updated its advice on this issue. It warns GPs not to comply with any SARs they receive for insurance purposes as they may well be breaching data protection law if they do.

If such a request is received, practices should return it to the insurer as being inappropriate. The BMA has provided a template letter that practices may wish to use.

Previously GPs had been advised by the BMA that upon receiving a SAR they should write to the patient, giving them the option of having their medical record sent directly to them so they could choose whether or not to pass this on. This advice no longer stands.

How should GPs be providing information to insurers?

Practices should now fulfil requests only for medical reports, setting out only the information the insurance company needs to see, for which they can charge a fee. It is however expected that insurance companies will stop requesting SARs in response to the ICO ruling.

What if a patient requests to see their full record?

The advice from the ICO is that GPs should explain to patients the implications of making a SAR and their rights under the Data Protection Act.

But in its statement the ICO said the latest advice did not stop individual patients requesting access to their medical records in this way.

Readers' comments (4)

  • Dear All,
    This is what we do when we get a life insurance report request

    1) is it a PMAR? if yes go to 6), if no go to 2)
    2) is it an SAR? if yes go to 3), if no read it again!
    3) write to the patient explaining that a SAR is inappropriate and excessive and that there is a specific law and a specific report (the PMAR) that deals with such requests. Ask the patient to explicitly advise you whether they want you to do a PMAR or a SAR report. Go to 4).
    4) If they want a PMAR go to 6) otherwise go to 5)
    5) if they want a SAR send the patient the full medical record and ask them to forward the bits they want to send to the insurer. Ends.
    6) do a PMAR. Ends.

    So far 100% of patients have opted for the PMAR.


    Regards
    Paul C

  • 5.a.
    ask patient to pay for SAR before work done

  • Dear 1:03pm.
    No, the insurer pays whatever way.

  • good luck getting paid by the insurer!
