Cookie policy notice

By continuing to use this site you agree to our cookies policy below:
Since 26 May 2011, the law now states that cookies on websites can ony be used with your specific consent. Cookies allow us to ensure that you enjoy the best browsing experience.

This site is intended for health professionals only

At the heart of general practice since 1960

How should I respond to insurance company requests for patient records?

Read our updated guide to the changes to the BMA advice

What should GPs should do if they receive an Subject Access Request (SAR) for insurance purposes?

The BMA has said that GP practices should take steps to ensure they meet their obligations to process SARs legitimately and remain compliant with other principles of the Data Protection Act.

If such a request is received, practices should contact the patient to explain its implications and the extent of the disclosure. The patient should then be given a choice between an SAR, whereby the full medical record is provided to the patient to share with the insurer as they wish, or asking their insurance company to instead seek a tailored GP report directly from the practice.

The BMA has provided a new template letter that practices may wish to use for this. The advice reverses previous advice from the BMA - based on a ruling from the Information Commissioner’s Office - that said GP practices should not to comply with any SARs they receive for insurance purposes, and to return the request to the insurer as being inappropriate.

It is still expected that the newer ICO ruling will encourage insurance companies to stop requesting SARs, and that they will instead revert to requesting tailored GP reports.

What if the patient wants to respond via email?

The new guidance says electronic consent from the patient is also acceptable, as the Electronic Communications Act gives legal status to electronic signatures, though practices should take care that the patient has consented to the report, by checking with the patient if there is any doubt.

What about SAR requests from third parties for non-insurance?

The new guidance advises that under the Data Protection Act, a patient is entitled to make an SAR via a third party acting on their behalf, such as a solicitor. In such cases, the ICO says a practice must be ‘satisfied that the third party making the request is entitled to act on behalf of the individual, but it is the third party’s responsibility to provide evidence of this entitlement’.

Have your say

IMPORTANT: On Wednesday 7 December 2016, we implemented a new log in system, and if you have not updated your details you may experience difficulties logging in. Update your details here. Only GMC-registered doctors are able to comment on this site.