Cookie policy notice

By continuing to use this site you agree to our cookies policy below:
Since 26 May 2011, the law now states that cookies on websites can ony be used with your specific consent. Cookies allow us to ensure that you enjoy the best browsing experience.

This site is intended for health professionals only

At the heart of general practice since 1960

GPs can refuse insurers' requests for patient records, commissioner's office rules

Insurance companies requesting GPs release their patient’s entire medical record under the Data Protection Act are abusing fundamental rights enshrined in EU law, the Information Commissioner’s Office has ruled.

GPs are no longer obliged to comply with requests from insurers even when a patient has given consent and could even be in breach of the law themselves, the Information Commissioner said in a letter to the Association of British Insurers seen by Pulse.

Last year, Pulse reported that the ICO had launched an investigation into the use of ‘Subject Access Requests’ by British insurers seeking medical information to underwrite insurance policies.

As a result of this investigation, it ruled that ‘using individuals’ own data protection rights to side step the current statutory arrangements designed to meet the insurance industry’s needs, and including important safeguards for individuals, is not the appropriate approach.’

The GPC, which has previously raised the issue, said their concerns have been ‘vindicated’ by the ‘clear and unequivocal decision’.

Pulse originally reported that insurers had been using SARs to make insurance applications ‘quicker and smoother’, adding that they are ‘recognised across the insurance industry as a way to gather medical evidence’.

However, the ICO’s letter revealed that insurers could potentially be in breach of four of the DPA’s principles by making subject access requests in this way.

By doing so, it states, insurance companies potentially contravene principles around patients giving informed and explicit consent, data being kept longer than necessary and data security.

It adds that GPs – as the current data controllers - could also be in breach of the DPA if they release the whole record, including information not pertinent to the insurance report in question.

The letter states: ‘The Commissioner takes the view that the use of subject access rights [provided for under Article 8 of the EU Charter of Fundamental Right] to access medical records in this way is an abuse of those rights’.

The ICO concludes: ‘Using individuals’ own data protection rights to side step the current statutory arrangements designed to meet the insurance industry’s needs, and including important safeguards for individuals, is not the appropriate approach.’

Responding to the letter, Dr Paul Cundy, who first raised the issue with the ICO said: ‘We are obviously very pleased to have been vindicated with such a clear and unequivocal decision from the information commissioner. GPs must now provide PMARs and can decide how much to charge for them.

‘I suspect it would now be sensible for the ABI and the GPC to sit down to consider a new agreement.’

Pulse has approached the ABI for comment and is awaiting a response.

Readers' comments (15)

  • After an accident some years ago one of the 'top' road side repair companies was also acting as the insurer. They demanded the full record of a person who had very confidential information on record or otherwise the claim would not be payed out. The full record was sent to the solicitor who was acting for the company and was read by his secretary without consent. It was then sent to the local branch of the company which was ten minutes from the person's home. . this was only aqdmitted after questions were asked as to what had happened to the file. Following a phone call to the local office the head administrator offered to shred the file but had obviously read the whole contents with who knows who else in that office. The medical examiner and his secretary read it as well plus after a complaint to head office, the head of that office and his secretary. By the way the medical examiner who was appointed to examine the claimant was also found later to be acting for the insurance/road repair company. The pay out was made after enormous additional distress was added to the suffering caused by the accident. The GP was far too quick to comply even though the person naively gave consent thinking non relevant material would be blacked out

    Unsuitable or offensive? Report this comment

  • Fantastic news. The parasites can now take a running jump, or pay appropriately for a medical report.

    Unsuitable or offensive? Report this comment

  • This is long overdue - well done Commissioner.

    Unsuitable or offensive? Report this comment

  • Guys, before celebrating - you do realize they can ask for access under DPAfor appropriate information i.e. it is our job as the data controller to tease out the requested information with max charge of £50 (as per DPA).

    I'm afraid this means more work with no pay.

    Unsuitable or offensive? Report this comment

  • very good news

    Unsuitable or offensive? Report this comment

  • We are users of EMIS, and requests for insurance reports are now coming through on iGPR. This system appears to extract the entire clinical record.
    The fee for this is £10, with a £10 'bonus' if provided within a deadline.
    I wonder, what is the value of this information to life insurance companies?

    Unsuitable or offensive? Report this comment

  • Anon at 12:42pm. You are wrong.
    The patient can ask for the notes but will have to pay the £50 access. The insurer cannot though can ask the patient to. The insurer risks the patient redacting some of their records though.

    Unsuitable or offensive? Report this comment

  • Hello Anonymous on 24th July 12:58,
    To be precise:
    1. patient needs to give valid consent to both doctor and another party (insurer)
    2. the fee of up to £50 can be charged (can be less, but not more than commercial rate of photocopying)
    3. redacted notes can be provided by doctor(s) or patient's legal representative or patient
    The laws that apply are Data Protection Act 1998, SI relevant to DPA , NHS and medical records, Human Rights Act, European Convention on Human Rights. Any redaction has to be within the law and not fraudulent.

    Many surgeries overcharge by asking for £50 fee always (and that is not the law). Poor people on benefits cannot afford that.

    Doctors4Justice

    Unsuitable or offensive? Report this comment

  • Yes we get £10 from insurers for a lot of work copying posting registered mail
    I hate it wasting doctors time as staff won't post as queue

    Unsuitable or offensive? Report this comment

  • Doctors 4justice are right
    Just do it free
    Poor can't pay till a large compensation is paid

    Unsuitable or offensive? Report this comment

View results 10 results per page20 results per page

Have your say

IMPORTANT: On Wednesday 7 December 2016, we implemented a new log in system, and if you have not updated your details you may experience difficulties logging in. Update your details here. Only GMC-registered doctors are able to comment on this site.