

How should I respond to insurance company requests for patient records?

Since the Access to Medical Reports Act 1988, an insurance company that needs medical information to underwrite illness or life cover has been able to ask the patient's GP for a tailored medical report, with the patient's consent.

But concerns have been raised about some insurance companies using a different route to obtain a patient’s full medical record.

The issue relates to 'subject access requests', known as SARs. Section 7 of the Data Protection Act gives individuals the right to access all the personal information an organisation holds on them.

In some cases insurance companies have been making SARs on the patient’s behalf, and in doing so may be given access to the patient’s full medical record.

The BMA wrote to the ICO asking for clarification, concerned that GPs complying with such requests would breach data protection law by disclosing more information than the insurer actually needed.

What has the ICO advised?

After investigating the practice, the ICO sent a letter to the Association of British Insurers and issued a statement warning that SARs should not be used in this way.

It concluded that the right of access laid down in the Data Protection Act was 'not designed to underpin the commercial processes of the life-insurance industry'.

The ICO goes as far as to say that using SARs to access medical records in this way is inappropriate and 'an abuse of those rights'. This is mainly because it breaches a key principle of the Act (the third data protection principle) that personal information must be 'adequate, relevant and not excessive' in relation to the purpose for which it is processed. Insurance companies have also been warned about how they process medical records they receive from GPs.

What should GPs do if they receive a SAR for insurance purposes?

The BMA has updated its advice on this issue. It warns GPs not to comply with any SARs they receive for insurance purposes as they may well be breaching data protection law if they do.

If such a request is received, the practice should return it to the insurer as inappropriate; the BMA has provided a template letter that practices may wish to use.

Previously GPs had been advised by the BMA that upon receiving a SAR they should write to the patient, giving them the option of having their medical record sent directly to them so they could choose whether or not to pass this on. This advice no longer stands.

How should GPs be providing information to insurers?

Practices should now fulfil requests for medical reports only, setting out just the information the insurance company needs to see, and may charge a fee for doing so. It is expected that insurance companies will stop requesting SARs in response to the ICO ruling.

What if a patient requests to see their full record?

The advice from the ICO is that GPs should explain to patients the implications of making a SAR and their rights under the Data Protection Act.

But in its statement the ICO made clear that this advice does not prevent individual patients from requesting access to their own medical records by making a SAR themselves.