Back in November 2017 Dr Rachel Birch, medicolegal adviser at Medical Protection, wrote Data protection: getting ready for change – an overview of the EU General Data Protection Regulation (GDPR) which comes into force on May 25, 2018 – to help practices prepare for the changes.
Further detail has now emerged on two important areas that will be subject to change under the GDPR – subject access requests and transparency and fair processing. Here Dr Birch explores subject access requests – and will return next week to tackle transparency and fair processing
With significant media coverage about the GDPR, we can expect patients to be familiar with some of the changes to existing law. One area that will be of particular interest is their right of access.
Picture this scenario. It is May 25, 2018, and your practice receives a subject access request from Mr D – a patient who knows his rights and has waited until today to make his request so that it will be processed under the new rules.
He is asking for copies of all of his medical records. He has put his request to the practice by email and has requested an electronic copy. You do not have his email address on your computer system.
On looking at Mr D’s request further it appears he made a subject access request three months ago and obtained a full copy of his medical records at that time.
What information can the patient request?
The GDPR states that individuals will have a right to obtain:
- confirmation that their data is being processed;
- access to their personal data;
- other supplementary information, largely corresponding to information that should be provided in a privacy notice (covered in detail next week).
The GDPR clarifies that allowing individuals to access their data means they are aware of, and can verify, the lawfulness of the processing.
However, in terms of requests for copies of medical records, there may be a variety of reasons why patients may make requests, including keeping a record for personal reference, to jog their memory of past events or to investigate a potential complaint or claim. Irrespective of reasons, patients are entitled to make subject access requests and they do not need to provide a reason.
How should you verify the patient’s identity?
Can you be sure that the person emailing you is the patient to whom the record relates? If you are in any doubt it is reasonable to ask the patient to provide more information, such as a date of birth, a passport or birth certificate.
Do you have to provide an electronic copy of the patient’s records?
The Information Commissioner’s Office (ICO) has published a helpful guide to the GDPR, with specific reference to an individual’s right of access to information. It states that, if a subject access request is made electronically, you should provide the information in a commonly used electronic format.
The GDPR also makes a best practice recommendation that, where possible, organisations should be able to provide remote access to a secure self-service system which would provide the individual with direct access to their information. If this is not currently possible, you could consider whether it is feasible or desirable to develop such systems in the future.
How long do you have to comply with the subject access request?
Information should be provided without delay, but you will now have 30 calendar days to comply, rather than the previous 40 days. You may be able to extend this period by a further two months where requests are complex or numerous. However, if you need this further time, you must inform the patient within 30 calendar days of the receipt of the request and explain why the extension is necessary.
You should consider if your current system can meet this demand, if you have sufficient administrative staff and whether they have received training on the GDPR. Now is a good opportunity to update your practice protocols and procedures.
Can you charge a fee?
In most cases you will no longer be able to charge a fee. However, the ICO states that you can charge a ‘reasonable fee’ when a request is ‘manifestly unfounded or excessive’, particularly if it is repetitive. You may also charge a reasonable fee to comply with requests for further copies of the same information. However, this does not mean that you can charge for all subsequent access requests.
Can you refuse to comply with this request?
The GDPR states that you can refuse requests that are ‘manifestly unfounded or excessive’. If you decide to refuse the request described above, you must tell Mr D within one month and inform him he has a right to complain to the ICO.
But it would be better to explore Mr D’s reasons for the repeat request – perhaps he has mislaid his previous copy or now wants it in an electronic format. In any case, three months has passed since his last request, so you may wish to clarify that it is just his recent information within his medical record that he requires.
What about third party information?
You should remove third party information before disclosing the records to Mr D. Third party information is that which discloses information relating to, or provided by, a third party who has not consented to that disclosure – for example, information provided by relatives in confidence.
Usually, the identity of treating clinicians is not considered third party information. However, personal details, such as the fact that ‘Dr A saw the patient as Dr B was sick’, should be redacted as this is confidential information relating to Dr B’s health.
You should also consider redacting any information which, if released, may cause serious harm to the physical or mental health or condition of the patient, or any other person.
If you have any concerns regarding whether to redact specific information, contact your medical defence organisation.
The ICO has published a self-assessment tool, incorporating helpful checklists to assess your compliance with data protection law and identify what steps you need to take at this stage to be GDPR compliant on 25 May 2018.
Medical Protection will host a webinar on GP medical records and GDPR on Wednesday March 21, 7.30-8.30pm. Members can register here.