The general data protection regulation – fondly known as GDPR – has made waves in terms of how we collect and hold data. It has successfully made us much more conscientious, but what of the financial impact?
Survindar Chahal, group content and customer experience manager at First Practice Management investigates the costs GP practices will incur as charges are removed for patient information requests and explores what you need to know about third-party requests
In a year when the NHS celebrated its 70th anniversary, along with the usual governmental moans about ‘efficiency savings’, GDPR has, not-so-subtly, put the cat amongst the pigeons by removing all charges for information requests. Where’s the efficiency in that?
Under GDPR patients have the right to request access to their medical records under a Subject Access Request (SAR) without charge – this includes situations where a patient gives consent for a third-party (i.e. solicitors) to access the data. There is also a reduction in response times from 40 to 30 days.
Although this makes it a fair and open process for the data subjects, the stumbling block here is that the bulk of the work will result from solicitors and insurance requests – and it’s not a ten-minute job. Practices regularly carry out private work like this which includes copy records, insurance claim forms, medicals and letters for outside agencies.
The price practices pay
Practices get numerous requests from solicitors, insurance companies and other third-parties for patient records which most would treat as chargeable work – what is involved to provide this information is not simple and there’s a substantial amount of admin and clinical time involved in preparation; although the previous £50 maximum charge was not sufficient it – at least partially – covered the time invested. GPs have previously estimated that requests can cost practices up to £80 each.
Practices already shoulder the burden of costs – an estimated 150 to 160 requests are made on average per practice – costing practices approximately £8,000 per year pre-GDPR. This will inevitably rise now that GDPR has made it an easily accessible process. A conservative estimate of how much it will cost practices post-GDPR is approximately £12k to £15k per year, a huge amount for an average practice to have to cover as they’re already under pressure to deliver within their current budgets and resources.
For the practices in England alone this could mean between £88m to £115m a year of missed revenue, with the bill footed by the surgeries themselves. The reduction in response times from 40 to 30 days means there’s more pressure to respond and this can, potentially, create extra pressure to meet these GDPR deadlines rather than focusing on patient-related work.
The government spin on this would be to ‘Rage Against the (EU) Machine’, but this isn’t enough – if it’s now in the UK, and we’re all going to be one happy sovereign nation, then post-Brexit it will be a British issue and needs to be solved or subsidised.
To charge or not to charge
What has compounded this is that there remains a mind-blowing level of ambiguity about what can and can’t be charged for. From some of the chatter amongst legal groups, there is an option in the Data Protection Act (DPA) 2018 that may allow for charging fees in the future, but it’s not certain whether this is definite or not.
The BMA have asked for clarification on what ‘manifestly unfounded and excessive’ means, and the ICO has said that, “A charge to cover administrative costs can be made for additional copies but we await guidance on what will constitute a ‘reasonable’ fee.”
The ICO has been reacting to some of the queries about payments and charges relating to primary care;
- The Access to Medical Records Act (AMRA) permits a charge for providing a medical report, but only to charge a reasonable fee to cover the cost of supplying it.
- If providing the data means creating new reports, then a ‘reasonable fee’ can be charged.
- A charge can be made for any additional copies of the data requested.
- A SAR for a patient’s whole medical record would not be considered excessive in relation to charging a fee.
- Practices can request that the third-party arrange collection from the practice instead of posting it out. If the third-party refuses, the practice cannot withhold the requested information.
Requests from solicitors
A SAR should be treated as if it was made by the patient themselves, as the solicitors are effectively acting on the patient’s behalf. A patient can authorise their solicitor, or another the third-party, to make a SAR. As long as the solicitor has provided the patient’s written consent to authorise access to the records, the SAR process should be followed as usual. The SAR’s purpose bears no relation to the amount of information that can be provided.
Requests from insurers
Insurance companies, however, do not have the same privileges to access patient records – the ICO has said that insurance companies using SARs to obtain full medical records is an abuse of the process.
The Data Protection Act 2018 is a United Kingdom Act of Parliament that updates data protection laws in the UK. Its main purpose is to implement the European Union’s General Data Protection Regulation in national law, in preparation for the UK’s withdrawal from the union in 2019. The DPA 2018 still says that information must be adequate, relevant and not excessive in relation to the purpose the data is processed for. They have stated that, if a SAR is received, GPs should contact the patient to explain the implications and the extent of the disclosure and should provide the information directly to the patient instead of to the insurance company.
As GPs are the data controllers for the practice, they would be liable for any breach of the GDPR and, as such, should be wary of what information is shared. This doesn’t mean that GPs can refuse to respond to a SAR from an insurance company, but it does mean they need to stay compliant.
It’s a criminal offence to make a SAR to access information about convictions and cautions – the law sets out various levels of fines – and a clause in the DPA will soon be enacted to extend this to cover medical records. If you suspect that a SAR from an insurer is doing this then it should be reported to the ICO and the Association of British Insurers.
Access to deceased patients records
Although initially there was talk of removing the ability to charge, the GDPR does not apply to data concerning deceased individuals. A fee can be charged for supplying a copy of deceased patients’ records, but it must not exceed the cost of making and posting the copy. Health professionals may charge a professional fee to cover the costs of giving access to the records of deceased patients that are not covered by legislation.
It is now an offence for anyone to require an individual to provide or give access to, a health record for the recruitment or continued employment of said individual, or for a contract for the provision of a service.