GPs providing full patient medical records to insurers risk breaking data protection laws, the Information Commissioner's Office (ICO) has warned. Cover looks at this industry practice in greater depth.
GPs providing full patient medical records at the request of life offices risk breaking data-protection law and breaching patients' privacy, an investigation by the ICO has concluded.
As a result, the British Medical Association (BMA) has put out communications urging doctors not to comply with requests for full medical records made under the Data Protection Act by insurers. It said this was owing to the risk of "excessive" medical information being divulged to insurers.
The association is advising that such requests by insurers be returned, and instead suggests that firms apply for a written GP medical report. The initial story is covered in more depth on page four.
The ICO said of its investigation into GP reports: "This is a powerful right, designed to ensure individuals can access information held about them within a specified time period and at a nominal cost.
"This right was not designed to underpin the commercial processes of insurers. By making a subject access request [SAR] on a patient's behalf, an insurance company may be provided with a patient's entire medical record, including information that is not relevant for the purpose of underwriting a policy. The ICO has recently written to the insurance industry to explain that we consider that the use of SARs in this way is inappropriate and an abuse of that right."
The ICO added it was concerned that the processing of medical records by insurers once received from GPs is likely to breach the Data Protection Act.
It said: "Patients continue to be able to make SARs to their GP. GPs have ethical obligations around how patient records are shared, and we advise GPs to explain to patients, in broad terms, the implications of making a SAR so they can make a more informed decision on whether they wish to exercise their rights under the Data Protection Act. We also recommend GPs share any responses to SARs directly with patients, rather than to insurance companies."
In addition, the ICO has told GPs that, contrary to the BMA's advice, they are still obliged to respond to subject access requests made under the DPA.
It said: "Contrary to comments made by the BMA, GPs must still respond to SARs, in accordance with the guidance published on our website. The right to see personal information held about you by an organisation is an important one, and one from which GPs are not exempt. We will be speaking with the BMA again to further clarify this."
There is clarification to come regarding exactly what the guidelines mean for different parties.
At the moment there are three ways that an insurer can request a patient's medical history from their GP during the underwriting process. These are: a general practice report (GPR), which asks a set of questions on the patient's health; a SAR (or full patient report); and a targeted report.
But gathering further medical evidence has always been a thorny issue, and one that GPs and insurers have never really resolved in partnership.
In 2010, the Association of British Insurers and the BMA agreed a £97 fee for GP reports. They agreed that GPs should supply reports within 21 days.
The agreement expired in March 2011 and was not renewed. Since then, the insurance industry has said that GPs are now taking too long to return the reports, holding up decisions on individuals' underwriting and policy acceptances or terms.
To combat the difficulties, some insurers started using SARs. Supporters of SARs have said that moving away from using GPRs to full reports is a good way to speed up receiving reports from GPs, and having a full medical history helps to weed out the specific information needed for underwriting.
Using a SAR, an individual can ask their GP for access to their full medical records for between £10 and £50. This covers the cost of any administration fees, such as postage for paper reports.
These reports must be supplied within a maximum of 40 days. It is also worth mentioning that SARs are not a legally binding request and customers or GP surgeries can still choose a GPR.
PTO for insurer views