GDPR and medical records – problems and solutions

GP practices are creaking under the strain and financial burden of a surge in patient requests for copy medical records.

The demise of the ability for GP practices and hospitals to charge a standard fee when responding to a request for copy medical records, in usual circumstances, has not proved to be a good legacy of the data protection reforms.

Insurers and defendants’ solicitors have also seen an increase in GP practices requesting that copy medical information is collected by courier from the GP practice, purportedly in order to comply with data protection legislation.

In light of the problems encountered since the 2018 data reforms, we consider best practice and what could assist the process of obtaining medical information for underwriting and claims purposes.


Before the legislative changes of May 2018, claimants’ solicitors often advised their client to sign a consent to allow the insurer/defendants’ solicitors to obtain medical information (and incur the £50 fee, which went some way towards the costs of compliance). The claimants’ solicitors would then ask for a copy from the insurer/defendants’ solicitor. However, without the financial ‘sense check’ of a standard fee, more requests are now being made directly by claimants/their solicitors.

When copy patient records are requested, medical professionals have the time-consuming task of ensuring redaction of third parties’ names and checking that sight of the contents will not detrimentally affect the patient - which leaves less time for frontline patient treatment.

Despite the rise in requests – and the burden this places on GPs - the Culture, Media and Sport Minister Margot James has recently confirmed that GPs in the UK will not be given the right to charge for patient information as this would ‘weaken the rights of patients’.

Routes to obtain medical information

The Information Commissioner’s Office (ICO) stance is that the appropriate route for insurers to obtain access to medical information in England, Wales and Scotland is through a report from the GP under the Access to Medical Reports Act 1988 (AMRA), setting out only the information the insurer needs. AMRA has a clear process for notifying the individual of their right to choose to see the medical report before it is seen by the insurer and to ask the treating medical professional to consider making corrections.

In Northern Ireland, a request is made under the Access to Personal Files and Medical Reports (Northern Ireland) Order 1991.

The current British Medical Association (BMA) guidance for fees for preparing a full AMRA style report is £104 and £27 for supplementary reports, regardless of whether the report is provided electronically or as a hard copy.

Patients can also use Subject Access Requests (SARs) to access their own medical information (Article 15 of the General Data Protection Regulation (GDPR), formerly Section 7 of the Data Protection Act 1998).

The ICO, ABI and BMA had concerns about insurers requesting ‘full’ medical records under the SAR process which could result in non-relevant information being provided to the insurer. This would potentially not comply with the GDPR principle that information must be ‘adequate’ and ‘relevant’ and limited to the purpose for which it is processed.

The BMA’s updated Guidance of July 2018 included a template letter to be sent to patients which followed the ICO’s Subject Access Code of Practice:

“If you think an individual may not understand what information would be disclosed to a third party who has made a SAR on their behalf, you may send the response directly to the individual rather than to the third party. The individual may then choose to share the information with the third party after having had a chance to review it.”

GP practices have adapted that template letter when writing to insurance companies, explaining that where full records have been requested they can send these to the patient and not directly to the insurer. This allows the patient to view the records and then decide what to disclose to the insurer or whether to direct the insurer to request a report under AMRA.

The danger of this is that if medical records are only sent to the patient, they may not pass on all the relevant information (or have a different view as to what is relevant compared with the insurer).

Whilst computerised medical records are paginated when they are printed out, enabling the insurer to verify that there is nothing missing, earlier records such as letters with hospitals are not paginated.

Access to Health Records Act 1990 (the 1990 Act) limited to deceased persons’ records

The 1990 Act remains the correct route for obtaining access to and copies of deceased persons’ medical records. Current data protection legislation only applies to living persons’ personal data.

Implications and recommendations to insurers

AMRA reports may not be suitable in all situations

AMRA reports can potentially be effective in many situations. However, sometimes insurers legitimately wish to see actual medical records in addition to or rather than a report prepared by a treating medical professional who may not fully appreciate the relevance of certain medical information in respect of the issues of a particular claim or the insurance cover requested. Whilst a report can be very useful, it does not necessarily replace sight of actual medical records.

If an independent medical expert report is needed in relation to a claim it is important for that expert to have access to medical records in order to give fair consideration to the claim.

Targeted reports

By improving the standard of targeted medical questions within the AMRA request (for example the relevant period of time or types of medical conditions/symptoms that could be relevant) the insurer can potentially be better informed and reach fairer decisions for a wider number of their customers. There may still be a risk that some relevant information is not provided due to the subjective element of completing a report, but this should be reduced.

However, this may mean that claims personnel will need to have greater access to their Chief Medical Officers whether via training and more explicit claims philosophies or on an ad hoc basis to ensure that appropriate questions are raised with treating medical professionals when obtaining medical information.

The efforts by the insurance industry to request targeted reports have not always faced a positive reception from medical professionals. The BMA’s Professional Fees Committee does not support the introduction of targeted reports and has not provided a recommended fee for targeted requests that request information on a single condition.

In cases where lawyers are involved on behalf of the insurer, wider copy records could be requested and an application made if a reasonable request is faced with resistance from the patient/claimant.

Courier collection

The recent trend in GP practices asking those requesting medical information to send a courier to collect the papers is not ideal. It gives greater scope for the wrong bundle being collected by the courier, compared with the sender being in charge of putting the bundle into the courier system. There is also no truth to the inference that courier collection is required in order to comply with data protection legislation.

The ABI has been seeking to encourage the use of electronic access since at least early 2017. This would avoid the potential problems associated with couriers being sent to GP practices to collect papers, and mistakes arising. We fully endorse this approach, not least because of the reduction of potential data breaches that this provides.

With electronic transfer, it is important that the patient/claimant gives appropriate consent for the onward use of the data, such as using it to instruct an independent medical expert.

Consents on application forms and claim forms

As AMRA rights only strictly relate to obtaining medical reports (and not medical records), most declarations correctly only recite those rights and seek a signed AMRA consent in respect of a report. If copy medical records are also requested, then the purpose for which that data shall be used and those who may also be provided with the data (such as medical experts) need to be provided to the data subject when obtaining consent in order to ensure compliance with the data protection legislation.

Medical record consents only have a six-month life once signed, so a fresh signature will be needed if further medical records are required.

BMA and Law Society approved consent form wording

In October 2018, the BMA and the Law Society published approved wording for use in a consent form authorising access to the medical records of the patient/signatory under the SAR route of the GDPR. This has been drafted with a claimant/patient in mind who may have a solicitor representing that individual, and acknowledges that “your [the patient’s] solicitor will likely need to see copies of all your GP records”. It also acknowledges that if permission for their medical records to be obtained and disclosed is not provided then it is unlikely that the claim will be able to proceed if the medical records are crucial evidence in the claim.


The ICO and BMA are seeking to discourage blanket requests for full medical records in favour of a medical report from the GP. Targeted medical report requests can be a sensible option but potentially require greater access to Chief Medical Officers unless there is a clear claims philosophy already in place for that scenario. Where, for instance, there is an ongoing dispute, or a claim or application cannot be validated/approved on current information, then wider access to actual medical records would normally be justifiable and the reason for this should be documented on the file.
