Ms Claire Cregan, In-house Counsel at Medisec, provides advice on managing requests for patient records.
Confidentiality is a time-honoured principle of medical ethics and is fundamental to the therapeutic relationship between a doctor and their patient. A patient’s health record contains information of such a sensitive nature that a doctor’s ethical obligation to maintain confidentiality continues after a patient’s death. This article seeks to provide guidance on the management of requests for information relating to adult patients, from a patient directly or from a third party, such as a solicitor/insurance company.
Right of access
Patients have a right to access their own medical records by virtue of one or a combination of the following:
Doctors have a general duty to deliver copies of medical records in compliance with paragraph 33.5 of the Medical Council’s Guide to Professional Conduct and Ethics for Registered Medical Practitioners (Amended) 2019 (‘the Medical Council Guide’).
It states: “Patients have a right to get copies of their medical records except where this is likely to cause serious harm to their physical or mental health. Before giving copies of the records to the patient, you must remove information relating to other people, unless those people have given consent to the disclosure.”
2. Data protection legislation
Patients, whether private or medical card holders under the GMS scheme, have a right to access their own medical records in accordance with Article 15 of the EU General Data Protection Regulation (GDPR). A request may be made in writing or verbally and should be responded to within 30 days; this time period may be extended by a further two months where requests are complex or numerous.
If further time is required, the patient must be informed within one month and provided with an explanation as to why an extension is necessary. Pursuant to the GDPR, no fee is chargeable for providing a copy of the medical record; however, a “reasonable fee” may be charged when a request is “manifestly unfounded or excessive”.
Similar to ethical principles, the right to access may be restricted as per Section 60 (5) of the Data Protection Act 2018, if disclosure to the patient “would be likely to cause serious harm to the physical or mental health of the data subject”. It is advisable to record your decision-making process in restricting an access request. The patient has a right to appeal the restriction to the Data Protection Commissioner.
3. Freedom of information legislation
The Freedom of Information Acts (FoI) 1997-2014 grant individuals a right of access to their personal records held by public bodies. As the HSE is a public body, FoI legislation applies to records of patients who hold medical cards under the GMS scheme. Often, a GMS patient will make a request for their clinical records expressly referencing FoI legislation and, in such circumstances, the patient should be directed to the FoI department within the HSE to process their request.
Although not a strict requirement, it is good practice to seek a written request for the release of patient information and to obtain a written consent from the patient, which should be retained on their file.
Capacity and best interests
You should be satisfied that the patient has capacity to make the request and that the request is actually being made by the patient. Unfortunately, it is not unheard of for a family member to purportedly make the request in a patient’s name with the intention of intercepting the clinical records. If there is any doubt, we recommend verifying the request; this also affords an opportunity to talk to the patient and confirm capacity.
If for any reason you doubt the patient’s capacity, you should ask the patient to attend the practice for a consultation to assess capacity and whether it is in the patient’s best interests to receive a copy of their clinical records. For example, it may be necessary to restrict access for a patient who has mental health issues if access to the records is likely to cause serious harm.
Review before delivery
The Data Protection (Access Modification) (Health) Regulations, 1989, prohibit a person who is not a health professional from disclosing health data to an individual without first consulting the individual’s doctor, or “some other suitably qualified health professional”. In light of this provision, it is inappropriate for a doctor to delegate requests to release patient data to a member of their administrative staff.
Although time consuming, we recommend that you carefully review and consider each request on a case-by-case basis. All records held in relation to a patient, including correspondence from other health professionals, form part of the complete patient record. While you do not need express consent from those other health professionals, we suggest as a matter of courtesy letting them know that the patient has requested a copy of their records and that their correspondence will be released to the patient.
Importantly, however, if the patient’s records contain information relating to their mental health and there is a possibility that access to this information could cause serious harm to the patient, we recommend contacting the treating psychiatrist to seek their views on disclosing the information to the patient and whether it would be in their best interests to do so.
Redacting third party information
Prior to release, there is also a requirement to redact information relating to third parties from the records, eg, the patient’s family members, unless the consent of the third party is obtained before disclosure. The process of redacting records can be complex and requires careful consideration on a case-by-case basis. You should consider the purpose of the request and the best interests of the patient in each case and make a clinical decision as to whether the information should be redacted.
We recommend a doctor contacts their indemnifier/insurer for assistance if they have any queries in that regard. When the doctor has completed the review and made any necessary redactions to the records, a complete legible copy should be disclosed; the original patient records should always be retained by the doctor.
Requests from third parties
Doctors often receive requests from third parties, such as solicitors, insurance companies or family members for information relating to patients. You must remember that where a patient has capacity, patient consent must be sought before disclosing any information to a third party. A written and dated consent form signed by the patient authorising disclosure to the third party should be obtained and stored on their file.
It is vital that the patient fully understands the nature and extent of what information will be disclosed. We recommend contacting the patient and explaining the nature of the information you intend to release to ensure they are agreeable; a patient may not be aware or may have forgotten entries from the past contained in their file so it is extremely important that they appreciate the full extent of the disclosure.
You should keep a record of any conversation with the patient and any information that goes beyond the parameters of the patient’s consent should not be disclosed. Patient confidentiality can be breached in limited circumstances only. Those circumstances will not be addressed in this article and we advise contacting your indemnifier/insurer for advice if such a situation arises.
In general, a patient’s consent is required to release confidential medical information to the gardaí. There are, however, certain limited circumstances where the public interest in disclosing information outweighs the patient’s right to confidentiality, such as where disclosure is required by law; for example, where the gardaí produce a court order or are acting as agent of the coroner. Should you receive a request from the gardaí, we suggest you seek advice from your insurer if you have any concerns regarding consent or disclosure.
Request for medical records/information of a deceased patient
The Medical Council Guide provides that patient information remains confidential after death. In general, prior to releasing the requested information, you should seek written consent from the Executor/Legal Personal Representative of the deceased patient’s estate.
The Medical Council Guide states that you should also consider how disclosure of information might benefit or cause distress to the deceased’s family, the effect of disclosure on the reputation of the deceased, and the purpose of the disclosure.
Again, we advise contacting your indemnifier/insurer on receipt of such requests should you have any queries. Where a doctor receives a request to release information/records relating to a deceased GMS patient and the request specifically refers to FoI legislation, those requests should be referred to the HSE FoI department for processing. The HSE deems a deceased patient’s health record as information of such a sensitive nature that the access request should be directed to the HSE FoI department and dealt with through the FoI process.
In summary, patients have a right of access to their clinical information, unless this is likely to cause serious harm to their physical or mental health. Where a patient has capacity, patient consent must be sought before disclosing any information to a third party, save in certain limited circumstances, for example where legislation permits disclosure in the absence of patient consent.
It is vital that a patient fully understands the nature and extent of any information intended to be disclosed and provides full and informed consent to the disclosure. We recommend that you seek advice from your insurer prior to releasing any patient information, should you have any queries or if there are any complicating factors arising from the request.