Client medical records: a matter of right

Whilst there are several issues that solicitors have had to face post-introduction of the General Data Protection Regulation (GDPR), one issue is in solicitors obtaining medical records from GPs.

Historically, there was a consent form which was agreed between the Law Society of Scotland and the British Medical Association (BMA) after the introduction of the Data Protection Act 1998. This allowed solicitors to access and receive copies of medical records for a fee. This consent form has become obsolete since the introduction of GDPR and the Data Protection Act 2018.

Since 25 May 2018 GPs can no longer charge patients to access their medical records by way of subject access request (SAR). This includes when a patient authorises access by a solicitor. GPs cannot charge for providing records to solicitors and are fearful of GDPR implications of providing records to third parties. Some GPs are prepared to provide records to the client directly. The concern for solicitors is that it raises the risk that the records could be tampered with before being passed to the solicitor. Also, in certain circumstances the client may not be able to receive or collect the records due to ill health or hospitalisation.

It has come to our attention that there is an assumption among some medical practices that solicitors are creating a nuisance to GP surgeries in a request for medical records. The new legislation makes it clear that there can be no charge for a request by a client or a solicitor for medical records. Solicitors themselves are seeing a growing number in SARs but must comply with them at no cost to those requesting the information.

The only exception where a GP or a solicitor is permitted to charge a “reasonable fee” is if the SAR is considered to be “manifestly unfounded” or “excessive”. The ICO advises that to deem a request manifestly unfounded requires circumstances where those requesting the information make it clear that the basis they are doing this is to cause mischief or disruption to the organisation or if they make unsubstantiated accusations against the data controller. The circumstances where this is likely to arise is rare. If those requesting have a genuine intention in obtaining the medical records, then it is unlikely that it will be manifestly unfounded and must be complied with.

A request could be deemed excessive if the information has recently been received by the individual and they then request the same information again. The organisation would be justified in charging a reasonable fee in those circumstances or be able to refuse the request.

Solicitors should also be aware that if the request is made for a medical report or for an interpretation of medical records, a fee can be charged by the GP. This is outwith the scope of GDPR and SAR.

Solicitors who are having issues in obtaining medical records from a GP should note that GPs must comply with the request, with the exceptions of the circumstances mentioned above. If Solicitors are experiencing difficulties, then it may be of use to direct the GP to contact the British Medical Association for guidance. There is helpful guidance published on the BMA website confirming requests must be complied with. Solicitors are not creating a nuisance and the real issue lies with the legislative framework brought in by GDPR and the Data Protection Act 2018.