GPs providing full patient medical records at the request of insurance firms risk breaking data protection laws, an investigation by the ICO (Information Commissioner Office) has warned.
The British Medical Association (BMA) has urged doctors not to comply with requests for full medical records made under the data protection act by insurers, due to the risk of "excessive" information being divulged.
The BMA has advised GPs that requests from insurers be returned and suggest firms apply for a written GP medical report.
The ICO has outlined that requests should not be made under section seven of the Data Protection Act 1998, which allows individuals to access their own data under Subject Access Requests (SAR).
Instead the BMA is advising that insurers should be directed to request reports from GPs under the Access to Medical Reports Act 1988.
In its' advice for GPs Focus on Subject Access Requests for insurance purposes, the BMA said: "The BMA has been aware for some time that some insurance companies are obtaining full medical ecords through the use of Subject Access Requests (SAR) under the Data Protection Act 1998 (DPA), rather than asking for a report from the applicant's GP, as previously agreed with the Association of British Insurers (ABI).
"The BMA was concerned that this practice was potentially a breach of the DPA as disclosure of the full medical record would amount to a disclosure of information which was not relevant for the purpose.
"On behalf of our members we raised this matter with the Information Commissioner's Office (ICO)."
It continues: "One of the key points from the ICO's advice is that insurance companies which process full medical records are likely to breach the DPA principle which states that information must be ‘adequate, relevant and not excessive' in relation to the purpose for which it is processed.
The guidance adds: "It is our expectation that insurance companies will discontinue the use of SARs and will instead revert to requesting medical reports under the provisions of the Access to Medical Reports Act 1988 (AMRA).
"The BMA has separate guidance on this legislation.
"Practices are able to apply a fee for completion of these reports, in line with the work associated, and should seek to agree the fee with the requestor in advance of completion.
"Practices may also wish to seek advanced payment. Information on the BMA's recommended fee, plus guidance on completing insurance reports, is on the BMA website."
The full guidance for GPs, Focus on subject access requests for insurance purposes from the BMA can be accessed here.
'Significant Benefit'
A statement from Legal & General Insurance said: "Our view is that the appropriate and relevant use of SARs is of significant benefit to customers.
"A SAR genuinely protects their interests by ensuring that we have relevant health information to assess their application.
"It minimises the risk of unintentional misrepresentation and therefore enables customers to have peace of mind that new medical information will not need to be considered if they have to claim in the future.
"Naturally we welcome further discussions with the ICO on the important topic of SARs.
"Pending the outcome of those discussions and any other developments that are relevant to this debate we will continue with our current practice of using a SAR to request medical evidence, where it is needed, for new applications and those applications in the pipeline.
"However if a GP surgery or a customer tell us that they do not want a SAR to be used to underwrite an application, we will revert to requesting a GPR" (GP report).
Further Reading: