GDPR: subject access requests and providing patient information free of charge
While many in general practice are focused on the big picture like the April 2019 contract changes in the English GP press, one element of which will ensure practices that have not yet done so will join large networks comprising 30-50,000 patients if they want to survive financially, there are existing everyday grass roots matters for busy surgery admin teams to consider and monitor in order to remain compliant with UK and European data management legislation.
Under the General Data Protection Regulation (GDPR), the requirements of which are mirrored in the UK’s Data Protection Act 2018 in readiness for whatever type of Brexit when or if it happens, practices cannot charge any level of fee whatsoever for providing patient information via subject access requests. This has recently been reinforced by the Culture, Media and Sport Minister, Margot James when the argument for exemption was put forward.
Practices report experiencing a significant rise in requests for patient information since charges were abolished under GDPR in late May 2018. While these requests for patient information are time-consuming and increase practice running costs as a result, charging for providing patient information would weaken patients’ rights according to the minister.
While practices are allowed to charge for excessive requests made by data subjects and those from third parties (e.g. insurers and solicitors) under the Access to Medical Reports Act 1988, there is nothing to define the extent of excessive requests.
The controversy that has arisen as a result of the minister’s position on general practice not being exempt from having to respond to subject access requests free of charge is that, where previously insurance companies and solicitors paid a fee to obtain patient information, they are now using GDPR to acquire this free of charge from practices. As a result, practices find themselves effectively supporting insurance companies and firms of solicitors financially – at their own cost through an inflated workload – because they are not permitted to pass on the cost of providing patient information (in whatever amount it is requested) to the third parties submitting subject access requests.
It looks as if the campaign to allow practices to charge commercial third parties for responding to subject access requests is not going to run out of steam any time soon. However, until general practice achieves formal exemption from the requirement to provide patient information free of charge under GDPR in response to subject access requests either from patients or third parties, it is important for everyone in the practice to remember that no charges can be made for providing patient information requested when the appropriate consent has been supplied and practices will continue to bear this cost.
*All information is correct at the time of publishing