GPs who provide full patient medical records for insurance firms risk breaking data-protection law, an Information Commissioner's Office (ICO) investigation has revealed.
Doctors should not comply with requests for full medical records made under the Data Protection Act by insurers, as ‘excessive’ information may be divulged, the British Medical Association (BMA) urged.
Instead, return any SARs [subject access requests] by insurers and suggest the firm applies for a written GP medical report.
“The BMA was concerned that this practice was potentially a breach of the DPA (Data Protection Act) as disclosure of the full medical record would amount to a disclosure of information which was not relevant for the purpose,” the BMA’s statement read.
This comes after a letter from the ICO was sent to the Association of British Insurers, after an investigation last year into the sector’s use of SARs, which the ICO deems an “abuse” of “the fundamental right to the protection of personal data”.
This is explained under Article 8 of the EU Charter of Fundamental Rights.
The practice involves an insurance firm using section seven of the DPA 1998, which relates to an individual’s personal-access rights to their own data, to request access to medical records.