Sharing medical records and the Data Protection Act – issues for Insurers
The issue of sharing patient data and records is common across medical organisations, within the context of providing direct patient care.
What happens, however, when a medical malpractice claim arises? What can an insurer do to ensure it remains compliant with the Data Protection Act, if it wishes to obtain a copy of the claimant's medical records and give access to its insureds, for example to investigate a circumstance or claim?
Principles of the Data Protection Act
The Data Protection Act 1998 protects individuals' personally identifiable information, and imposes certain obligations on the party deciding how and why personal data is used (the data controller).
In the context of sharing patient medical records (which are categorised as "sensitive patient data" under the Act), key principles include:
- Principle 1: Personal data must be processed fairly and lawfully. Fair processing requires patients to be informed about the use of their data. Lawful processing requires compliance with one of the conditions set out at Schedule 3 of the Act, one of which is explicit patient consent;
- Principle 2: Personal data should not be shared for a different purpose than the purpose for which it was originally collected;
- Principle 7: Adequate security measures should be put in place to protect personal data. Common measures include encryption and including suitable security provisions in written agreements with data recipients.
Sharing of records by Insurers
Insurers should consider, whenever they request or receive medical records, what procedures they have in place to remain compliant with processing "sensitive patient data". Do they even want to share the medical records with an insured (with ensuing lack of control over an insured's information governance processes, and potential PR implications if records are not adequately protected)?
Where a decision is made to share the data, in particular should the insurer obtain explicit patient consent, which is needed to process such data? Standard letters, requesting consent to obtain medical records could specifically include consent to share the records with third parties, including with the insured. Care should be taken, however; the consent must be "explicit" – that is, freely given, specific, informed and unambiguous. Information Commissioner's Office and European Commission guidelines suggest that writing to patients saying their medical records will be shared with a third party unless they refuse in writing, does not constitute valid consent (let alone express consent).
In addition, the new General Data Protection Regulations (due to be implemented in 2016 and to take effect in 2018) also require that consent can be withdrawn, which can cause practical difficulties.
In the context of a claim, where a discussion of the claimant's medical records with the insured is essential to defend the claim, then arguably the Act allows for this without explicit consent. This is the justification for sharing the records with defence counsel. However, care and caution should be exercised in relying upon this in the context of a general policy of sharing sensitive patient data with insureds.
Whatever approaches are taken, insurers should ensure these are regularly reviewed to ensure compliance. Protecting and processing patient data fairly and lawfully remains an area of increased scrutiny for the ICO, amid increasing layers of legislation and regulation.