Published 11 February 2016
The issue of sharing patient data and records is common across medical organisations, within the context of providing direct patient care.
What happens, however, when a medical malpractice claim arises? What can an insurer do to ensure it remains compliant with the Data Protection Act, if it wishes to obtain a copy of the claimant's medical records and give access to its insureds, for example to investigate a circumstance or claim?
The Data Protection Act 1998 protects individuals' personally identifiable information, and imposes certain obligations on the party deciding how and why personal data is used (the data controller).
In the context of sharing patient medical records (which are categorised as "sensitive patient data" under the Act), key principles include:
Insurers should consider, whenever they request or receive medical records, what procedures they have in place to remain compliant when processing "sensitive patient data". Do they even want to share the medical records with an insured (with the ensuing lack of control over an insured's information governance processes, and potential PR implications if records are not adequately protected)?
Where a decision is made to share the data, should the insurer, in particular, obtain explicit patient consent, which is needed to process such data? Standard letters requesting consent to obtain medical records could specifically include consent to share the records with third parties, including the insured. Care should be taken, however; the consent must be "explicit" – that is, freely given, specific, informed and unambiguous. Information Commissioner's Office and European Commission guidelines suggest that writing to patients to say their medical records will be shared with a third party unless they refuse in writing does not constitute valid consent (let alone express consent).
In addition, the new General Data Protection Regulations (due to be implemented in 2016 and to take effect in 2018) also require that consent can be withdrawn, which can cause practical difficulties.
In the context of a claim, where a discussion of the claimant's medical records with the insured is essential to defend the claim, then arguably the Act allows for this without explicit consent. This is the justification for sharing the records with defence counsel. However, care and caution should be exercised in relying upon this in the context of a general policy of sharing sensitive patient data with insureds.
Whatever approaches are taken, insurers should review them regularly to ensure compliance. Protecting and processing patient data fairly and lawfully remains an area of increased scrutiny for the ICO, amid increasing layers of legislation and regulation.
Hilary Larter, Zoë Wigan, Ceri Fuller
Ceri Fuller, Hilary Larter, Zoë Wigan
Louise Bloomfield, Joanne Bell