Newsflash: £40,000 fine for GPs for wrongful release of medical records

Healthcare providers receive large numbers of requests for copies of medical records every day. It is easy to regard dealing with such requests as part of the routine administration of the practice, where all that needs to be done is to copy the notes and send them out on the receipt of the £50 fee.

However, such requests can present traps if they are dealt with by someone without appropriate training and experience. A stark example is the recent penalty notice issued by the Information Commissioner’s Office against Regal Chambers Surgery on 8 August 2016 (available here).

A father requested copies of his 5-year-old son’s medical records. While there had been an acrimonious divorce from the child’s mother, the father retained parental responsibility and so was entitled to make such a request. However, despite the mother already having asked the practice not to disclose the family’s whereabouts to her ex-husband, the notes were simply copied without any scrutiny of whether elements of the records were exempt from disclosure.

As a consequence, a large amount of data that was also the personal data of third parties was released, including very sensitive material such as child protection reports and social services correspondence. Needless to say, when the mother discovered the extent of this disclosure she complained to the ICO.

The ICO was highly critical of the fact that the practice had no adequate written procedure for dealing with subject access requests, that the person dealing with such requests had no adequate supervision from the GPs to ensure that they were dealt with properly, and that there was no physical checking of the proposed disclosure to ensure that it did not contain information that should not be disclosed. Accordingly, a fine of £40,000 was levied upon the practice.

What should practices do?

The ICO considered that practices should have robust safeguards against inappropriate disclosure including:

  • Adequate written procedures
  • Ensuring the task is limited to staff with appropriate experience and supervision
  • Physical checking of the material prior to disclosure

Practices should therefore review their existing systems for dealing with records disclosure requests to satisfy themselves that they would be able to demonstrate this to the ICO if required. They should make sure that those processing requests are aware of the circumstances when records should be withheld, which will require an understanding of the relevant provisions of the Data Protection Act 1998 – especially the rules relating to third party personal data – and recognise when to seek further guidance in complex cases.

Hempsons’ information governance team regularly assists clients with complex and sensitive subject access requests and will advise on what data can and cannot be disclosed. For further information, please contact Chris Alderson.