Obtaining medical records: what is the position and how should a request be dealt with?

In the wake of the GDPR, we consider issues around disclosing or obtaining medical records in the event of a claim or receipt of a preliminary notice of claim.

Previous practice

A doctor is accused of making an error and notifies his professional indemnity insurers or defence organisation. Insurers/indemnifiers want to investigate further to assess the risks to them, and to consider coverage. Historically what happened next went something like this:

• The doctor in question provided such notes as they held. These would inevitably be incomplete and only provide part of the picture.
• The doctor requested a complete set of patient notes from the relevant clinic or hospital, which were provided without any question. 
• Unless a claim had commenced (through the courts or the pre-action protocol) which requires a response, or there is some other particularly good reason, GP records would not be obtained at this stage.

The spectre of the GDPR has caused that pattern to change in recent times. When asked, hospitals and clinics are refusing to provide any paperwork without a signed release from the patient.

The question is then what papers insurers and their advisors are entitled to receive, and whether or not clinics and hospitals are over-reacting to the current GDPR frenzy?

Should the clinic provide papers?

Each clinic is a controller of their patients’ personal data. Since the majority of such data relates to patients’ health this is, in fact, designated special category data, and is subject to more stringent rules.

Generally special category data cannot be processed at all because of its highly confidential nature. “Processed” is a broad term that includes storage of the records, but also their disclosure, whether to the patient or to a third party. In general, data cannot be further processed for different purposes without a legitimate reason for doing so.

here are, inevitably, exceptions to the prohibition on processing sensitive personal data. These are found in article 9 of the GDPR. Article 9.2(h) covers “…the provision of health or social care or treatment”. This justifies the storage of medical records, and also allows their disclosure to another doctor for ongoing treatment. There is also article 9.2(a) which allows processing with the patient’s “explicit consent”. This is the exception now used by clinics to justify the provision of medical records to doctors who face claims.

There is, however, a third exception that potentially applies. Article 9.2(f) refers to processing “necessary for the establishment, exercise or defence of legal claims…|”. This potentially permits the disclosure of medical records. There are, however, two points to note:

• It concerns “legal claims”. It is recognised that this phrase includes prospective legal claims so even if there is only a Letter of Claim then there is no debate to be had. The position is less clear if there is only a complaint, perhaps to the clinic where the treatment occurred. Most controversial is where there has been no suggestion of a claim or complaint, but the surgeon has notified a circumstance, maybe just before renewal out of an abundance of caution. Arguably the provision of medical records would not be “necessary for the…defence of legal claims” where there is no hint of a claim.
• It does not make clear who the claim must be against. Because of the wide wording then apparently it could be against anyone, including the surgeon. Potentially, however, a clinic could interpret the wording as meaning that there must be a claim against them, not against some third party.

Should the doctor provide papers?

It is normal, on notification of a circumstance, for an insured doctor to be asked by their insurers for any papers that he or she holds. Article 9.2(f) means that a doctor is entitled to disclose papers so that they can obtain legal advice on a claim. The GMC’s guidance “Confidentiality: good practice in handling patient information” states at paragraph 59 that “you may disclose information without consent to your own legal adviser to get their advice”.

That still leaves room for some ambiguity in two regards. First, the issue of whether or not there is a claim – as explored above – remains. The GMC’s guidance apparently assumes that there does not need to be a claim for the doctor to seek advice, but the wording of the GDPR is less clear than that. Second is the fact that the doctor can disclose paperwork to “your own legal adviser”. Where a solicitor acts for both insurers and the doctor, then this is, again, uncontroversial. That is not, however, always the case, particularly if coverage is being considered, or if solicitors act as claims handlers in the first instance.

There is an exclusion relating to insurance – buried deep in the Data Protection Act 2018 in Schedule 1, part 2, paragraph 20 – which might be thought to assist. Unfortunately there are a number of conditions which make it unlikely to apply here. For example, there should be a “claim under an insurance contract” so arguably it would not apply if there was a circumstance. Further, it cannot apply where the controller cannot reasonably be expected to obtain the consent of the patient, which arguably they could. This exception is unlikely to help in these circumstances.

Potential breach of policy terms

If there is any uncertainty then it is at least arguable that the doctor does not have grounds to process the data – and therefore provide papers to their insurers – at this stage. If so, that potentially puts the doctor in a cleft stick. Most insurance policies will contain a term requiring the insured to co-operate with their insurers in the handling of any claim or circumstance. That will include the provision of information about the matter, including the relevant papers. Failing to provide papers on request could be construed as a failure to co-operate with insurers and a breach of the policy terms. A breach of the policy terms could, potentially, give insurers the right to decline cover. Whilst it is highly unlikely that insurers would take such a step where an insured is constrained by confidentiality rules, it cannot entirely be ruled out.

Practical steps

What then are doctors, and their insurers, going to do?

In our view a clinic or hospital can provide medical records to a surgeon facing a claim without needing a patient’s authority. Where a claim is afoot then the claimant should have already obtained the relevant papers. Where there is no claim the position is more doubtful. Given the potentially swingeing penalties for breaching the GDPR, it is unsurprising that clinics take a cautious approach and ask for a signed authority.

Where a claim has yet to be launched then asking for a signed authority may precipitate one, which is not in the interests of either insurers or the doctor. Further, satellite litigation with a clinic or hospital over disclosure will, in most circumstances, be deeply unattractive for all concerned.
That being so, insurers (and doctors) will have to be content for investigations to be limited until a claim arises. Where it is difficult to obtain full details of a potential claim then a clear reservation of rights should be maintained to ensure that insurers’ position is fully protected in the meantime.