Everyone was talking about it and then the day arrived – Friday 25th May, ‘GDPR day’ or perhaps ‘regulation day’; let’s not forget that the Data Protection Act 2018 was also introduced on the very same day! There was no grandiose introduction; suddenly a subject that had generated so much hype and debate seemed to pass us by and it was over to organisations to get on with it. All that hard work, preparation, stress, determination – and for what? A slight mention in the news? It hardly seemed worth it.
However, in reality what you’ve been doing and are continuing to do is worth it, and it’s essential if you don’t want to face the wrath of the Information Commissioner’s Office (ICO) in the future. As we’ve said many times, you don’t have to be fully compliant immediately, but you must be able to demonstrate that your GDPR journey has begun and that you have systems and plans in place, showing a proactive approach to compliance.
One subject that has taken centre stage is Subject Access Requests (SARs) and it’s easy to see why. The time and effort it takes to provide copies of medical records is often underestimated and now practices have to do it for free. Usually when the word ‘free’ is mentioned, most people home in to see what it is that’s free; alas, there are no freebies here unless you’re the patient or their authorised third party. That’s because you can’t charge for anything associated with the SAR – not paper, not ink, not postage or time. Please don’t shoot the messenger; we’re just stating the facts!
Let’s move on to the ‘third party’ subject. Solicitors can request copies of records using a SAR as they’re acting for the patient and the SAR is, in effect, from the patient themselves. As long as the patient has given consent for their solicitor to access the full medical record, practices should comply with the patient’s (or their solicitor’s) request and provide a copy of the patient’s medical record free of charge. Talk about kicking a man when he’s down!
So when can you charge a fee? Well, the ICO has stated that the use of SARs to obtain medical information for insurance purposes is an abuse of access rights and practices should advise insurers to use the AMRA when requesting a GP report, with the BMA suggesting that practices charge £104 per report. Okay, back to SARs: what about those requests that you think are ‘manifestly unfounded or excessive’; what’s your definition of excessive? The Oxford Dictionary defines excessive as ‘more than is necessary, normal or desirable; immoderate’. So what’s considered normal or desirable when you look at an individual’s healthcare record? Do we state that a summary printout is normal whereas copies of the patient’s paper record are more than is necessary? We’re pretty certain we’d all have differing opinions. Is it anything more than 20 sheets of paper, or should the threshold be higher or lower?
What we need is clarification and we need it pretty quickly so that practices can request a ‘reasonable fee’ to deal with SARs. So this week we’ve emailed the ICO to ask what they deem to be excessive and what’s considered a reasonable fee. For example, is it acceptable for a practice to say they’ll provide the first 10 sheets of paper for free and then charge 30p per sheet thereafter? We await their response with anticipation, hope and a belief that common sense will prevail.
Once a response is received, it will be shared. Meanwhile, enjoy the sunshine and the World Cup!