GPs could be breaking the law if they provide insurers with medical records - even with patient consent, ICO rules

GPs no longer have to comply with requests from insurers to release medical records

GPs do not have to comply with requests from insurers to release patient medical records, even if a patient has given consent, the Information Commissioner's Office (ICO) has ruled.

Insurance firms that request the records under the Data Protection Act are abusing fundamental rights that are protected under EU law, and GPs who do hand over records could even be in breach of the law themselves, the ICO said in a letter to the Association of British Insurers seen by GP magazine Pulse.

Last year, the ICO investigated the use of "subject access requests" (SARs) by UK insurers who were looking to obtain medical data to underwrite insurance policies.

As a result of the investigation, the ICO said: "The commissioner takes the view that the use of subject access rights [provided for under Article 8 of the EU Charter of Fundamental Rights] to access medical records in this way is an abuse of those rights.

"Using individuals' own data protection rights to sidestep the current statutory arrangements designed to meet the insurance industry's needs, and including important safeguards for individuals, is not the appropriate approach," it added.

The ICO said that insurers could be in breach of several of the Data Protection Act's principles around patients giving informed and explicit consent, data being kept longer than necessary and data security.

As data controllers, GPs who release whole patient records, including data that is not relevant to the insurance request in question, could also be in breach of the act.

It is likely that the Association of British Insurers and the General Practitioners Committee will have to come to a new agreement that abides by the law.

Last year, it was revealed that the NHS information centre (NHS IC), now known as HSCIC, had made "significant lapses" in recording the release of data, meaning that millions of patients' NHS data was sold to private companies over the last decade without firm records.

The data released by the NHS went to universities and the Department for Health for research purposes, but also to technology firms, healthcare consultancies, insurance firms and the pharmaceutical giants AstraZeneca and GlaxoSmithKline.