How to respond to a subject access request for medical records

• Patients have a legal right to request access to their medical records and this has been the case for many years.
• When patients request access to their records, it is known as a subject access request.
• More now than ever, patients are aware of their right to access their personal information and therefore it is vital that your data controller can appropriately deal with such requests.

Subject access requests (SARs) are governed by the Data Protection Act 2018 (DPA) and the UK General Data Protection Regulation (GDPR). These laws only cover living patients while requests for a deceased person's records are governed by the Access to Health Records Act, 1990.

Complying with the law

The Data Protection Act 2018 (DPA) enshrined the General Data Protection Regulation (GDPR) into UK law. All healthcare and other organisations must comply with this legislation which introduced several significant changes to the way an SAR should be handled under the previous law. The changes included:

1. The SAR does not have to be in writing but can also be verbal and even by social media.

2. The subject cannot be charged for copies of records unless the request is 'manifestly unfounded, excessive or repetitive'. You could then charge a reasonable fee. More detail is given on this below.

3. You need to provide the information within one calendar month rather than the previous time frame of 40 days.

4. In Scotland, children aged 12 or over are presumed to have sufficient age and maturity to access their own records. In England, Wales and Northern Ireland, competence is assessed on a case-by-case basis. An older child may have capacity to consent, and if they do, they should be asked for consent. Competent children may refuse access to their records unless the doctor believes disclosure is necessary to protect the child or young person, or someone else, from risk of death or serious harm, or unless required by law.

5. You should document access requests, reasons for any delay in providing the information and if requests are 'manifestly unfounded or excessive'. You should also document information provided about the right to complain to the ICO or judicial remedy.

Free access

There is currently no concise definition of what constitutes a manifestly unfounded or excessive request, or what a reasonable fee is. It is hoped this type of request will be rare and, when considering them, doctors should bear in mind their general duties towards patients as set out in the GMC's 'Good medical practice' (2024) and its guidance on confidentiality.

It may be helpful to discuss such cases with your data protection officer (DPO) and you can also contact us for advice.

In October 2020 the Information Commissioners Office (ICO) published the right of access detailed guidance to help identify what is a manifestly excessive request. It expands the definition and clarifies what needs to be considered when deciding upon a reasonable fee in these circumstances.

Another question that is often asked is whether insurance companies, solicitors or other third parties should be charged when requesting a patient's records. Usually, these organisations should not be charged if requesting records, with patient consent, under a SAR. However, other requests for information or reports by third parties should be dealt with in the usual way.

Access limitations

There are only limited situations in which you should deny or limit access to a patient's records following a SAR. The two main exemptions relate to information that is likely to cause serious harm and that relating to third parties.

Access can be limited or denied if it would be 'likely to cause serious harm to the physical or mental health or condition of the data subject or any other person', unless the patient is already aware of the information.

In such cases, there must first be an assessment by the doctor responsible for the person's clinical care. It's important to make a record of the assessment to ensure patient safety and in case you are later asked to justify why certain information was or wasn't redacted. We can help you to decide whether it is reasonable to limit access to a patient's record.

Information about third parties should be redacted, unless you can get consent from the person named. Information about the patient written by other healthcare professionals involved in their treatment may be disclosed. Read our guide on third-party redactions.

Communicating with patients

According to the ICO your organisation needs to be satisfied and have confirmed the identity of the requester (or the person the request is made on behalf of). The time limits for responding to a SAR only begin when the organisation receives the requested verification. This verification should however be requested promptly.

The ICO's guidance also confirms that: 'You are expected to give the individual additional information to aid their understanding, if the requested personal data is not in a form that they can easily understand. However, this is not meant to be onerous and you are not expected to translate information or decipher unintelligible written notes.

In relation to medical records this may mean spelling acronyms or explaining medical jargon in lay terms. You should also be prepared to explain diagnoses and treatments in more detail.

A version of this article was first published on GP Online.

This page was correct at publication on 30/01/2024. Any guidance is intended as general guidance for members only. If you are a member and need specific advice relating to your own circumstances, please contact one of our advisers.