
The impact of GDPR on the Right to Access Medical Records


Posted in Blog / New Legal Developments on Friday, May 18th, 2018

Regulation (EU) 2016/679, the General Data Protection Regulation (known as GDPR), is due to come into law on 25th May 2018. As a result, the current Data Protection Acts 1988 and 2003 will be repealed and replaced by the Data Protection Act 2018.

When a client wishes to investigate a personal injury claim*, their medical records are a key element in building a case. For example, if you take a claim against a hospital or doctor for an injury that you believe was the result of medical negligence, or if you have been involved in a road traffic accident, you will need to prove that the accident, or the negligence, was the cause of your injuries. In such cases, therefore, medical records will form an important part of the case.

Individuals are entitled to access their personal medical records and can do so in a number of ways. The most usual methods of accessing records are as follows:

(1) By administrative access to HSE records,
(2) Under the Freedom of Information Acts 1997 and 2003,
(3) Under the Data Protection legislation,
(4) Via a court order for ‘Discovery’ in legal proceedings.

GDPR will impact requests for access to medical records under the new Data Protection Act 2018. This avenue is most appropriate for patients who have been treated privately, e.g. by their General Practitioner, a private consultant and/or in a private hospital or clinic.

GDPR places new obligations on data controllers and processors (such as doctors and hospitals) to keep data safe and secure; to process data fairly; to retain data for one or more specified lawful purposes; and to retain data for no longer than is necessary. There are also additions to the right of rectification and the right to erasure (also referred to as the right to be forgotten). Furthermore, the data subject (in this case the patient) must consent to the use of the data for one or more purposes that have previously been disclosed to them.

Data Protection legislation provides rights of access to medical records similar to those under the Freedom of Information Acts, but an important distinction is that it does not apply to the records of deceased persons.

Requests for access to medical records under the Data Protection legislation should be made in writing, clearly state the records required and enclose as much information as possible to correctly identify those records, such as your full name, your previous and current addresses, your date of birth, the period during which you were under the provider's care and the relevant doctors or departments, if that information is available. It may also be necessary to provide proof of your identity.

The rules for dealing with access requests have been slightly changed under the GDPR. In most cases, the data controller will not be able to charge for processing an access request (previously the maximum fee was €6.35) unless they can demonstrate that the cost of complying with the request would be excessive. The timescale for processing an access request will also shorten from 40 days to 30 days. However, there is provision to extend this timescale by two further months where necessary, taking into account the complexity and number of the requests. The data controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. In some cases there is also, for the first time, the right to receive data electronically (data portability).

Doctors and hospitals will have some grounds for refusing to grant an access request. Where a request is deemed manifestly unfounded or excessive, it can be refused. However, the doctor or hospital will need to have clear refusal policies and procedures in place, and must demonstrate why the refusal meets these criteria. If you are unhappy with the outcome of the request, you have a right to appeal to the Data Protection Commissioner.

A further significant change under GDPR is the penalties for non-compliance, including administrative fining powers of up to €20 million (or 4% of total annual global turnover, whichever is the greater) for the most serious infringements. GDPR also makes it considerably easier for individuals to bring private claims against data controllers when their data privacy has been infringed, and allows data subjects who have suffered non-material damage as a result of an infringement to sue for compensation.

If you have problems accessing your records, or would like more information, contact us at Cantillons Solicitors on +353 (0)21 4275673 or at info@cantillons.com.

In contentious business, a solicitor may not calculate fees or other charges as a percentage of any award or settlement.

Related Experts: Ernest J. Cantillon, Managing Partner
