If an insurer wants your medical records should your GP say no?

By Tony Collins

Pulse reports that the Information Commissioner’s Office is to put questions to Aviva after learning that it has been requesting patients’ full GP records to underwrite some insurance policies.

An ICO spokesperson told Pulse it would be contacting insurer Aviva to ‘understand more’ about their use ‘subject access requests’ for collecting medical information on patients and ‘how these accord with the [Data Protection] Act’.

Aviva confirmed to Pulse that it has been using the method – with customer consent – for almost 12 months.

In a response to the article, an anonymous GP publishes his practice’s standard reply to such questions from insurers:

“Thank you for your medical records subject access request.  We formally decline to undertake this.

“We draw your attention to paragraph “2.12 Access to patient records from insurers and mortgage providers” on page 112 of the ‘Information Governance Review: To Share or Not to Share’ published in March 2013.

“The Panel also heard concerns that insurers and mortgage lenders may seek to use their influence to request whole records from GPs, as a condition of supplying insurance or a mortgage.

“The General Medical Council has issued specific guidance for GPs112 and the British Medical Association and the Association of British Insurers (ABI) have produced joint guidelines 113 to allow relevant data about patients to be shared appropriately with insurers on a basis of explicit, written consent.

“In addition, principle 3 of the Data Protection Act 114 offers further safeguards as it allows organisations to hold only ‘adequate, relevant and not excessive’ personal data about an individual.

“This means insurers and mortgage lenders cannot hold more information about an individual than they need. The act also requires organisations to identify in advance and then request only the minimum amount of data needed for a particular purpose.

“The Review Panel concluded that these guidelines, combined with the safeguards offered by the Data Protection Act offer sufficient to prevent inappropriate sharing of whole records with insurers and mortgage lenders.

“We suggest that you apply for a PMA report in the normal way.  Alternatively the patient may apply for a copy of their records having made a pre payment of £50 to the practice and is at liberty to send you any or all of their medical records.

“We cannot guarantee that the patient may withhold part of their medical record. You have a duty not to hold any more information than you require.

“I would like to advise that I believe you to be in breach of the DPA, in particular paras 112, 113 and 114 of the Information Governance Review. If we receive another similar request from your company we will be compelled to report the matter to the Information Commissioner.”


3 responses to “If an insurer wants your medical records should your GP say no?

  1. I have come across companies trying to lull people into giving them full access to their health records. When challenged the excuse is that it does it to help people as they don’t understand what information is relevant or not.

    The companies are being lazy and simply going “fishing” for data. The correct approach is for the company to ask the GP or other independent expert to prepare a report, based on the health record, in relation to specific questions from the company. Insurers know exactly what information they want but don’t want to spend the money doing it properly. We shouldn’t forget the Access to Medical Reports Act 1990 as this gives the right to see any medical report produced for insurance and employment purposes before it is sent to the requesting organisation (sadly this doesn’t apply to the DWP!).


  2. Excellent response by that practice.

    Ideally, yes, the patient should request the record and send it to the insurance company. Problem is that they would then have to pay the GP surgery the £50 SAR fee, which really should be covered by the insurance company (and no doubt recovered via the premiums).


  3. Reblogged this on sdbast.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.