By Tony Collins
Pulse reports that the Information Commissioner’s Office is to put questions to Aviva after learning that it has been requesting patients’ full GP records to underwrite some insurance policies.
An ICO spokesperson told Pulse it would be contacting insurer Aviva to ‘understand more’ about their use ‘subject access requests’ for collecting medical information on patients and ‘how these accord with the [Data Protection] Act’.
Aviva confirmed to Pulse that it has been using the method – with customer consent – for almost 12 months.
In a response to the article, an anonymous GP publishes his practice’s standard reply to such questions from insurers:
“Thank you for your medical records subject access request. We formally decline to undertake this.
“We draw your attention to paragraph “2.12 Access to patient records from insurers and mortgage providers” on page 112 of the ‘Information Governance Review: To Share or Not to Share’ published in March 2013.
“The Panel also heard concerns that insurers and mortgage lenders may seek to use their influence to request whole records from GPs, as a condition of supplying insurance or a mortgage.
“The General Medical Council has issued specific guidance for GPs112 and the British Medical Association and the Association of British Insurers (ABI) have produced joint guidelines 113 to allow relevant data about patients to be shared appropriately with insurers on a basis of explicit, written consent.
“In addition, principle 3 of the Data Protection Act 114 offers further safeguards as it allows organisations to hold only ‘adequate, relevant and not excessive’ personal data about an individual.
“This means insurers and mortgage lenders cannot hold more information about an individual than they need. The act also requires organisations to identify in advance and then request only the minimum amount of data needed for a particular purpose.
“The Review Panel concluded that these guidelines, combined with the safeguards offered by the Data Protection Act offer sufficient to prevent inappropriate sharing of whole records with insurers and mortgage lenders.
“We suggest that you apply for a PMA report in the normal way. Alternatively the patient may apply for a copy of their records having made a pre payment of £50 to the practice and is at liberty to send you any or all of their medical records.
“We cannot guarantee that the patient may withhold part of their medical record. You have a duty not to hold any more information than you require.
“I would like to advise that I believe you to be in breach of the DPA, in particular paras 112, 113 and 114 of the Information Governance Review. If we receive another similar request from your company we will be compelled to report the matter to the Information Commissioner.”