Responding to requests for medical records and charging

Following enquiries from a number of members who have been advised by insurance companies/solicitors that they can no longer charge for the issue of medical records since the introduction of GDPR, the iO team has been in touch with the Information Commissioner's Office (ICO) to gain clarity and advice on this issue.

The introduction of GDPR earlier this year included a requirement to comply with ‘subject access requests’, whereby individuals, or third parties with appropriate permission, can request copies of their personal information, such as medical records. Under the GDPR legislation, these requests must be actioned within 28 days and in most circumstances a fee cannot be charged.

With regard to the issue of medical records for insurance claims, the Information Commissioner's Office (ICO) has stated that requests by solicitors or insurance companies relating to insurance claims should be requested under The Medical Reports Act 1998, not GDPR. On this basis, requests for medical reports for insurance claims can attract a fee.

Although the Medical Reports Act is the appropriate method for requesting records for insurance purposes, the ICO is aware that a number of solicitors and insurance companies are using GDPR to circumvent this. They have advised the following process for healthcare practitioners should they receive a request for a medical report under a subject access request, in relation to an insurance claim:

  • Contact the patient to advise that a request for their data has been received from the third party, and confirm they have provided permission to the third party.
  • Advise the patient that under this request all their medical data will be supplied, as opposed to a report specific to the claim/condition. Patients will need to be made aware that this would, potentially, release sensitive medical data unrelated to the claim.
  • There are then two options for the patient:
      • Offer to send the patient their records. It is then up to the patient to determine the information relevant to the claim and send it on to the insurance company.
      • Alternatively, the patient may still give you consent to provide all the information to the insurance company. If the patient provides consent for you to do this, then unfortunately this cannot attract an administrative fee.

We are therefore advising members to continue their charging policy for the supply of medical records unless the request has been made specifically as a ‘subject access request’ under GDPR, in which case we recommend following the above advice supplied by the ICO.

We would welcome feedback on members’ experience on this or similar issues.  Please contact 
