Insurance and Other Third Party Reports
Insurance Reports using the Data Protection Act
Increasingly, insurance companies have taken to submitting requests for full copies of patient notes under the Data Protection Act rather than asking for the traditional Private Medical Attendant’s Report (PMAR), which for many years has been the subject of an agreement between the Association of British Insurers (ABI) and the BMA. That agreement itemises the information that should be disclosed and specifies the fee for providing it.
In recent years the growing computerisation of records has led to some practices sending unedited print-outs of patient notes in response to such requests.
In response, some insurers are now offering a reduced fee of £50 for such reports, and at least one has withdrawn from the ABI/BMA agreement and has started to make applications for records under the Data Protection Act. Apart from only offering a maximum fee of £50, including costs, this means that the GP has to check the printout closely to ensure that third party and other inappropriate information is not disclosed.
DPA Disclosure
LMCs generally advise practices that they should not send unedited printouts in response to a PMAR request. This is partly because it is not in the spirit of the ABI/BMA agreement, but also because it risks breaching the requirements placed on the practice as the data controller. It is a fundamental principle of information governance that only relevant and necessary information should be disclosed.
With the proper consent, an insurance company is allowed to request a DPA disclosure on behalf of a patient. However, it is likely that some patients will not know that when an insurance company requests a copy of the records, this includes every piece of information in the notes, far more than is disclosed in a traditional PMAR. Consequently, it is not certain that patients are giving informed consent when approached in this way.
If you are uncertain about the information that you are being asked to disclose, it is reasonable to contact the patient to ask him or her to review this before it is despatched. You should tell the company requesting the information that you have taken this step, and, if appropriate, suggest that it should obtain further instructions from its potential client.
The practice is required under the DPA to provide the requested data within 40 days after the fee has been paid. If payment does not accompany the request, practices are expected to seek this within a reasonable timescale. The 40 days does not start until payment has been received by the practice, so if a cheque is sent this should be cleared into the practice account first.