Case Study 4
Access to medical records on a change of general practitioner
A person contacted me regarding her difficulty in obtaining her actual medical file which she had formally requested from the local Health Centre under section 4 of the Data Protection Acts. She explained that she was a private patient of a doctor at the Centre which catered for General Medical Service’s patients – the doctor treated patients on a private basis also. Her doctor had left the practice and had passed her records to his replacement in the Centre. She had received advice from her local Health Board that, under normal protocols, files associated with a general practitioner would transfer to the successor on the General Medical Service’s panel. However, files relating to private consultations between an individual and their general practitioner were a different matter. This is an important and correct distinction in Data Protection Law because the patient was a private patient. The doctor is therefore the data controller in respect of private patients and not the Health Centre or the Health Board.
In the course of our investigations, my Office established that the replacement GP had offered the complainant a copy of her medical notes but not the actual file, which is consistent with his obligations under the Acts. He had taken legal advice regarding the transfer of her notes to him and was satisfied that he, as a principal of the health centre, was entitled to custody of the complainant’s file.
My Office informed the complainant that she had a right, under section 4 of the Acts, to access her data, but did not have a right to obtain her actual file. I also advised that if she wished to transfer as a patient to another practitioner outside the health centre, she could request that a copy of her medical records be sent to her new GP. However, the GP at the health centre is entitled to retain custody of her file for medico-legal and other professional requirements.
General Practitioners are at the coal face of the medical service and patients are happy to put confidence and trust in them regarding their personal data. A health service can be delivered in an efficient and effective manner while at the same time respecting peoples’ privacy. The general nature of data protection law, to the extent that it leaves scope for ambiguity, entails a certain lack of legal certainty and clarity. For this reason, I liaised with the Irish College of General Practitioners and the National General Practice Information Technology Group which led to the timely publication in November 2003 of “An Information Guide to the Data Protection Acts for General Practitioners”. The Guide addresses the issues surrounding custody of patients’ data raised in this case and advises that General Practitioners should take prompt reasonable steps to notify patients of cessation of practice and allow them the opportunity to transfer their health information to another provider. It also says that
"where a patient decides to transfer to another doctor, the existing doctor should, in accordance with data protection law and ethical guidelines, facilitate that decision by making available to the patient's new doctor a copy of the patient's health information. The existing doctor should, however, maintain the patient information record accumulated at that time for an adequate period consistent with meeting legal and other professional responsibilities. During that period, the provisions of the Data Protection Acts continue to apply to that information."
In this case, I was pleased that the newly appointed doctor was following the guidance on the transfer of records. The case also highlights the important distinction between a data controller in respect of public patients (which is the Health Board or hospital or Health Centre as the case may be) and private patients (which is the relevant health professional).