The dos and don'ts of releasing records

The policy on responding to a request for confidential patient information depends on who makes it and how it is made

Ms Stephanie O'Connell, Legal Counsel, Medisec, Ireland

November 28, 2023

Similar articles
  • GPs often receive requests for confidential patient information. The policy on how one should respond to those requests  can depend on who makes the request and how it is made. 

    GPs will be very conscious of their professional and ethical obligations to maintain confidentiality, even after the death of a patient, but those duties sometimes need to be balanced with the legal obligation to disclose certain information. This article sets out some of the common situations in which GPs encounter requests for confidential patient information. Generally speaking, patients have a right to access their own medical records under general medical ethical principles, data protection legislation and/or freedom of information (FoI) legislation, but there are exceptions.

    Paragraph 33 of the Medical Council’s Guide to Professional Conduct and Ethics for Registered Medical Practitioners (Amended) 2019 provides that: “Patients have a right to get copies of their medical records except where this is likely to cause serious harm to their physical or mental health. Before giving copies of the records to the patient, you must remove information relating to other people, unless those people have given consent to the disclosure.”

    Under GDPR, patients can request all documents relating to them, including staff communications. GPs and practice staff should always bear this in mind and maintain professional standards in their records and correspondence.  

    GPs should carefully review and consider each request on a case-by-case basis. If the patient’s records contain information relating to their mental health, for example, and there is a possibility that access to that information could cause serious harm to the patient, it may be necessary to restrict access to those parts of the records. Prior to release, there is also a requirement to redact from the records information relating to third parties, unless their consent is obtained before disclosure. A GP should consider the purpose of the request and the best interests of their patient in each case and make a clinical decision as to whether certain information should be redacted. We recommend that GPs contact their indemnifier for assistance if they have any queries relating to redactions.

    Patient requests

    When a GP receives a request for records from a patient, they should consider on what basis the patient is making the request. Although not a strict requirement, it is good practice to seek a written request for the release of patient information and obtain written consent from the patient which should be retained on their file. The GP should be satisfied that the patient has capacity to make the request and that the request is being made by and for patient themselves. If there is any doubt as to the patient’s capacity, the GP should ask the patient to attend the practice to discuss the request and where necessary, assess capacity. When in doubt, a GP should contact their indemnifier for advice. 

    Requests from family members

    Family members sometimes become involved in a patient’s care and seek copies of records. This information cannot be provided without the patient’s consent. Before the release of any records, consideration should be given as to the best interests of the patient and their capacity to consent. A GP may ask an elderly patient if they are happy for them to discuss their care with their adult children, and if consent is received, this should be recorded on the patient’s file, confirming which family members the patient is happy for the GP to liaise with. 

    Parents of teenage children may wish to see their children’s medical records. Section 4(a) of the ICGP guidance document, Processing of Patient Personal Data: A Guideline for General Practitioners (2019), states that while parents and/or legal guardians can make an access request on behalf of a child, once a child is capable of understanding their rights to privacy and data protection, the child should normally decide for themselves whether to request access to data and make the request in their own name. 

    Requests from third parties 

    Insurance companies and solicitors may seek information relating to claims made by patients. Sometimes, doctors are asked to write reports and/or provide copies of patients’ medical records. The GP should ensure they have full, valid and informed consent from the patient to disclose any information to an insurance company or solicitor. A written and dated consent form signed by the patient to the disclosure of information should be sought and stored on the patient file. The GP should ensure the patient understands the nature and extent of the records to be released and should not disclose any information that goes beyond the parameters of the request. 

    Requests from Gardaí

    In general, a patient’s consent is required to release confidential medical information to the Gardaí. Sometimes a patient will want their records released to the Gardaí, eg. if they were the victim of a crime, and other times they may not, eg. if the patient is being investigated by Gardaí. There are, however, certain limited circumstances where the public interest (such as a risk of serious harm or death) in disclosing information outweighs the patient’s interest in preserving confidentiality, or the disclosure is required by law.

    All Garda requests should be received in writing. Where the request relates to a living patient, it should be made pursuant to section 41 (b) of the Data Protection Act 2018, which allows for the processing of data other than for a purpose for which it was collected to the extent that it is necessary and proportionate for the purposes of “preventing, detecting, investigating or prosecuting criminal offences”.  The legislation does not place an obligation on GPs to disclose such information to the Gardaí, it merely allows for disclosure without consent in appropriate circumstances. It is open to the Gardaí to seek a court order or warrant to obtain information or records. If the Gardaí obtain a court order for the release of records, a GP would then be required to release the information requested. 

    Requests for mandated assistance 

    GPs are mandated persons under the Children First Act 2015 and as such are required to report to Tusla any knowledge, belief or reasonable suspicion that a child has been, is being or is at risk of being harmed. Section 16 of the Act provides that mandated persons can be requested by Tusla to provide necessary and proportionate assistance in their assessment of risk to a child. A request for mandated assistance usually involves a request to supply further information and/or medical records. If a GP receives a written request for mandated assistance from Tusla, it is important to comply with that request, regardless of who made the initial report to Tusla. Under section 16(3) of the Act, mandated persons are protected from civil liability for sharing information with Tusla at its request. Data protection legislation does not prevent the sharing of information on a reasonable and proportionate basis for the purpose of child protection.

    Request for medical records/information on a deceased patient 

    The Medical Council’s guide provides that patient information remains confidential after death. In general, prior to releasing patient information, a GP should seek written consent from the executor/legal personal representative of the deceased patient’s estate. A GP should also consider how disclosure of information might benefit or cause distress to the deceased’s family, the effect of disclosure on the reputation of the deceased and the purpose of the disclosure. Where a GP receives a request to release information relating to a deceased GMS patient and the request specifically refers to FoI legislation, those requests should be referred to the HSE FoI department for processing.  The HSE deems a deceased patient’s health record as information of such a sensitive nature that the access request should be directed to the HSE FoI department and dealt with through the FoI process. 

    Patients have a right of access to their medical records, unless it is likely to cause serious harm to their health. Written patient consent should be obtained before the release of records to a third party and GPs should ensure that the patient is fully aware of the nature and extent of the disclosure and gives informed consent. 

    Where the public interest in disclosing information outweighs the patient’s interest in preserving confidentiality, or the disclosure is required by law, it may be necessary to release patient information without consent. GPs should seek advice from their indemnifier prior to releasing any patient information where they have any queries or if there are any complicating factors arising from the request. 

    © Medmedia Publications/Forum, Journal of the ICGP 2023