Favourable changes regarding disclosure of medical records following GDPR

One piece of good news for clinical negligence practitioners is that their requests for medical records from healthcare providers should now be met free of charge, and more quickly than was sometimes the case before the GDPR.  The previous statutory charge of £50.00 (which applied except where the patient was deceased) was generally considered reasonable and had not been increased over the years, but it could add up where a claim involved a large number of providers.

Authority for the change is at Chapter 3, Article 12 of the GDPR.  Paragraph 5 reads: “Information provided under Articles 13 and 14…shall be provided free of charge”.  The same paragraph applies equally to any communication and any actions taken under Articles 15 to 22, and Article 15 is the right of access, which is the provision a request for a patient's medical records actually invokes.  Articles 13 and 14 deal only with the information a controller must give when it collects personal data, from the data subject (Article 13) or from elsewhere (Article 14); whether medical records fall under one or both is beside the point, because it is Article 15 that carries the access request and Article 12(5) that makes complying with it free.

There is an exception to the free-of-charge principle, but only where a request is manifestly unfounded or excessive, in particular because of its repetitive character, effectively ‘nuisance’ or malicious approaches.  Even then the controller may only charge a reasonable fee based on its administrative costs (or refuse to act on the request), and the burden is on the controller to demonstrate that the request is manifestly unfounded or excessive, so a fee looks unlikely to be sought in the context of a professional access request.

I have read that under the GDPR, disclosure must be made within 30 days of the request being made.  This would represent a considerable improvement on the previous position, in many cases.  However, the text of the Regulation does not in terms require substantive compliance within 30 days.  Article 12(3) says: “The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request”.  On its face this is not the same thing as providing the data itself within one month.  The same paragraph allows that period to be extended by two further months “where necessary, taking into account the complexity and number of the requests”, but only if the controller informs the data subject of the extension, and of the reasons for the delay, within the first month.  The ICO's guidance treats the one-month period as the time limit for complying with an access request, not merely for acknowledging it, so a provider that neither supplies the records nor gives reasons for an extension within a month will be hard pressed to justify itself.  Even so, in the absence of an explicit deadline for the data itself, it remains to be seen whether requests will actually be processed faster, as appears to be the intention of the GDPR.

Clinco ISO27001 external audit success

The ISO27001 external auditor came to the Clinco offices yesterday to scrutinise our information security management system.  Certification is subject to annual audit.  Having achieved the standard last year, we now have 18 months’ worth of evidence to show commitment and integrity in relation to information security.  We took the decision two years ago that, as a leading provider of medical records pagination services, we should also be leading on data protection.  All the medical records we paginate are health data, which the GDPR classifies as special category data, and we want to show we are protecting that information.

The ISO standard for information security is wide-ranging.  Electronic security opens up a whole raft of issues and risks which need to be minimised or eliminated, and physical security is equally important.  What we came to realise in the early days of our application for ISO27001 is that almost every aspect of a business can affect information security, from recruitment to continuity planning.

With this in mind it is not surprising that it took five hours of intense scrutiny yesterday for the external auditor to be satisfied that he had examined enough evidence to continue Clinco’s certification.  He also interviewed our IT support team and the site head of security.  I have not seen the full report yet, but I am pleased to report that Clinco’s systems passed with flying colours: no major or even minor nonconformities.  We are therefore confident that our services continue to be offered with the risks to our clients’ data managed to the standard, and in a way which meets compliance requirements in the new data protection landscape.

Well done to the Clinco staff, who made such an impressive contribution to the successful outcome.

Clinco ISO27001 external audit

ISO27001 data protection certification… a year in!

We’re just working up to our first external annual audit for ISO27001, the international standard for information security management, which Clinco attained last summer.  We’re bringing our first audit a few weeks forward so we can tie it in with the earliest days of GDPR application, but we have now completed a full year’s certified compliance with information security best practice.  We still believe we are the only independent pagination service to have achieved this, which does not surprise us, as it has been a very stringent process.  We’re proud to have been the first in line for such an achievement, and all credit to our compliance-minded management team and motivated staff for the push forward on standards.

We’ve been able to answer GDPR and other data protection questions with confidence as a result.  We’ve noticed increasing attention being paid to information security, quite rightly in our view, and will continue to seek to improve standards and offer our clients the best available secure pagination service.  Apart from that, we’ve noticed benefits in terms of operational efficiency from the internal and external scrutiny of our processes, meaning that we can pass cost savings on to our clients.  So it’s a better service, for less.  We have invested much time and energy over the last couple of years in this area and are actually looking forward to welcoming the external auditor next week…