Third-party information in medical records

Ha Stephen

Try telling that to SW & CCG!!!

Yesterday I collected her medical records. Day before filled in form, showed them my LPA, photo ID & Household bill and hey presto gor a call back next day records ready on a disc & no charge. How is that for service.

Today I sent form, LPA, ID & Household bill to the Trust to access the records they hold. Got an email back, saying thank you, no charge etc etc and this line in content

" I am liaising with Health Care Professionals, to obtain their consent to the release of the notes, which must also be screened for third party information"

I was puzzled by this so went onto their own website and it says

" The information identifies a third party and they have not consented to the disclosure. The Trust must supply as much information as possible without revealing the identity of the third party. This does not apply to a health professional that has compiled or contributed to the health record or has been involved in the care of the patient."

So I am reading this as anyone who works for the Trust and has compiled records have to share and any third party has to be redacted/consent given??

Question Am I reading this correctly.? If not it would mean they wouldn’t have to share anything then…wouldn’t put it [ast them lol

AS far as I understand the rules, yes that is correct.
The approach I have always taken is to disclose as much of the third party info (ie. information from anyone not employed by the record holding organisation) as I could, while still protecting the third party’s identity, unless they had consented to full disclosure.

well I quoted the rules and hey presto next day they called to say they agreed and records available!!!

So my advice is googling relevant procedure/law/their own websites then hit 'em with the facts…seems to work well :grin:

That’s pretty much it. I’ve added a page on MHLO for the Data Protection Act 1998 and added some details about health records. Here’s the first draft:

The general rule is that the relevant GDPR provisions “do not oblige a controller to disclose information to the data subject to the extent that doing so would involve disclosing information relating to another individual who can be identified from the information” (sch 2 para 16(1)).

That general rule does not apply where “(a) the other individual has consented to the disclosure of the information to the data subject, or (b) it is reasonable to disclose the information to the data subject without the consent of the other individual” (sch 2 para 16(2)).

In relation to the “reasonable to disclose” exception:

  • In general, “the controller must have regard to all the relevant circumstances, including (a) the type of information that would be disclosed, (b) any duty of confidentiality owed to the other individual, (c) any steps taken by the controller with a view to seeking the consent of the other individual, (d) whether the other individual is capable of giving consent, and (e) any express refusal of consent by the other individual” (sch 2 para 16(3)).

  • In relation to health records, “it is to be considered reasonable for a controller to disclose information to a data subject without the consent of the other individual where … the health data test is met” (sch 2 para 17(1)). This health data test is met if “(a) the information in question is contained in a health record, and (b) the other individual is a health professional who has compiled or contributed to the health record or who, in his or her capacity as a health professional, has been involved in the diagnosis, care or treatment of the data subject” (sch 2 para 17(2)).

Further details including definitions of terms can be found in Schedule 2 of the Act.

Thanks Johnathon much appreciated. I have just got the records all 1,800 pages of them! Most is irrelevant stuff but a couple of interesting pages I can use to prove my points at meeting.

Of these pages three have been completely redacted, so just a black page??? So they are more or less saying that every sentence can identify the 3rd person even the date lol

Wondered whether I had a right to ask why or where it originated so I can get further information. These 3 documents might have relevant info. Seems strange to redact full pages.

Obviously they have to be really careful I appreciate that but they haven’t redacted someone elses records (4 Pages) they have misadvertently put in my Mum’s folder!!! Nothing too personal but still how could they miss this. Unbelievable.

I did think of contacting them and saying why have you redacted my Mum’s records when you have left in someone else’s records? Wonder what their reply would be then lol

This is just a wild guess, but maybe it’s a letter written by hand, or with a recognisable letterhead, which would identify the source? In relation to the general rule above, “information relating to another individual” includes information identifying the other individual as the source of information (sch 2 para 16(4)).

I don’t know but I’m sure you could ask, or at least ask them to reconsider those pages.

If your mum were still on s3, with ongoing MHT proceedings, the tribunal might have been willing to get involved in disclosure of records.

Otherwise, if you have a solicitor, the Trust might be willing to disclose the unredacted records to the solicitor, subject to an undertaking not to disclose them to you. I had that one time, though it was well before the DPA 2018 and I can’t remember the legal basis. I was able to persuade the Trust to disclose some extra documents (I think because the information had been disclosed elsewhere or was already known). There were some documents left but I moved jobs before dealing with them. I might have contacted the Information Commissioner’s Office to work out what to do next.