Medical Council News


Releasing Medical Records to Insurance Companies

Case Study:

Mrs M had badly injured her knee and filed an insurance claim. Her insurance company contacted her GP, Dr A, seeking Mrs M's medical records relating to the knee injury. In replying to this request, Dr A released data relevant to the knee injury, but also disclosed other medical information - including cervical smear test results and records relating to Carpal Tunnel Syndrome, none of which were relevant.

When Mrs M discovered this, she filed a complaint with the office of the Data Protection Commissioner. The DPC wrote to Dr A and asked that he provide an explanation as to what had occurred in this case. Dr A responded stating that Mrs M’s insurance company had requested relevant information with respect to her knee injury but that, inadvertently, he had also released other information. Dr A stated that he was deeply sorry that he had caused any distress or upset to Mrs M, whom he had known for thirty-five years.

In considering the case, the key issue, from a data protection perspective, was consent. It was noted that the complainant had completed and signed an insurance claim form which contained the following consent clause:

"I authorise XXX Insurance Company Limited (the Underwriters) to make any enquiries and get any information they consider relevant from my doctor, employers or elsewhere. I understand that I must provide evidence to [XXX Insurance Company Limited] to prove my claim."

On the same claim form, the complainant supplied details of her accident and explained why it prevented her from working:

"Left knee injury. Torn ligaments. Recovery time unknown. Waiting for knee surgery. On waiting list."

The insurance company concerned had sought Mrs M's medical records, supplied the relevant consent form and used the following terms in its request to Dr A:

"Can you please provide us with copies of the claimant's medical records relevant to this claim. This includes all records relating to the medical conditions and associated symptoms which are the subject of this claim."

It was clear from the insurance company’s request for medical records that it sought medical records relevant to the claim only and therefore the consent was limited to relevant information.

The Office of the Data Protection Commissioner made a decision that, in responding to the request, Dr A had disclosed certain medical records of the complainant without her consent to the insurance company, which was in breach of data protection legislation.

NOTE: This case study does not form part of the Guide to Ethics and Professionalism for Registered Medical Practitioners, nor does it constitute clinical or legal advice. It is intended as a helpful illustration of a potential scenario.

What guidance does the Medical Council provide to doctors that could help Dr A in this situation?

Due to the nature of their work, medical practitioners are subject to data protection legislation. If we consult the Ethical Guide, we can find guidance on confidentiality, medical records and disclosure, which Dr A should have followed.

With regard to medical records, paragraph 33 of the Guide to Professional Conduct and Ethics for Registered Medical Practitioners (8th edition) states:

33.4 You must comply with data protection and other legislation relating to storage, disposal and access to records. You should understand the eight rules of data protection.

The eight rules of data protection are:
1. Obtain and process information fairly
2. Keep it only for one or more specified, explicit and lawful purposes
3. Use and disclose it only in ways compatible with these purposes
4. Keep it safe and secure
5. Keep it accurate, complete and up-to-date
6. Ensure that it is adequate, relevant and not excessive
7. Retain it for no longer than is necessary for the purpose or purposes
8. Give a copy of his/her personal data to an individual, on request

Source: accessed 22/01/2016

With regard to confidentiality, paragraph 29 of the Guide states:

29.2 You should protect your patients’ privacy by keeping records and other information about patients securely. You should guard against accidental disclosures.

What should Dr A have done in this situation?
Dr A should only have provided the insurance company with medical records relating to Mrs M’s knee injury. He should not have provided any information unrelated to the knee injury.

What if an Insurer requests all medical files, with consent from the patient?
Insurers request medical information directly from medical practitioners as part of their claims processing procedures. Requests by insurers to medical practitioners for full medical files, even with the consent of the individual, would not generally be acceptable.
Under the Data Protection Acts, explicit consent from an individual for the release of information permits that individual's GP to consider releasing the requested information, provided that the disclosure is not excessive.

  • The disclosure should not be based on ALL medical records.
  • The disclosure should not be in the form of a Medical Report.

Insurance companies have agreed a Code of Practice with the Data Protection Commissioner’s Office. This Code can be found here:

Further resources:
Data Protection Acts 1988 and 2003:

For more information on Data Protection legislation and case studies, please visit:

The ICGP have a very useful Guide to Data Protection Legislation for Irish General Practice:


The Medical Council would like to thank the Office of the Data Protection Commissioner for providing this case study.