You can find Confidentiality: good practice in handling patient information, and the rest of our guidance online.
The term ‘patient’ in this guidance refers to employees, clients, claimants, athletes and anyone else whose personal information you hold or have access to, whether or not you care for them in a traditional therapeutic relationship.
Doctors might provide their services to professional sports clubs (where the dual obligation is to both the patient and the club, which is very similar to the dual obligation of an occupational health doctor) or to associations (where the dual obligation is both to the patient and to a governing body or team of selectors).
Disclosure of the whole record may breach the principles of the data protection law, as the full record may contain information that is excessive and not relevant for the purpose. The Information Commissioner’s Office (ICO) has advised that it is not appropriate for insurance companies to obtain medical records using patients’ subject access requests. The Access to Medical Reports Act 1988 gives insurance companies a clear and established legal route to access medical information, while safeguarding patients’ rights.
The Department for Work and Pensions publishes advice about reports for benefits purposes.
The Law Society and the British Medical Association jointly publish model consent forms authorising the release of health records to solicitors under the data protection law. The forms include notes for clients, solicitors and medical records controllers.
Under the Access to Medical Reports Act 1988, patients are entitled to see a report that has been written about them for employment or insurance purposes by a doctor who is or has been responsible for the clinical care of the individual before it is sent, unless exceptions apply. Patients have the right to ask the doctor to amend any part of the report that the patient considers to be incorrect or misleading, and to attach their disagreement to the report, or to withdraw their consent for the release of the information. These provisions do not apply to reports for benefits purposes. If the patient has no legal right to see the report before it is sent, you should follow the guidance in paragraph 115(d) of Confidentiality, which is reproduced at the start of this explanatory guidance. If any of the exceptions set out in paragraph 115(d) apply, you should still disclose as much of the report as you can.
The Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 2013 and the Reporting of Injuries, Diseases and Dangerous Occurrences Regulations (Northern Ireland) 1997 place duties on employers, the self-employed and people in control of work premises to report certain serious workplace accidents, occupational diseases and specified dangerous occurrences (near misses). You can find out more about these regulations on the website of the Health and Safety Executive (HSE) for England, Wales and Scotland and the website of the Health and Safety Executive for Northern Ireland (HSENI).