BMA Prepares Cost Estimate of GDPR-Compliant Requests for Patient Medical Records

GP surgeries are contacted by solicitors for patient medical records, usually in the course of bringing personal injury claims. This can cost surgeries up to £100 for a single patient with a complex medical history, potentially thousands of pages long.

After the General Data Protection Regulation (GDPR) came into force in May, patient records have been retrievable as subject access requests (SAR). Medical professionals can no longer charge £50 per patient for information, as the Access to Medical Records Act 1988 no longer applies. On the British Medical Association (BMA) website, it notifies members that:

‘The GDPR entitles individuals to obtain a copy of their personal data. If the request from the solicitor is for a copy of the patient’s medical record, or a copy of some elements of the medical record, it is a SAR’.[i]

However, Clive Elliott, business partner at Court Street Medical Practice, has labelled this issue a ‘national scandal’, while also criticising solicitors for making ‘inappropriate’ requests, such as refusing to pay for secure postage or refusing to pick up records in person:

‘The NHS is bearing these costs and in principle that is wrong’.[ii]

Mr Elliott predicts that SARs cost the NHS in England and Wales around £85 million per year at the primary care level alone. The cost burden faced by hospitals and other NHS bodies is assumed to be in the ‘hundreds of millions’.[iii]

The BMA is in the process of surveying its members to gauge the scale of the problem, before presenting its findings to the Government.

In a written question in Parliament last week, the Government was questioned over action taken to ensure that solicitors, requesting medical reports on behalf of insurance companies, do so under the 1988 Act, rather than the GDPR.

In response, Digital Policy Minister, Margot James MP, stated:

‘If a solicitor is acting on behalf of an insurer and is seeking health information about a prospective customer, these are not subject access requests under the GDPR. Such requests should be made under the [Act] and standard charges apply. The Information Commissioner’s Office (ICO) is responsible for regulating compliance with data protection legislation and may consider taking action against insurance companies which fail to comply with the relevant legislation’.

Ms. James was not asked if her response would be the same for solicitors acting for claimants.


[i] ‘General data protection regulation (GDPR)’ (5 September 2018 BMA) <> accessed 19 September 2018. 

[ii] John Hyde, ‘Solicitors' patient data demands anger GPs’ (17 September 2018 Law Gazette) <> accessed 19 September 2018.

[iii] Neil Rose, ‘Confusion as solicitors make medical record requests for clients under GDPR’ (17 September 2018 Legal Futures) <> accessed 19 September 2018.