The law of 4 March 2002 relating to patients’ rights and the quality of the health system established as a principle the right for patients to access to all health information relating to them. With the entry into force of the General Data Protection Regulation, patients’ rights have been strengthened.
Who can request access to their medical records?
Access to his medical record may be requested by the following persons:
– The patient himself/herself. If s/he is minor, the request must come from the holders of parental authority. However, the minor patient may object to a doctor disclosing his or her health data.
Therefore, when the request concerns a minor, the doctor must endeavour to obtain the minor’s consent to the disclosure of his or her health data. In the event that the minor refuses to provide the information, the health professional or health-care establishment may not grant the request of the holders of parental authority.
– the patient’s beneficiary in the event of death, insofar as the personal data requested are necessary to know the causes of death, to defend the memory of a deceased person or to assert his/her rights.
The health professional or health-care establishment must verify whether the deceased had expressed any contrary wishes.
– The tutor
– The doctor designated as an intermediary.
When psychiatric care has been provided without consent by decision of the prefect, or at the request of a third party, the person holding the information may request that a doctor be appointed as an intermediary. If the requester refuses this designation, the holder of the information shall refer the matter to the Departmental Committee on Psychiatric Hospitalisation. This commission will take a decision, which will be binding on both parties.
How to request access to one’s medical record and how should it be communicated?
The patient can submit a request to a health professional or the person in charge of the institution or to any person designated for this purpose.
Access to one’s medical record can be allowed on site, with the possibility of obtaining a copy of it. The medical record may also be sent by post by registered letter with acknowledgement of receipt.
The GDPR requires that the exercise of this right be free of charge. Fees may however be charged to cover the cost of sending the mail and the cost of reproduction generated by the request. Such must of course remain reasonable.
In order to not disclose sensitive information to the wrong person, the health professional or health-care establishment must verify the identity of the requester and/or recipient, or control the quality of the doctor designated as an intermediary.
The health professional or health-care establishment must provide the medical record as soon as possible, and in any event within 48 hours, after having observed a reflection period, and no later than 8 days following the request. If the requested information is more than 5 years old, or when the matter is referred to the Departmental Psychiatric Care Commission, the deadline is extended to 2 months.
What information can be communicated to the applicant?
All the following data can be communicated to the patient:
– data that are formalized and have contributed to the development and monitoring of diagnosis and treatment or preventive action;
– data that are the subject of written exchanges between health professionals: results of examinations, reports of consultations, interventions, exploration, or hospitalization, therapeutic protocols and prescriptions implemented, monitoring sheets, correspondence between health professionals.
However, information mentioning a third party who is not involved in therapeutic care or information concerning such a third party cannot be mentioned or must be obscured, so that it is impossible to know the identity of this third party.
What if the patient only exercises his or her right of access within the meaning of the GDPR to a health-care establishment and/or a health professional?
If a patient presents himself to the secretariat of a health-care establishment and wishes to exercise his/her right of access, what personal data can the latter have access to?
Indeed, the question will then arise as to whether the health-care establishment, as the person in charge of treatment, must send him or her his or her medical file but also all the other personal data concerning him or her, such as appointments, hospital stays, meals taken during hospitalisation, the names of the doctors consulted, invoices issued following the various procedures, bank details, contact details of the person concerned, and many others.
Thus, each health professional must reflect on this situation: if a patient does not specify the right he wishes to exercise, should he be given access only to his medical file or to all the data hold about them?
Indeed, the boundary between the right of access to one’s medical record and the right of access enshrined by GDPR is not defined. It therefore appears necessary, in particular in order not to be punished for failure to respond to a request for a right of access (Article R. 625-11 of the Criminal Code), that the health professional should endeavour to obtain from his patient the necessary details that will enable him to respond effectively to the latter’s request – and in accordance with the applicable regulation.