GPs reporting extra costs and workload under new GDPR rulesIvy Madziva
Over half of GP practices have seen an increase in subject access requests (SARs) since the GDPR was introduced – and many are spending over seven hours a week dealing with them.
Practices have to check records for any third party information (Photo: iStock.com/Sturti)
Under the new EU-wide regulations, practices are no longer able to charge for SARs which means they are facing a significant increase in costs as well as workload.
One GP respondent said: ‘A solicitor would charge £200 per hour yet we have to do it for nothing. It is scandalous!’
The GPC said it would be pushing for additional funding in contract negotiations to cover the costs practices are incurring because of the GDPR.
SARs cover requests for access to records by patients, or by third parties who have been authorised to have access by the patient, for example solicitors. Before the new regulations came into effect the BMA recommended that practices could charge up to £50 for providing a hard copy of records to patients, or up to £10 for computerised records. Some practices would charge more than this for solicitor requests.
Subject access requests
Producing the information required by a SAR can involve significant work for practices because they need to check each record to ensure they are not unwittingly providing details about any third parties.
On average, respondents to the GPonline/Medeconomics survey said their practice received seven SARs a week – although some received many more than this. The majority (62%) said it took them longer than 30 minutes to process a single subject access request, with 18% saying it took longer than an hour. Only 8% said it took less than 15 minutes to process SARs, while 30% said it took between 15 and 30 minutes.
The results suggest that some practices are spending at least seven hours of a staff member’s time a week processing SARs – for which they receive no funding. Practices also incur costs related to photocopying, printing and postage if the patient requests a hard copy of their record.
Guidance for GPs on the GDPR published by NHS Digital’s Information Governance Alliance earlier this year said that the changed process on subject access requests would ‘not be a burden on the practice’ if they provided patients with online access to records. However, even in these scenarios someone in the practice would need to check a patient’s record to ensure that third party information is redacted before making it available online.
GPs responding to the poll said that the increase in workload was taking time away from patient care and that practices should be paid for the work involved.
‘It is a huge workload checking for third party information, particularly for patients with a lot of notes,’ one GP said.
‘The GDPR is actively costing us money as we pay for all the paper, toner, postage as well as staff time,’ another said.
‘We should be paid for the work involved in providing copies of records. It can take a considerable time for which we have to pay our staff,’ said another.
‘The charges before the GDPR didn’t cover the costs, so now that it has to be provided free of charge it is a huge drain on resources,’ one GP said.
GPC chair Dr Richard Vautrey said: ‘We know from our own members that they are concerned about the increase in SARs since the GDPR legislation came in, and the knock-on effect on both workload and practice finances.
‘The BMA has produced guidance for GPs and their teams on this issue and will be pushing for additional funding to help cover the cost of any increase in negotiations.’
A motion for debate at Scotland’s LMCs conference, which takes place this Friday, is also calling on the Scottish GPC to negotiate extra funding to cover the cost of the work involved in responding to patient SARs.
Creative Commons Disclosure
About the Mandatory Training Group
The Mandatory Training Group is the leading UK provider of accredited healthcare and social care statutory and mandatory training courses, programs and qualifications.
Click on the links below to find out more about our GDPR in health and social care training courses
- Accredited information and governance training courses.
- Accredited IT and technology training courses.
- Accredited health and social care training courses.
- Accredited public health training courses.
Contact our Support Team on 02476100090 or via Email for more courses relating to the Care Quality Commission (CQC) and other regulatory compliance requirements.