Author: Prof. Edward S. Dove, School of Law and Criminology & ALL Institute member, Maynooth University
In nearly every interaction we have with a health practitioner – be it a GP, nurse, dentist, surgeon, therapist, and so on – a record of our interaction is documented by the practitioner. Over the course of our lifetime, a significant trail of health-related information about us is generated. The record may be paper-based or digital, and it may be combined with other kinds of information to build a detailed, sensitive portrait of our state of health and overall wellbeing. This collection of information is known as a health record or medical record. These records can include case notes, test results, reports, video and audio recordings, and data generated by systems or applications. While the health practitioner (or the health service provider that employs them) is the primary ‘author’ and ‘owner’ of these records, fundamentally they are about us as patients. And because they are about us, we have a right to access them.
Our reasons for wanting to access our health records can vary. Perhaps we want to better understand what information the health service (such as the HSE), an app provider, or some other entity collects and uses about us. Perhaps we want to validate the accuracy of the information in the record. Perhaps we need them for various financial, employment, or social-related purposes. Regardless of the underlying reason for seeking access, the right of access is one that all adults with capacity possess. Under the EU’s General Data Protection Regulation (GDPR), each of us has a right to obtain from a ‘data controller’ confirmation as to whether or not data concerning us are being processed, and, where that is the case, access to the data.
Yet, this right is a qualified right, as seen in the two primary pieces of legislation governing access in Ireland (as well as in the EU’s recent European Health Data Space Regulation).
The Freedom of Information Act 2014 (the 2014 Act) enables a person to access their health records held by public bodies. Public bodies would include the HSE, voluntary hospitals, some health agencies, and some GP records. Yet, where an access request relates to a record of a medical or psychiatric nature relating to the patient concerned, and, in the opinion of the public body concerned, disclosure might be ‘prejudicial’ to the patient’s ‘physical or mental health, well-being or emotional condition’, access can be restricted. Where the public body refuses to grant access to a health record on such grounds, if the patient so requests, the body must offer access to the record concerned, and keep it available for that purpose, to a health practitioner having expertise in relation to the subject-matter of the record as the patient may specify (e.g. their GP). Moreover, if the patient requests this, the public body must offer access to the record to the health practitioner and keep it available for that purpose. In this way, a patient may be able to have, at best, indirect access to information about their medical or psychiatric health.
Health records held by private hospitals or clinics, or by GP operating on a private basis, may be requested via data protection legislation. But the Data Protection Act 2018 (Access Modification) (Health) Regulations 2022 also restrict access to one’s health records. The Regulations permit a data controller to deny a patient access to their health record where they have ‘reasonable grounds for believing that granting access to the data subject to the health data concerned would be likely to cause serious harm to the physical or mental health of the data subject’. Where these reasonable grounds apply, the data controller must advise the patient that, if they so request, the controller will offer access to the data concerned, and keep it available for that purpose, to a health practitioner having experience and qualifications in the subject matter of the data as the patient may specify, and offer access to the data concerned to such health practitioner and keep it available for that purpose. Thus, here, too, an indirect pathway to access is offered.
Naturally, a question arises: is it right to restrict access to one’s health records?
We might question the evidentiary basis upon which a health practitioner considers there be a ‘reasonable ground’ that providing access would be likely to cause serious harm to their physical or mental health. We might question whether this ‘access modification’ may be misused by practitioners on dubious paternalistic grounds, such as an assumption that the patient simply cannot handle the truth about their health. And we might question whether certain groups of patients are particularly discriminated against in seeking access to their health records.
In light of modern patient-centred health practice – which must respect the patient’s right of autonomy, itself an unenumerated right under the Irish Constitution – and the increasing digitalisation of records, it may be seen as increasingly problematic for the law to deny or severely restrict a patient’s request to see their own health record, even with the kind of ‘supported’ access pathway outlined in the 2014 Act and 2022 Regulations. Undoubtedly, some would argue that, much like the therapeutic exception (or privilege) in medical practice, there will always be legitimate grounds to restrict access to some degree to protect the interests of certain patients, including their autonomy interests. Others, however, would counter that such restrictions reflect an anachronistic, autonomy-depriving holdover from a previous ‘doctor knows best’ era that can imperil the mutual trust, reciprocity, and transparency necessary for the health practitioner–patient relationship to flourish.
In my view, the time is ripe for a debate in Ireland on whether to eliminate or further limit these access restrictions, and to think through more systemically and ethically how access to one’s health records can be facilitated in a patient-centred, autonomy-promoting manner.
