Contrary to popular belief, the Access to Medical Reports Act 1988 (“AMRA”) does not always apply when medical reports are sought.
As the application of AMRA can be quite restrictive for an employer it is worth knowing when you can safely disregard AMRA. In addition, whether or not AMRA is in play, employers also need to consider issues of Doctor/patient confidentiality, Data Protection and Disability Discrimination when considering what steps to take when requesting medical information about an employee. We summarise some of the key points to consider.
Which reports are covered by AMRA?
A report will be covered by AMRA if it is a report about an individual’s health AND it has been prepared by a medical practitioner who is or has been “responsible for the clinical care of the employee”.
Clinical care covers Examination, Investigation or Diagnosis in connection with, any form of medical treatment. This definition will therefore almost always cover reports by an employee’s GP or consultant.
Who is not covered?
A one-off medical report prepared by an occupational health physician or independent specialist will not, in most cases, be covered, because that person will not be responsible for the employee’s clinical care.
However, if the doctor has treated the employee previously for any reason, even in relation to a different illness, they may then fall within the ambit of AMRA. Therefore, if an employee sees the same OH doctor on more than one occasion, you will need to consider whether the requirements of AMRA have been triggered (the doctor should be able to assist with this decision).
In addition, it is often the case that a company doctor needs to obtain background information from a GP/consultant. Whether or not AMRA will apply to that background information depends on what is actually requested. Where the doctor is only seeking copies of existing medical records, AMRA will not apply. However, if a report is requested from the GP or Consultant by the Company Doctor, it will.
If AMRA applies, what do I need to do?
Broadly, if AMRA applies, you are obliged to notify the employee in writing that you intend to make the application, and inform the employee of his/her rights under AMRA. The employee must also be asked to provide their explicit consent to the application being made.
The employee has the right to either consent to the application or not, and can ask to see the report before it is sent to you. If the employee asks to see the report, he/she is entitled to refuse to allow it to then be passed on to you – which can be very frustrating where you have paid for the report to be prepared.
If AMRA does not apply, what else do I need to think about?
All doctors have a duty of confidentiality to patients, even in situations where AMRA does not apply. Doctors are advised by their regulatory bodies to be prepared to discuss reports with patients, and disclose a report to a patient even if this is not strictly necessary in law.
If the employee has provided consent up front, both to the consultation and the preparation of the report, this should allow the doctor to provide it to you. However, if an employee changes their mind and is determined to prevent you seeing the report, the doctor may decide that their duty of confidentiality overrides that of the contractual retainer with you, and withhold the report.
On top of everything else, health information is a “special category of data” under GDPR, and so thought needs to be given as to whether it can lawfully be processed.
Many employees believe that their consent is required under GDPR in order for an employer to provide information to the company doctor, and for the company doctor to provide the report to the employer. This is not the case. While express consent is useful, if an employee does not provide their consent, all is not lost.
In order to ensure you do not fall foul of GDPR when requesting a medical report, it is recommended that you:
- Ensure that your employee privacy notice covers the processing of information for medical reports (i.e. it states that personal data may be passed to third party medical advisors);
- Ensure that you have identified and recorded the purpose of obtaining the report, which is likely to be one of the following:
- preventing a significant risk to the health and safety of the employee, or others;
- determining the employee’s fitness for carrying out his or her job;
- determining whether the employee is fit to return to work after a period of sickness absence, or when this might be the case;
- determining the employee’s entitlement to health-related benefits, e.g. sick pay;
- preventing discrimination against the employee on the grounds of disability; or
- assessing the need to make reasonable adjustments to the working environment.
- Ensure that the employee privacy notice and data register state that consent is not the legal basis for processing data for the purposes of obtaining a medical report. You would normally rely on the legal basis that the processing is necessary for the employer’s legitimate interests, for example in managing sickness absence; or that it is necessary for compliance with a legal obligation, such as the duty to make reasonable adjustments.
- As health information is a special category of data, you will also need to identify a relevant condition allowing the processing of the data. Depending on the specified purpose of the report this is likely to be one of the following:
- for the purposes of preventive or occupational medicine, the assessment of the working capacity of the employee and/or for the purposes of medical diagnosis; or
- for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the employer in connection with employment, (e.g. health and safety obligations and the obligation to make reasonable adjustments); and/or
- for the establishment, exercise or defence of legal claims.
- In the letter to the employee informing them that you are seeking a medical report, set out fully:
- the purpose of obtaining the report
- the legal basis
- the special condition on which you are relying in order to process the data
- the information you are anticipating being processed (e.g. what you are going to tell the doctor and what you expect him/her to tell you).
- Ensure that you only pass on and request information which is necessary for the purpose of the report. Don’t be tempted, for example, to launch into an explanation of the employee’s full employment history if it is not relevant to the medical questions being asked.
- Remember that the employee can always request to see a copy of the report, and supporting information, by way of a subject access request, and the information will all be disclosable in any tribunal proceedings. Ensure nothing is said which you would not want them to see!
- Ensure that the report, once received, is stored securely, kept confidential, and destroyed in accordance with your data retention policy.
In many cases where a report is sought, the employee is, or may be, disabled. This means that you need to tread carefully to ensure that nothing is said or done which could be discriminatory. In particular, it is important to ensure that the triggers for obtaining medical reports are consistent (such as a set number of days’ absence). If you divert from this, you should be able to justify why.
In addition, remember that it is not actually up to a doctor to determine whether an employee is “disabled” for the purposes of the disability discrimination legislation (it is a legal question, not a medical one), and it is often safer not to ask the question directly. The preferable approach is to ask questions to see whether the employee satisfies the legal definition for disability, for example:
- does the employee have a physical or mental impairment?
- does that impairment have an adverse effect on their ability to carry out day-to-day activities?
- is that effect substantial?
- is that effect long-term? How long?
It is also always worth asking about whether there are any reasonable adjustments which can be made to support the employee (whether or not they are disabled).
Trust and confidence
Finally, as with everything else you do as an employer, bear in mind the implied duty of trust and confidence when obtaining a medical report and make sure that you act reasonably.
Employees who are unwell may be particularly sensitive about communications from the workplace and it is always worth reflecting how correspondence would appear when viewed by a judge considering a claim many months down the line.
If you have any queries on any matters raised in this article, please do get in touch.