Out-Law / Your Daily Need-To-Know

Uncertainty over medical information processing rules is hurting the UK financial services industry

Out-Law Analysis | 27 Jul 2012 | 8:00 am | 2 min. read

OPINION: Four years ago, Out-Law.com commented on the British Medical Association's ethics guidance to medical practitioners regarding permitting insurers' access to medical reports. 

The BMA had, at the time, advised medical practitioners not to grant access to medical reports unless the medical practitioner was satisfied that the requesting insurer had 'robust mechanisms' for verifying that the person the subject of the report had consented to the request, and had proof that the consent provided had not been altered in any way.

Much has changed since 2008 and straight-through-processing (STP) is now much more commonplace throughout the financial services sector.

What is the BMA's advice to medical practitioners today? Unfortunately, nothing has changed.

The BMA advice imposes a burden on medical practitioners which cannot practically be met. Does the BMA really expect a medical practitioner to test an insurer's business processes and IT systems for 'robustness' or engage a consultant to do so? Presumably, without further guidance, no one can be satisfied that anything less will suffice. And by what standards must this assessment take place? No clarification has been given. Medical practitioners have neither the resources nor the time to satisfy themselves that insurers have robust mechanisms to verify medical report consents.

The impracticality of requiring David the medical practitioner to approach Goliath the insurance company, and review its information flow process designs and IT systems for compliance with BMA ethics advice, means that in reality, medical practitioners will avoid responding to requests unless handed an original document containing a wet (pen and paper) signature. Medical practitioners, conscious of their patient confidentiality obligations, are not likely to take risks in meeting their ethical obligations.

It is understandable that the BMA has taken a risk averse position and not updated its advice. Access rights to personal information are restricted by both general data protection laws, and specific medical and health information laws. Generally, these laws require a consent to access a medical report to be in writing.

Since the introduction of the EU Electronic Signatures Directive, in principle, a legal requirement that a document or signature be 'in writing' no longer necessarily needs to be read as 'through the use of pen and paper'. However, rather than clarify that the estimated 40,000 references in UK legislation to 'in writing' now mean 'pen and paper or an equally or more secure electronic means of identification and authentication (unless otherwise specified)', the UK has chosen a different approach.

 By way of statutory order the UK Government is clarifying one by one, every instance in which a reference to 'in writing' may be taken to include writing by secure electronic means. To date, the Government has not seen fit to update its medical and health report access laws. This means that uncertainty still remains and the BMA advice only reflects that uncertainty.    

The bottom line is that legal uncertainty surrounding the validity of e-documents and e-signatures coupled with the BMA advice is hurting the financial services industry.

The European Commission has adopted a proposal for a Regulation on electronic identification and trusted services for electronic transactions in the internal market. It has noted that establishing a clear legal framework for "secure and seamless electronic interactions" is a key driver for economic development within the internal market. There is no reason though, why the UK Parliament should wait to remedy the adverse consequences which these uncertainties impose on the insurance industry until after the EU regulation takes effect.

The Government should act now and enable insurers to implement STP of medical reports in full knowledge that they can inform medical practitioners with certainty of the legal validity of such processing arrangements. As for the BMA advice, Michael Roe, Development & Standards Manager, at Origo, the e-Commerce standards and services body for the UK financial services industry, has noted that "the requirement for 'wet signatures' had been a long-standing barrier to industry initiatives to develop electronic GP reports. Origo would welcome any progress with the BMA that would facilitate straight-through-processing."

No doubt the industry as a whole would welcome progress as well.

John Salmon is the Sector Head, Financial Services at Pinsent Masons, the law firm behind Out-Law.com and Luke Scanlon is a technology law expert at Pinsent Masons.