Medical Records Request (Ireland)

A Medical Records Request in Ireland puts facts on the record under a formal declaration so they can be relied on by a court, registrar, or third party, as regulated by the Data Protection Act 2018.

Medical records are among the most sensitive categories of personal data recognised by Irish and EU law. Health data is classified as a special category of personal data under Article 9 of the GDPR, attracting the highest level of data protection. This category includes information about a person's physical or mental health, medical diagnoses, treatment history, prescription records, hospital discharge summaries, GP consultation notes, laboratory results, radiology reports, and any other information relating to the past, present, or future physical or mental health of an individual.

In Ireland, the right to access health data is exercised primarily through the GDPR framework, implemented in Irish law by the Data Protection Act 2018 (No. 7 of 2018). The Data Protection Commission (DPC) is the independent supervisory authority established under the 2018 Act to oversee compliance with data protection law in Ireland. The DPC has published detailed guidance confirming that individuals have a legal right to access their health records held by all types of healthcare providers, including GPs, public and private hospitals, the HSE, pharmacies, and specialist clinics.

For records held by public bodies such as the HSE and public hospitals, the Freedom of Information Act 2014 provides a parallel access route. The FOI Act entitles any person to access records held by public bodies, subject to certain exemptions, and the HSE has an established FOI process. In practice, individuals may use either the GDPR SAR route or the FOI route to access HSE health records, depending on which is more appropriate to their circumstances.

The Data Protection Act 2018 (Access Modification) (Health) Regulations 2022 (S.I. No. 477 of 2022) provide that a healthcare provider may, in limited circumstances, restrict access to health data where a relevant health professional believes that disclosure would be likely to cause serious harm to the patient's physical or mental health. This is a narrow exception and the general right of access remains strong and enforceable under Irish law.

An Irish Medical Records Request is needed whenever an individual wishes to obtain a copy of their personal health records held by any Irish healthcare provider or health data controller.

Common reasons for requesting medical records in Ireland include: reviewing your own treatment history or medical history for personal information or peace of mind; obtaining records to support an application for life insurance, income protection insurance, or travel insurance, where the insurer requires a medical history; accessing records in preparation for a personal injury or medical negligence claim, where your solicitor requires your medical history to assess liability and quantum; obtaining records to bring to a new GP, specialist, or healthcare provider in Ireland or abroad; accessing records to support a disability benefit claim, an application for the Disability Allowance, or a Medical Card application; requesting records as part of a complaint to the Health Information and Quality Authority (HIQA), the Medical Council, the Nursing and Midwifery Board of Ireland, or the HSE's Patient Advocacy Service; accessing the records of a deceased family member (where you have the legal entitlement to do so, for example as executor of an estate or as next of kin in limited circumstances); or requesting records held about a child where you are the child's parent or guardian.

In the context of medical negligence proceedings, access to medical records is a critical step. Irish solicitors routinely advise clients who have suffered an adverse outcome during medical treatment to make a SAR at the earliest opportunity, as the records will form the basis of any expert assessment of liability. The Statute of Limitations (Amendment) Act 1991 and the Civil Liability and Courts Act 2004 govern time limits for personal injury and medical negligence claims in Ireland, making early access to records essential.

A medical records request is also commonly required when a patient is transferring between GPs or moving abroad, or when a person has lost access to their original records and requires a replacement copy for administrative or legal purposes.

A thorough Irish Medical Records Request letter should include the following essential elements to confirm it is valid, effective, and processed promptly by the data controller.

Identification of the requester: the full legal name of the data subject (the person whose records are being sought), date of birth, PPS number (to verify identity), current address, phone number, and email address. Where the request is made by an authorised representative (such as a solicitor, family member, or carer), the representative's details and the basis of their authority (power of attorney, court order, or written consent of the data subject) must be included.

Identification of the data controller: the full name and address of the healthcare provider, hospital, GP practice, or HSE office to which the request is directed, and the name of the DPO or data protection contact where known.

Scope of the request: a clear description of the records being sought, including the relevant date range, the type of records (for example, GP consultation notes, hospital discharge summaries, laboratory results, prescription records, radiology reports), and the specific medical conditions or treatments to which the request relates. A broadly worded request for all personal data held is valid but may result in a large volume of information; a more targeted request will typically receive a faster response.

Proof of identity: confirmation that the requester is prepared to provide proof of identity (for example, a copy of a passport or driving licence) if requested by the data controller, to confirm the identity of the data subject and protect the security of health data.

Delivery format: specification of whether the records are required in electronic format (PDF), in hard copy, or in a specific structured format.

Legal basis: reference to Article 15 of the GDPR (Regulation (EU) 2016/679) and the Data Protection Acts 1988 to 2018 as the legal basis for the request, and confirmation that the requester is aware of the one-month response deadline.

Date of request: clearly stated, to establish the start of the one-month response period under Article 12(3) of the GDPR.

Signature of the requester or their authorised representative. The forms-legal.com Medical Records Request (Ireland) template covers the mandatory elements under Sale of Goods and Supply of Services Act 1980.

Additional compliance elements for a Medical Records Request (Ireland) used in Ireland include: Data Protection — the Data Protection Act 2018 and GDPR Article 6 require a lawful basis for processing personal data; Governing Law — specify Irish law and the jurisdiction of Irish courts; Dispute Resolution — parties may refer disputes to the Workplace Relations Commission (WRC) for employment matters or initiate proceedings in the Circuit Court or High Court of Ireland for civil claims. Under Irish law, the Data Protection Act 2018 and GDPR Article 6 govern personal data in this document. The Consumer Rights Act 2022 protects individuals in consumer transactions. Section 67 of the Land and Conveyancing Law Reform Act 2009 applies to personal property matters. The Circuit Court and District Court have jurisdiction over personal disputes under the Courts (Supplemental Provisions) Act 1961. The Commissioners of Irish Lights and Revenue Commissioners may have compliance roles depending on the transaction type. Revenue Commissioners require appropriate tax treatment of payments made under the agreement, including VAT under the Value-Added Tax Consolidation Act 2010 where applicable.