Thursday, April 20, 2006

Consent and confidentiality of patient records

An emergency resolution has been submitted by Dame June Clark for discussion at next week's Royal College of Nursing Congress, which says:

That this meeting of the RCN Congress, noting the Department of Health’s imminent intention to transfer information from the patient records held in general practices to the national NHS database, requests Council to obtain an immediate guarantee from the Department of Health that no patient records will be transferred without the patient’s explicit consent and the safeguards promised by Ministers in the “Care Records Guarantee”.


The security and confidentiality of information about patients has long been an issue and is included in “Codes of Conduct” for all professional groups who can see, change or otherwise interact with patient records, and has been addressed in legislation such as the Access to Health Records Act 1990. I’m sure that the Data Protection Act 1998 and Human Rights Act 1998 are also relevant.

It is a complex area and differentiation should be made between identifiable patient records and aggregated and truly anonymised data.

NHS and Social Care Act 2001

When the NHS and Social Care Act was a white paper there was a lot of discussion (with Fleur Fisher of the BMA as a high-profile participant) of the rule introduced as section 60: that identifiable patient records could be shared, without the patient's knowledge or that of their GP, if it was “in the public interest”. The definition of 'public interest' seems to be drawn very broadly.

One of the safeguards which underpinned this legislation was the requirement that proposals be considered by an Advisory Group, and that the Secretary of State publish each year a list of the proposals accepted. However, it may be possible for the Secretary of State to override the Advisory Group's recommendations. It is also difficult to find out information about the composition and work of this group. One of the key things about the H&SC Act is that it assumes that without personally identifiable data it wouldn't be possible to build up a record for an individual over time. In fact this is possible with full anonymisation of records.

Share with Care

In 2002 the NHS Information Authority (NHSIA) in conjunction with The Consumers’ Association and Health Which undertook some research/market research to gauge the feelings of the general public about the sharing of their health records, which was published as Share with Care. They suggested that in most cases people were happy for their information to be shared by health professionals but not managers, researchers etc. Some information was seen as being particularly sensitive and the concept of the sealed envelope was proposed to provide a higher level of protection for this sort of information.

This work was criticised by the Foundation for Information Policy Research as not being a balanced discussion of the issues but rather a report on focus group discussions. They also suggested “that the participants were not properly briefed on patterns of information use within the NHS, and that the many administrative uses of identifiable personal information that were documented in the Caldicott Report were glossed over, and the emphasis is placed on more acceptable uses such as treatment and public health. Even so, 53% of those consulted did not want hospital managers to have access to any clinical information in their records, and only 22% were prepared for hospital managers to have access to full records (graph, page 24). It is curious that this graph has no explicit key; the meanings of the different coloured bars have to be inferred from the text, which goes out of its way to place a positive spin on the views expressed. It is also curious that the focus group participants were not polled on whether ministers or civil servants at the Department of Health should have access to their records. It is quite predictable from studies such as Hassey and Wells [1] [2] that the answer would have been no. The report text at page 15 does however mention that `a general rule evolved that any information released outside of NHS treatment areas should be anonymised, or patient permission sought'. The presentation of the report, however, turns this suspicion against receptionists rather than tackling the issue of whether patients trust the Secretary of State with their medical records.”

NHS Care Records Guarantee (May 2005)

The NHS Care Records Guarantee was issued in May 2005 (Press Release). This stated that patients have the right “to confidentiality under the Data Protection Act 1998, the Human Rights Act 1998 and the common law duty of confidence”.

The ‘sealed envelope’ is a concept developed during public consultation to represent the security that will surround parts of a shared electronic record to which a patient wishes to restrict access.

There still doesn’t seem to be clarity about where the sealed envelope will be held. Will this be on the National Spine? Will there be one per local health record? If on the national spine, then it seems likely that access will be outside the control of either the patient or care professional involved in its collection. The only protection would be that given by the legitimate relationship / Role Based Access mechanism. The same may well apply to the local record, where the record is on a Local Service Provider (LSP) server. If it is on a supplier server, then access requests (generally) go through the care professional involved, so the situation is the same as the record being held by the provider by whom it was created.

A wish may be expressed, for example, that sensitive personal information can be accessed by a patient’s GP but not shared with other members of the health team. Anyone who breaks into a seal would trigger an alert and be required to account for their actions.
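To make the behaviour described above concrete, here is an added sketch (not Connecting for Health's design or code) of a sealed entry that a named GP can read, that other staff with a legitimate relationship can open only by giving a reason, and that raises an alert when the seal is broken. The class names, staff ids and outcome strings are assumptions made for this illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

@dataclass
class Entry:
    text: str
    sealed: bool = False
    allowed_staff: frozenset = frozenset()   # staff the patient has named

@dataclass
class Record:
    patient_id: str
    legitimate_relationships: set            # staff ids currently caring for the patient
    entries: list
    audit: list = field(default_factory=list)    # every attempt, granted or not
    alerts: list = field(default_factory=list)   # seal breaks awaiting review

def read_entry(record, idx, staff_id, break_seal_reason=None):
    """Return the entry text, or None if access is refused. Always audits."""
    entry = record.entries[idx]
    if staff_id not in record.legitimate_relationships:
        outcome = "denied:no-relationship"
    elif not entry.sealed or staff_id in entry.allowed_staff:
        outcome = "granted"
    elif break_seal_reason:
        # Seal broken: access is given, but the reader must account for it.
        outcome = "granted:seal-broken"
        record.alerts.append((staff_id, idx, break_seal_reason))
    else:
        outcome = "denied:sealed"
    record.audit.append((datetime.now(timezone.utc), staff_id, idx, outcome))
    return entry.text if outcome.startswith("granted") else None

def demo():
    """Constructed record: one open entry, one sealed to the GP only."""
    rec = Record("patient-1", {"gp-1", "nurse-1"}, [
        Entry("Blood pressure check"),
        Entry("Sensitive consultation note", sealed=True,
              allowed_staff=frozenset({"gp-1"})),
    ])
    results = [
        read_entry(rec, 1, "gp-1"),                          # named by patient
        read_entry(rec, 1, "nurse-1"),                       # sealed, no reason
        read_entry(rec, 1, "nurse-1", "emergency admission"),  # breaks the seal
        read_entry(rec, 0, "clerk-9"),                       # no relationship
    ]
    return rec, results

if __name__ == "__main__":
    rec, results = demo()
    print(results)
    print([a[3] for a in rec.audit], rec.alerts)
```

Note that the audit trail records the staff member's identity on every attempt, which is the same data that raises the staff-disclosure question discussed later in this post.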

Detailed plans of Connecting for Health for the Care Records Service are set out in a document dated 29th July 2005, including descriptions of the content of the “Detailed Care Record” and “Summary Care Record”. Section “2.5 People limiting their participation” of this document describes the plans for the “sealed envelope”.

According to EHealth Insider “At a briefing during the NHS Care Record Development Board (CRDB) (Nov 2005) it was confirmed that no sealed envelopes would be available for the very first release of the summary record due to be provided by the NCRS in the late summer of 2006”.

I believe this triggered Dr Paul Thornton to write his paper entitled "Why might National NHS Database proposals be unlawful?" in which he makes a strong case that the current plans "carry grave & imminent risks for both civil liberties and public health", and that "the legal justifications used to substantiate their proposals are untested in the courts and require independent judicial clarification".

He argues very convincingly that the NHS Care Records Guarantee doesn't provide sufficient safeguards. The acceptance of implied consent to the placing of patient records in a national database, rather than requiring individual and explicit patient opt-in to the sharing of their information is seen as contravening common law and both the Data Protection Act and Human Rights legislation. Implied consent might be acceptable if it was done to the standard documented by the previous Data Protection registrar. It appears that Connecting for Health (CfH) may not even be offering this standard. Beyond the initial summary upload from GP records, it is not clear at what stage patient control will be limited to sealing data, as opposed to blocking the recording of data on the national database.

The plans outlined by NHS Connecting for Health for a "sealed envelope" to hold sensitive information which the patient wishes to be restricted are now beginning to look less secure. The fact that the sealed envelope will not be available for the very first release of the NHS Care Record Service and upload of data to the national database is complicating matters!

I would hope that the arguments in the paper will apply to all interactions between patients and health professionals, not just the GP record. An added legal dimension exists for GPs: being self-employed, the GP is not only the professional but also the legal entity for the organisation and the “data controller” in terms of the DPA.

A meeting between the Human Genetics Commission and Department of Health on 6th December raised further issues, e.g. NHS Direct entering data (when the caller cannot be specifically identified). Mr Phil Walker, head of the National Programme's digital information policy team and Caldicott Guardian, explained “that several fields were currently automatically excluded from information sharing (mental health and GUM) and other fields might be added if the need was there”. However, if the last 5 prescriptions are included it would not be difficult to work out the patient's diagnosis, including mental health and GUM. In addition, stating that these are excluded from data sharing does not mean they are excluded from being recorded on the National Database. There is also an implicit assumption that information is “Read coded” fully and correctly. A patient seen in A&E might have records Read coded as “Abdo Pain” with the free text “Seen at GUM clinic last week and treated for Chlamydia”. This entry and the linked free text would not be excluded from information sharing automatically.
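The gap described above can be shown in a few lines. This is an added example, not code from any NHS system: it applies a code-based exclusion to a constructed record and then checks what the shared extract still reveals through free text and recent prescriptions. The codes and drug names are placeholders (not real Read codes or products), and the keyword lists are a deliberately small assumption.

```python
import re

EXCLUDED = {"mental_health", "gum"}   # categories said to be excluded from sharing

# Constructed lookup tables; codes and drug names are placeholders.
CODE_CATEGORY = {"X-ABDO-PAIN": "general", "X-DEPRESSION": "mental_health"}
DRUG_SUGGESTS = {"antidepressant-X": "mental_health", "antiretroviral-Y": "gum"}
TEXT_SUGGESTS = {
    "gum": re.compile(r"\b(gum clinic|chlamydia)\b", re.I),
    "mental_health": re.compile(r"\b(depress\w*|psychiatr\w*)\b", re.I),
}

def share_by_code(entries):
    """Exclusion by coded field only: drop an entry if its code is in an
    excluded category. Unknown codes are treated as shareable (fails open)."""
    return [e for e in entries
            if CODE_CATEGORY.get(e["code"], "general") not in EXCLUDED]

def residual_leaks(shared_entries, prescriptions):
    """Return (source, category, evidence) for each excluded category that
    can still be inferred from what is shared."""
    leaks = []
    for entry in shared_entries:
        for category, pattern in TEXT_SUGGESTS.items():
            match = pattern.search(entry.get("text", ""))
            if category in EXCLUDED and match:
                leaks.append(("free_text", category, match.group(0)))
    for drug in prescriptions[-5:]:       # the last 5 prescriptions
        category = DRUG_SUGGESTS.get(drug)
        if category in EXCLUDED:
            leaks.append(("prescription", category, drug))
    return leaks

# Constructed sample record, using the A&E example from the text.
RECORD = {
    "entries": [
        {"code": "X-ABDO-PAIN",
         "text": "Seen at GUM clinic last week and treated for Chlamydia"},
        {"code": "X-DEPRESSION", "text": "Review of low mood"},
    ],
    "prescriptions": ["paracetamol", "antidepressant-X"],
}

def demo():
    shared = share_by_code(RECORD["entries"])
    return shared, residual_leaks(shared, RECORD["prescriptions"])

if __name__ == "__main__":
    shared, leaks = demo()
    print("shared codes:", [e["code"] for e in shared])
    for leak in leaks:
        print("still inferable:", leak)
```

The coded mental health entry is withheld, yet both excluded categories remain inferable from the extract: one from the free text attached to an innocuous code, the other from the prescription list.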

And the DoH appear, at that meeting, to be using the cost difficulties as an argument against allowing many people to “opt out”, i.e. “He explained that having one person withhold their data was not cost unrealistic, but it would become more difficult if many people chose to withhold their data”.

I understand that the BMA Working Party on NHS IT has agreed that “there must be a mechanism for patients to control access to their information”, and that “patients will be able to control their data by either choosing not to have any data uploaded or by discussing with their GP the data that they wish to be uploaded or excluded. For the initial upload, it is our understanding that patients who choose not to have a summary record can be assured that their healthcare information will not be uploaded or shared. Their healthcare data will remain in local systems, as at present. Since patients are given a choice whether to share information or not, we would question whether the system is unlawful provided that patients are supplied with sufficient information to make a valid informed choice. The BMA Working Party debated the implications of not having sealed envelopes for the initial upload and agreed that patients should be able to withhold prescriptions from the summary record to ensure privacy rights.”

They (BMA) also agreed that plans for the “sealed envelope” have not been proven, and the process for accrediting new systems, as negotiated under the GMS contract, needs to be completed before records can be uploaded to the spine.

On a related matter, with the model of data storage being Data Spine (extract of holistic record) plus Local System (holding full content) there is a further issue arising from the Care Records Guarantee and comments from CfH. All transactions which access a patient record, whether to create, change or delete (all necessary for disaster recovery purposes) OR enquire (under the guarantee), will log the transaction type (content change) and identify the staff member doing the transaction. A subject may request, under the guarantee, to see their record and all the transactions done to it. The subject can make this request either via the Local Route or via the Spine Route. Locally, staff will have background knowledge of the access, record subject etc. and will be able to make a judgment on what support is necessary to give the subject to understand the record. Via the Spine Route, this judgment will be more mechanistic and could result in CfH giving out records to a known troublemaker, or to someone with some contentious reason for wanting their record, which could put staff in jeopardy if the transaction was, say, to withhold treatment or shift appointment dates, or was an enquiry made by a staff member actually known to the subject. A PCT has asked CfH how this would be dealt with, as it amounts to data on an identifiable staff member being made known to a third party without their consent. CfH responded by confirming that they would request permission from the relevant local organization in each case. But this will require requests to ALL the organizations referenced in the holistic record, which could be a very complex job where the patient has an eclectic history of health interventions at specialist, out-of-hours, walk-in and holiday locations in addition to their home location. It is thought (but not confirmed) that some systems store staff members as code numbers, which will make identification logistically challenging, but some systems actually show names.

The implications of this procedure do not seem to have been thought through, and could potentially have a detrimental effect on CfH solution performance as well as contravene the Data Protection Act.

None of the issues raised above should be taken as indicating that massive potential benefits for patient care cannot be achieved by increasing use of Information Technology; I am sure that they can. However, these aspirations may be better met by fully funded implementation of appropriate local systems with better intercommunication as required.

Need for legal opinion

I feel that with many issues unresolved about access controls and “sealed envelopes” a legal opinion should be obtained before the first upload of summary records from GPs to the national spine. This should take into account present uncertainties about mechanisms for patient consent (opt-in v opt-out), the nature of the sealed envelope technologies, and the rights of all stakeholders within the context of the Data Protection Act and Human Rights Act.

Key Questions/issues

* Should the Department of Health have a database containing a fairly complete record of every treatment in the UK, including not just the treatment code and the cost, but also the name and address of the patient?

* Should the Department of Health have an accessible central record of ALL a patient's care relationships? For example, a patient who attends a sexually transmitted diseases clinic is entitled to keep this fact secret even from his GP. It is quite unreasonable that such a record is available to ministers and civil servants, or for the patient to feel, from the transaction log of activity on this (part of their) record, that it is widely available to professionals in the NHS without a specific need to know.

* Will explicit consent be required from each individual patient before any of their data is uploaded?

* Will patients be able to opt out of having parts of their medical record recorded on the National Database?

* Will patients be able to ensure that data initially recorded on the national database can subsequently be deleted (as opposed to just “sealed”)? This will be important when patients initially consent to recording but subsequently change their minds, or when information is initially recorded at times when the patient is not legally competent.

* Will patients have the right to “opt out” of having all or specific parts of their information shared, as ministers have promised? If so how?

* Will the first uploads of the summary care record to the National spine be made without sealed envelopes?

* What technology is proposed for the “sealed envelopes”? Has it been tested? If so, how?

* How will the system cope if multiple bits of information may have to be made non-shareable to protect a particular piece of information?

* Has a decision been made not to record mental health and STD information on the national database?

* When will systems be in place to provide patients with access to their information automatically every time it changes (My HealthSpace or similar)?

* How will patients who are vulnerable outside of the clinical setting be protected from being obliged to reveal their “healthspace” record to third parties?

* Will there be any compulsion on a health professional to look at what is in a patient’s “MyHealthSpace”?

* How will third party information, which may be in the patient's record, be handled?

* When patients (or their representatives) request a copy of their record on the spine, it will include an audit trail of changes and enquiries made & by whom. If this includes identifiable information about staff could this put them at risk?

* How will a legitimate relationship to the patient be defined? What legitimate relationship types are proposed, and who will authorise them? How will they be managed, changed and an audit trail of any changes kept?

* What sanctions will be in place for “inappropriate” opening of the sealed envelope & how will the audit and disciplinary processes be managed? Will the patient be informed? Will the patient have a right to see who has accessed their record and when?

* In the terms of the Data Protection Act, who will be the Data Controller for the National database, and how is it proposed to ensure that the data controller is wholly independent, particularly of politicians and state agencies?

It will be interesting to see if the agenda committee for the congress approves this resolution for discussion at congress and, if they do, the thoughts of the delegates in the debate.
