BMJ No 7133 Volume 316
Editorial
Saturday 7 March 1998

Patient data, confidentiality, and electronics

Identifiable data should no longer be freely available within the NHS
"Banks access computer records, foreclose on cancer patients."(1) This emotive headline from America in 1993 demonstrated the risks to confidentiality posed by electronic patient records - which are easy to inspect, copy, and transmit without anyone knowing. In Britain, attempts by the medical profession to ensure that such headlines should never be seen here led to fundamental disagreements with the Department of Health. These in turn stalled the already slow development of electronic data handling in the NHS. Only now, with the publication in December of the Caldicott report, is a way forward beginning to emerge.

Shortly after this American headline, the BMA and the Department of Health first discussed confidentiality within the NHS information strategy. The Department of Health (and the NHS Executive) believed all electronically held clinical data should be shared through "the wider NHS family" to facilitate NHS management,(2) but the wider family turned out to be almost anyone in contract with or relating to the NHS, whether clinically involved or not. The BMA felt that patient confidentiality would be so threatened that the only ethical solution was to keep all identifiable clinical data within the clinical domain.(3)

After failing to reach any agreement for several years, the two sides last year agreed to the setting up of a review of the problem of identifiable patient information within NHS information systems under the chairmanship of Dame Fiona Caldicott.(4) The aim was to study flows of identifiable patient data in NHS business to decide whether the inclusion of identifiers was justified and what action could be taken to minimise potential breaches of confidentiality. Given that the NHS Executive believes that authorised insiders misusing their position represent the most serious threat to confidentiality, it was particularly appropriate that the executive should undertake this review.

As an NHS Executive review studying NHS procedures in the light of rules set down by the executive,(2) it is no surprise that all the business flows studied, such as general practitioners' family planning claims and extracontractual referrals, were deemed justified in containing patient identifiers. Nevertheless, the report went on to develop principles of confidentiality and build recommendations on these principles about how the NHS should handle electronically held patient data. These are to apply across the administrative and clinical arms of the NHS and are the start of a continuing process.

The better parts of the report state good practice for NHS electronic health records for the first time; the bad bits will require further negotiation to bring the recommendations back in line with the principles. A particular problem is the idea that the NHS number will act as a "de-identifying" variable in patient data (thereby supposedly enhancing protection of the data). In a computerised NHS, however, the NHS number is actually a better identifier than the patient's name and address. To solve this problem, pilot studies are under way to look at controlling access to the NHS number, and hence clinical records, in active NHS use.

Nevertheless, and despite these real problems, the most valuable feature of the report is its promotion of a culture change within the NHS administrative machine. The report insists (and in accepting the report the NHS Executive has accepted) that identified data are no longer freely available for all to see within the NHS.

What does this mean for clinicians? Work - and thought. It is no longer enough to say that data privacy is somebody else's problem, because clinicians are ultimately responsible for the safety of the patient data they commit to electronic transfer or storage.(5) This responsibility is wide and poorly understood. In the same way as paper records require proper care, so must clinical computer systems store data safely, and transmit data only to other appropriate safe havens, usually clinical ones. If clinicians cannot ensure that, they must see that the data have their identifiers removed before being committed to electronic media. This concept is new for many clinicians, and, while relatively easy in general practice, is a problem for most hospitals, which have traditionally been relaxed about care of patient data. This concept poses particular questions about research databases and registers, and the data guardians proposed by Caldicott to effect and enforce the report's principles will require considerable support, education, and training for their role (which the NHS Executive has agreed to finance).

Another American newspaper article recounts how a patient made the reasonable request that his electronic data should be identifiable only on the ward computer terminal.(6) This apparently simple request created enormous problems for the hospital computer system because confidentiality had not been designed in from the start. The risk exists that the same thing could happen in Britain if the residue of the internal market makes clinicians and administrators feel justified in breaking patient confidentiality. Given the advice of the BMA,(3) the Caldicott report, and adequate money now delivered for protecting confidentiality, there is no longer any excuse for either the executive or clinicians to fail to protect patient data adequately.

A peripheral issue the Caldicott report brings in its train is whether the NHSnet confers confidentiality, for the two are often confused. The NHSnet is the developing NHS intranet for exchanging business and clinical electronic messages, and many had hoped it would solve the confidentiality problem for patient data. Unfortunately it does not, being only a set of dedicated telephone wires. Safe carriers are helpful but not an answer, for the risk to patient data is not in transit, but at workstations throughout the NHS where the data are used.

The final question for confidentiality is how the NHS Executive will ensure that it gains informed consent from patients to use their data, a task the Caldicott review declined to tackle. The true sign of how seriously confidentiality is regarded by the NHS will be the action the executive takes to make informed consent the gold standard for handling patient identifiable data.

Grant Kelly
Chair,

References
1 RMs need to safeguard computerised patient records to protect hospitals. Hospital Risk Management 1993 Sep:129-40.
2 NHS Executive. The protection and use of patient information. Leeds: NHS Executive, 1996.
3 Anderson R J. Security in clinical information systems. London: BMA, 1996.
4 Department of Health. Report on the review of patient identifiable information. London: Department of Health, 1997. (Caldicott report.)
5 General Medical Council. Confidentiality. London: GMC, 1995.
6 Garfinkel S. Computers compromise privacy, cut cost of care. Boston Globe 1997;Jun 5.