Electronic records: Opt in or opt out

For and against

Patients should have to opt out of national electronic care records

Although some aspects of the NHS care record service have a broad consensus agreement, issues of consent and security are dividing health professionals, the public, and the national programme for information technology. Nigel Watson believes his experience of opting out shows it to be the most workable option, but John Halamka uses a US model to argue that opting in is the only way to ensure confidentiality



Commentary: What’s all the fuss about?


Wessex Local Medical Committees, Winchester SO23 8TA

Nigel Watson

chief executive


Health care is becoming more complex and is often delivered in different places by several professional groups. At present many records are still on paper and electronic records often do not link up. For example, although general practice electronic records are among the most advanced in the NHS, they are not normally available when the patient is seen out of hours or attends accident and emergency or another practice as a temporary resident. Electronic coded clinical communications between hospital and general practice systems are limited to pathology.

The NHS care records service lies at the heart of the national programme for information technology. The service will provide electronic summary care records and detailed care records that are available throughout the health service. The concept of appropriate electronic clinical information being available to legitimate healthcare professionals is not contentious. Most people agree that patient centred care requires comprehensive information to be available wherever and whenever care is provided. There is less agreement, however, on how patients should consent to use of electronic records and how the data can be kept secure.

Models of patient consent

There are two broad schools of thought. The first, characterised as the opt-out model, is for the public to be informed of the NHS care records service and to be offered a chance to express their wish that they do not want their clinical records shared within the NHS. The second model is for no sharing to occur until people have expressed their desire to share their clinical records within the NHS—opting in. This is the option supported by the BMA’s General Practitioners Committee. However, having experienced an opt-out approach in Hampshire and the Isle of Wight, I believe that, with caveats, this is the way forward. In November 2003, the public advisory board of the National Programme for Information Technology also advised, on balance rather than by clear consensus,adoption of an opt-out approach with a warning period. But what evidence is there on patients’ views?

Evidence supporting opt-out model

Scotland has already used the opt-out approach for its emergency care summary, which extracts data from general practitioners’ records and hospital notes and is available to the out of hours service. Patients were informed of the project by a widespread publicity campaign and were invited to opt out if they had concerns. In February 2006 the emergency care summary contained records for nearly 3 300 000 patients and only 22 had opted out.

In February 2004, the Wirral Health Informatics Service started consultation on establishing an electronic health record for each patient. The record contains clinical information provided by general practitioners and the hospital and is available to general practitioners, hospital clinicians, and the out of hours service. Patients were invited to opt out if they had concerns. Of the 350 000 patients whose records were uploaded, only 25 opted out.

The health service in Alberta, Canada, changed from the opt-in position to an opt-out one in 2003. The decision was made after consultation with patients and clinicians. Minister of Alberta Health and Wellness stated: "The changesalso recognize that patients must be assured their information is confidential. We consulted with health stakeholders and the Information and Privacy Commissioner to ensure confidentiality and appropriate access.

"The people who keep and manage electronic health records have told us getting consent is an administrative burden that takes time away from patient care and pilot project shows a majority of people consented to have their records shared by electronic means."

Hampshire and Isle of Wight

General practitioners in Hampshire and the Isle of Wight have been involved in two similar projects for the past six years, and our experience may provide some practical solutions to issues of security and consent. A pilot project during April 2000 to March 2003, evaluated a patient electronic health record that could support the clinical care of the patient out of hours and in an emergency situation. A meeting between representatives of the General Medical Council, the medical defence organisations, the BMA’s information and technology committee, the information commissioner, the local medical committee, and the primary care trust reached a consensus that records could be downloaded without explicit patient consent but that consent was required before the record was accessed. A leaflet was produced to explain the aims of the project and the important issues of consent. Patients were offered the opportunity to opt out of the project. Leaflets were sent to all households in the area and were also available in general practices and at the hospital.

The strategic health authority then worked in partnership with the local medical committees and hospitals in Hampshire to develop the clinical data repository using the same model of consent. When the repository went live in May 2006 it contained over 650 000 patient records from 76 general practices and 450 000 patient records from three hospitals. More practices and hospitals are contributing to the repository all the time.

Of the 1 300 000 patients in Hampshire and the Isle of Wight, 1150 have decided not to have their records included in the repository. Patients are made aware that they can view the information that is held on them. About 2000 patients have requested to view their record, although many stated this was out of curiosity rather than any concern over the project.


Access to a patient record in the repository requires a user name and password. Local NHS organisations issue user names only to staff who have confidentiality clauses in their employment contracts. Before accessing the patient record the user is asked to confirm that the patient has given consent. Patients can give consent for once-only access or for one year for all clinicians involved in their care.

The record includes an audit trail that shows the date and time the patient’s record is accessed and, most importantly, by whom. The audit trail automatically identifies when a record has been accessed but no change has been made to the record. A change would be expected if the patient had been receiving care from the general practice or hospital. If no change is made to a record, clinicians would be contacted to explain why they accessed the record. In the case of a life threatening emergency the consent can be overridden, but the clinician would record the reason in the record and have to defend his or her action if challenged at a later date.

The project has some limitations—for example, the clinician is unable to review the records before a consultation unless consent has been previously obtained. General practitioners do not ask consent to look at clinical records in their practice because they are deemed to have a legitimate relationship with the patient. Major problems have to be resolved regarding consent and access to the records when the patient is not present—for example, looking up hospital laboratory or radiography results.


The opt-out model allows patients to benefit from earlier availability of information, reduces the workload on hard pressed services, and cuts the bureaucracy for both practices and patients. I believe we should adopt an opt-out approach for contributing information to the NHS care record service but obtain consent, or have a legitimate clinical relationship with the patient, to access the clinical records. It will be essential, however, to have a large publicity campaign six months before the start of the service, detailing to patients what is going to happen, the potential benefits and dangers, and most importantly how they can opt out of having their records shared.

Contributors and sources: NW is a general practitioner and GP and regional representative for Hampshire and Isle of Wight on the BMA’s General Practitioners Committee.

Competing interests: None declared.

  1. Hippisley-Cox J, Pringle M, Cater R, Wynn A, Hammersley V, Coupland C, et al. The electronic patient record in primary care: regression or progression? A cross sectional study. BMJ 2003;326:1439-43.
  2. Connecting for Health. NHS care records service. www.connectingforhealth.nhs.uk/delivery/programmes/nhscrs (accessed 20 Jun 2006).
  3. BMA. Statement on Connecting for Health, June 2006. www.bma.org.uk/ap.nsf/Content/cfhstatement (accessed 20 June 2006).
  4. Chief Medical Officer. NHS Scotland emergency care summary. Letter to NHS board chief executives, August 2004. www.show.scot.nhs.uk/sehd/cmo/CMO (2004)14.pdf (accessed 20 Jun2006).
  5. Emergency Care Summary Newsletter 2006 Feb (No 3).
  6. Adams T, Budden M, Hoare C, Sanderson H. Lessons from the central Hampshire electronic health pilot project: issues of data protection and consent. BMJ 2004;328:871-4.



Harvard Medical School, 1135 Tremont, Boston, MA 02120

John D Halamka

chief information officer


Regional data sharing is a new concept in the United States, and each region of the country is still defining its privacy policies. The government has created a new organisation called the Health Information Security and Privacy Collaboration to record best privacy practices in an attempt to create a harmonised national privacy policy. Massachusetts has one of the most advanced regional data exchanges in the country and has developed its opt-in policy over the past two years by engaging all stakeholders in our state. The policy enables us to prospectively educate patients about the risks and benefits of data sharing and creates a sound foundation for trust in regional data sharing. We feel this trust is a prerequisite to successful implementation of the technology—patients have to trust that their data will be protected and used appropriately, and providers have to trust that the system has clinically relevant information in it and that it has been disclosed with the patient’s knowledge and understanding.

US policy

New England has implemented several novel regional data sharing initiatives over the past three years. Exchange of clinical data depends on a regional master patient index that does not contain clinical data but points to the sites holding medical records. An authorised clinician can query the index through a secure web page, and once institutions with records are identified ask for information on problems, drugs, allergies, case notes, and laboratory or radiology results. The local technology varies according to local needs and preferences—for example, solo practitioners need simpler applications than a multispecialty practice and academic medical centres need different technology from community hospitals.

Although variation in local health information systems is a virtue, variation in privacy, security, and patient permission is a vice. If privacy policies are not consistent, sharing data becomes more difficult because stakeholders may have differing views of what can be shared and with whom. Since sharing electronic health record data among care givers is new, I believe that patients are best served by prospectively seeking their permission to include data in the regional index. This approach acknowledges patient control and ownership of medical information.

Degrees of consent

Patients at Beth Israel Deaconess Medical Center, a 550 bed teaching hospital, might receive care varying from removal of an ingrown toenail to a heart transplant. The fact that they have medical records at the centre is non-disclosing about any specific disease state or lifestyle. However, if they seek care at McLean Hospital, well known for treating mental illness and substance misuse, the mere fact that they have a McLean medical record number discloses a fact that could jeopardise their employment, electability to public office, and standing in the community. If they seek care at Fenway Community Health Center, a centre of excellence in gay and lesbian care, the presence of a Fenway medical record number may disclose a lifestyle choice that they wish to keep private. When asked to consent for clinical data sharing, patients may therefore opt to include their Beth Israel medical record number but not their McLean and Fenway medical record numbers if they consider the risk of disclosure too high. Similar protection could be offered in the NHS through sealing parts of patients’ records.

In our experience with an ongoing implementation of electronic health records in around 170 physician offices in three Massachusetts cities, clinicians, especially solo practitioners, feel less comfortable taking legal responsibility for gathering consents on behalf of other doctors in the community, or conversely, getting other practices to get patient consents for them.

An opt-out approach would include all known sites of care in the regional index but would give the patient the option at the point of care to prohibit a clinician from looking up data. Both approaches have risks and benefits. With the opt-in approach to consent, patients declare what data they are willing to share. If the regional index is hacked or inappropriately released, the only data compromised would be their name, sex, date of birth, postcode, and the institutional identifiers that they had approved for sharing. Just as customers who use online banking understand the benefits of convenience but accept the risk that their account may be hacked, patients have made an active choice. Patient advocates, Massachusetts regulators, and local politicians support the opt-in approach.

The key disadvantage of this approach is that an opt-in system populates the regional index slowly, since no data are sent to the index until patients opt in at each site of care. This makes adoption of data sharing slow, and in the first few months of use many queries for patient data do not return any matches. Another disadvantage is that clinicians may treat the patient based on an incomplete medical record. For example, a clinician may prescribe a drug that has an important interaction with the patient’s undisclosed mental health prescriptions. However, my experience as an emergency physician, shared by many of my colleagues, is that access to any medical records is better than delivering care without access to data.

Risks of opting out

With the opt-out approach, patient demographics and medical record numbers would be stored in the regional database without patients’ approval. Historical records could be used to populate the regional index rapidly. However, if the regional index is compromised, information on all institutions would be leaked. This could cause much anxiety for patients if they had not consented to that information being shared or been properly informed about the regional index. With an opt-out approach, patients have only one choice during a clinical visit—either consent to enable a clinician to query records at all sites or deny consent. Telling a clinician, "I consent to you retrieving my Beth Israel records but not my McLean or Fenway records" is disclosing, so patients with concerns are more likely to withhold consent in the opt-out model. If a patient arrives unconscious, the clinician can over-ride the opt-out consent and look up the entire patient record. Although this may benefit the patient, it may lead to unwanted privacy breaches. This may affect patient confidence in the system.

In conclusion, we have only one opportunity to build a healthcare information superhighway that patients and providers can trust. We should let the patients decide if they want to drive on it.

Contributors and sources: JDH is an associate professor of medicine at Harvard Medical School. Micky Tripathi, chief executive of Massachusetts eHealth Collaborative, reviewed the article for accuracy.

Competing interests: None declared.

  • Halamka J, Aranow M, Ascenzo C, Bates D, Debor G, Glaser J, et al. Health care IT collaboration in Massachusetts: the experience of creating regional connectivity. J Am Med Inform Assoc 2005;12:596-601.
  • Gottlieb LK, Stone EM, Stone DL, Dunbrack LA, Calladine J. Regulatory and policy barriers to effective clinical data exchange: lessons learned from MedsInfo-ED. Health Aff (Milwood) 2005;24:1197-204.
  • Institute of Medicine. Hospital-based emergency care: at the breaking point. Washington, DC: IoM, 2006.


Commentary: What’s all the fuss about?

Ascot, Berkshire

Jan Wilkinson

patient representative

Patient consent is currently seen as the most controversial topic in the development and implementation by the NHS of universal, shared electronic health records. At least, that is how the medical profession and their legal advisers seem to view the situation. However, as a patient representative on the Care Record Development Board, it seems to me that the finer points of the opt-in or opt-out argument may be lost on even the most well informed patients.

Differences for patients

From the patient perspective, relatively few factors will ultimately matter in the process of establishing the NHS care record service. Topping patients’ list will be the benefits gained from the end result, the overall security of identifiable patient information, and the basic practicalities of how long it all takes. The question is how opting in and opting out will affect the patient in those key areas.

Under the opt-in position, once I have given my informed consent to opt in, I will have a shared care record. The care record guarantee sets out the duties and responsibilities of the NHS in relation to the integrity and security of that record, together with my rights and obligations as a patient. If I refuse to give my consent, my medical records will still exist in electronic format, but access to medical data that identifies me will be restricted to the health professional that created the specific record. Regardless of my current state of health, the level of sensitivity I may have to existing medical information about me, and the time constraints of my local general practice, I will need to visit my local surgery and follow the opt-in consent process.

Under the opt-out version I will have a shared care record unless I choose to opt out. The care record guarantee operates to define NHS duties and responsibilities and patient rights and obligations, exactly as in the opt-in situation. If I opt out, my medical records will still exist in electronic format but the sharing of that data will be restricted, as it would be if I did not opt in. I will not need to trouble myself or my general practitioner unless I have specific concerns about the content of my health records and the sharing of that information.

It is easy to spot that the end results of opting out and opting in look remarkably similar from the patient’s perspective. The care record and its benefits are the same; the ultimate security and safeguards are the same. It is difficult to imagine why most patients would vote for or support the opt-in model. They are more likely to wonder what all the fuss is about and to choose the more practical opt-out process. What ailing patient is going to appreciate a longer delay in gaining a surgery appointment because their general practitioner is snowed under in obtaining the opt-in consent for the care records of otherwise healthy patients? What unfortunate visitor to accident and emergency will be pleased to know that their basic medical history is not available because their general practice has not started the opt-in consent consultation process?

Who needs opting in?

Clearly, some patients with a sensitive medical history will have legitimate concerns. These are the people who will want to consult with the relevant health professional, to consider opting out, and to be advised of the possible consequences of such a decision. Another special group is public figures and celebrities. The risk of unscrupulous media organisations attempting to access the records of interesting people will exist, regardless of the consent model and of the personal consent decision. Although it is a risk, it affects a relatively small group, and several layers of access controls, audit processes, and further safeguards on even the demographic data of public figures are envisaged to mitigate that risk.

Although these two groups of patients could benefit from the more conservative opt-in consent model, they represent a tiny minority of the patient population in England. Anecdotal evidence suggests the majority of patients are likely to prefer to have the NHS care record service established sooner rather than later and to leave the medical professionals free to spend time on those who have serious concerns about their medical information or their privacy.

Is opting in for doctors or patients?

So we could conclude that the current debate is not really patient centric after all. Although the genuine desire to act in the patient’s best interest is undoubtedly part of this debate, perhaps the leaning towards the more conservative opt-in approach is fuelled by the difficulties that the medical profession has with the NHS care record. There is disquiet about the transformation it would bring. Some doctors have difficulty with the change in perceived ownership of medical records that results from creating a shared resource used by all concerned with the process of health care.

The concern that poor quality data uploaded to the NHS spine could compromise patient care or even jeopardise patient safety is valid but is not part of the consent debate. Whether consent is express (opt in) or implied (opt out), all patients are consenting to is the disclosure of their data. Opting in should not imply that the patient is validating the data in the shared health record or somehow becomes responsible for the quality of the data. The care record guarantee makes it clear that it is the duty of the NHS to "maintain full and accurate records of the care we provide to you."

So does the advantage of opting in for a minority of patients with sensitive histories stack up against the disadvantage imposed on the majority if a flawed implementation process results in delays and frustration for patients and hard pressed practitioners? Certainly, an effective public information campaign is vital to fulfil the ethical and legal requirements for informed consent. But surely patients have a right to expect the NHS to positively harness technology, to reform the way it uses information, and hence to improve services and the quality of patient care? It would be unfortunate if an over-riding emphasis on the NHS’s role as guardian of patient confidentiality resulted in an unworkable operating model for the implementation of the care record.

Competing interests: JW was appointed as a lay member of the Care Record Development Board in 2005 to represent patient and public views. This is a voluntary position.

NHS. The care record guarantee. www.connectingforhealth.nhs.uk/crdb/boardpapers/docs/crs_guarantee_2.pdf (accessed 21 June 2006).