Lessons from the central Hampshire electronic health record pilot project: issues of data protection and consentBMJ 2004; 328 doi: https://doi.org/10.1136/bmj.328.7444.871 (Published 08 April 2004) Cite this as: BMJ 2004;328:871
- Trina Adams, clinical systems programme manager ()1,
- Martin Budden, Surrey LIS programme manager2,
- Chris Hoare, chief information officer1,
- Hugh Sanderson, consultant in public health3
- 1Hampshire and Isle of Wight Strategic Health Authority, Southampton SO16 4GX
- 1East Surrey Health Informatics Service, Surrey and Sussex Strategic Health Authority, West Park Hospital, Epsom, Surrey K19 8PB
- 3Winchester and Eastleigh Healthcare Trust, Winchester, Hampshire SO22 5DG
- Correspondence to: T Adams
- Accepted 19 January 2004
One of the key elements of the NHS information strategy of 1998 was the development of electronic patient records.1 These were expected to be developed within organisations and to be capable of being linked into a patient focused electronic health record, which would form a lifetime record of health and health care for each patient within the NHS.1 This vision has been modified slightly by updates of the strategy, and the electronic health record has been renamed and redefined as the NHS Care Record Service, but in many ways the original concept has remained the same.2
The purpose of the electronic health record—now the NHS Care Record Service—is twofold. Firstly, to provide support for the clinical team to help them recall and communicate health status and treatments for patients in a coordinated way, and, secondly, to act as the source of statistical information on types of patients seen and the process and outcomes of their treatment. Although there was much expectation that these goals could be achieved, there was little evidence to prove that this was the case for the original strategy and its subsequent refreshes.2 For that reason, the NHS Information Authority sponsored 18 pilot projects which ran from April 2000 to March 2003 to test the concepts in several locations.
The pilot project
The central Hampshire electronic health record pilot project was supported from September 2000 to March 2003. During that time it evaluated the practicality of linking records from a wide range of organisations to support emergency and out of hours care, as well as providing information that could support data analysis and clinical governance.
The project, originally based at North and Mid-Hampshire Health Authority, linked with several key organisations within the area, which included three general practices (one in Eastleigh and Test Valley South primary care trust and two in Mid-Hampshire primary care trust), Winchester and Eastleigh Healthcare Trust, Hampshire Ambulance NHS Trust, Hampshire and Isle of Wight NHS Direct, and Hampshire social services.
A pilot electronic health record project linked patient records from five settings
A solution to issues of patient confidentiality and consent was developed through discussion with several bodies
Feedback to a public information campaign indicated that most people supported linked medical records
Only 10 patients in the pilot population wanted to restrict access to their records
Few resources are needed for a help desk and the mechanism for viewing electronic records
The withdrawal of some records from the electronic health record is unlikely to damage its usefulness for clinical care
The two out of hours cooperatives for Winchester were also part of the original plan but were dissolved part way through the project. The deputising service which took over responsibility for out of hours cover could not participate during the life of the project but would like to be involved in a future extension.
The technical solution
Extracts of patient information from the various feeder systems were designed to update the master patient index on a daily basis (figure). The index had been populated using the main NHS register (the Exeter system—organisational links extract), the Winchester and Eastleigh Trust master patient index, and the social services client index. When clinical data were sent to the electronic health record, the master index checked for an NHS number in the source record. If this was available the document was passed to the repository. If the number did not exist, the record went through a matching algorithm using first name, surname, date of birth, postcode, first line of address, general practice, and doctor's name to see if it could be matched to an individual record in the repository. Any unmatched records were excluded from the live system but retained for potential matching.
Data streams from the hospital were extracted using an interface engine (http://www.seebeyond.com/). New-church (http://www.newchurch.co.uk/), a consultancy working with healthcare organisations, provided a facility for extraction of general practice records.
The patient records were then incorporated as documents into a virtual case note, which was accessible securely on computers with an NHSNet connection and internet browser. This provided access to all available information on that patient. To enable access to these records, user identities, passwords, and training were provided for 31 clinical staff in the general practices, ambulance command and control, NHS Direct, out of hours social services, and Winchester Hospital accident and emergency department and the emergency medical assessment unit. A separate structured database was constructed for the analysis of records for clinical governance.
Data protection and patient consent
Patient identifiable data may be collected and stored in computerised records, provided the purpose of the record is clearly defined, data is held securely and confidentially, and the patient is able to check the content and accuracy of the record. Patient identifiable data may not be used for other purposes without the patient's consent, unless exemption has been obtained under section 60 of the Health and Social Care Act 2001.
Considerable discussion within the local health economy concerned the legality of combining records from different sources when patients had not been informed that this would happen and had not had the opportunity to exclude their records. National guidance derived from the records of multiple organisations was conflicting. Some relevant advice identifies that it is likely that processing personal information is legal, as specified in schedules 2 and 3 of the Data Protection Act 1998, where “the processing [of data] is necessary for medical purposes and is undertaken by a health professional or a person owing a duty of confidentiality equivalent to that owed by a health professional.” The act further specifies that included within the term “medical purposes” are preventative medicine, medical diagnosis, medical research, the provision of care and treatment, and the management of healthcare services.3
Discussions regarding the project were chaired by a professor of healthcare law and involved the Local Medical Committee, the General Medical Council, the British Medical Association, the Information Commission, NHS Information Policy Unit, and the NHS Information Authority. Two workshops were held to bring perspectives and concerns into focus. A set of actions was eventually agreed by all of these groups (box 1). These steps are consistent with the current position within the NHS.4
Information for patients
Two leaflets were written for patients; one described the uses of health records and the other described the project (see bmj.com). These were delivered to 80 000 households (225 000 residents) in central Hampshire.
Leaflets were also placed in all the local general practices and Winchester Hospital outpatients and accident and emergency departments, as well as libraries, county council offices, and dental surgeries.
Box 1: Set of actions agreed by groups involved in project
Send out leaflets on use of health information and the project to all households within the pilot area,giving contact points for more information, supported by advertisements in the local press
Provide the same leaflets along with posters for display in, for example, surgeries, hospital outpatients, accidentand emergency departments, libraries, county counciloffices
Enable patients to have their records excluded fromthe electronic health record
Provide a help desk based at NHS Direct to answer queries on the project, register patient's instructions about whether their records should be included, andprovide an opportunity for patients to review theirrecords
Provide a website with information on the project, and enable visitors to record their views about the project and confidentiality (http://www.chehr.org.uk/)
Ensure that, when ever practical, patients are askedfor their consent before the record is accessed
Set up a clinical committee with representationfrom all participating organisations with the remit ofdetermining which types of staff should have access towhich types of information
Restrict the extract from the general practicerecord to coded data only, excluding all free textcomments and annotations
Box 2: Range of patients' views
“In view of the concerns over an appropriate level of consent it was essential to get the level of information absolutely right. I am very concerned about the level of transparency and openness and the desire to really communicate with the public”
“This is information sharing by default and therefore a substantial and scary erosion of the confidential doctor-patient relationship”
“In summary, the aims of the project are good… but I believe the implementation is very misleading and may well be illegal under the DPA [data protection act]”
“Press on regardless, and save money by using EHR [electronic health record] in all cases. Stop all this pussyfooting about!”
“Some of the objectives are excellent and the website is a much better demo of the virtues of the project—but many people will not be able to access this”
“I think it should be accessed by suitable staff without having to ask the patient each time. I would prefer to give a once only ‘yes’ and then medical staff get on with reading what they like. How about having a small patient ‘write in’ box, so the patient can put in a few relevant words—maybe a tick box to say the patient give permission without having to ask each time?”
NHS Direct helpline
Overall, 82 patients called the NHS Direct helpline, of whom six asked for their records to be excluded from the electronic health record and eight asked to view their record before making a decision. (Four subsequently asked for information to be excluded.)
Most of the callers wanted more information or further copies of the leaflets, but several wanted to express their support for the electronic health record, in particular that their record was included and contained specific important information. A few callers expressed concern that their general practitioner was not included in the pilot.
The project's website received 1306 hits during the six month evaluation period, but of these only 20 questionnaires that provided feedback were completed. This is a low response rate and suggests that most visitors did not have strong enough views. It also renders interpretation of the results difficult.
Of those who did respond, almost half thought there was sufficient information on the site to allow them to make an informed decision, and a further quarter gave an equivocal response, leaving one third unsatisfied. Only one tenth thought that the site had not helped them to see the benefits of an electronic health record.
Four respondents thought that information sharing in the NHS was not a good idea and that the project was not doing a good job. These views were not shared by the remaining 16 respondents.
Only 12 of the respondents chose to comment (box 2). The range of views might be expected from those who had sufficient motivation to access the website and to respond to the questionnaire, but given such a low response rate, it is impossible to extrapolate from these findings.
Ten patients in the pilot population requested that their records be excluded. These patients were therefore excluded as missing personal data meant that subsequent clinical records could not be matched. Exclusion at the data extraction stage was impossible in all but one of the source systems.
This process was managed by the system administrator, and a log of transferred and deleted records was maintained as an audit trail. Although this worked well for the project and is scalable, the NHS Care Record Service has established new protocols for dealing with patient consent which would need to be adhered to in further iterations.
Confidentiality and analysis of the electronic health record
One of the objectives of the central Hampshire electronic health record project was to test the usability of patient records to support analysis and the provision of statistical data. To address the concerns over data protection and patient consent, the records were anonymised. However, to enable linkage of records for the same patient it was necessary to use unique identifiers. The NHS number was encrypted and the encryption algorithm held securely by the system manager.
These arrangements satisfied the Caldicott guardians of the organisations contributing data. In addition, analyses identifying individual clinical staff or specific organisations were not released without consent.
Confidentiality and patient consent
Discussions with the various bodies, although detailed and protracted, were constructive. All could see the potential value of the pilot. They wanted to help achieve these benefits but also wanted to be sure that patients' rights were protected and that clinicians were not in danger of breaking patient confidentiality and the law.
The process of widespread dissemination of information and seeking explicit consent whenever possible seems to have caused little concern among the residents of central Hampshire. Usage of the helpline and website was low compared with the numbers of leaflets despatched, and the volume of feedback was even lower. It might be expected that those who were concerned about patient confidentiality would make more effort to express their opinion; feedback was mostly positive. Ten people asked for their records to be excluded, and four people expressed concern about the project on the website feedback form. These results were consistent with the project in South Staffordshire.5 This project also tested whether the population had seen and understood the information, which raises further questions.
The South Staffordshire evaluation concerned a smaller community (around 60 000 households), leafleted in a similar way. Surveys were undertaken in Stafford town centre and in several general practices, asking patients if they knew about the South Staffordshire project and whether they had concerns about the use of their information. Only 38% of those interviewed were aware of the project, and of these only 15% understood that they could opt out. But although the effectiveness of raising awareness by leaflets was limited, there was no evidence that people were seriously concerned about their information being shared within an electronic health record. Nearly 80% were comfortable with this; the South Staffordshire project had no requests for exclusion.
These results were broadly in line with research undertaken by the Consumers' Association.6 This involved a quantitative survey of about 2000 people as well as qualitative research with four focus groups and interviews with 36 people with a special interest. Some of the results were conflicting, but in the survey 60% of respondents would not restrict access to any of their record. However, if possible, 9% would restrict their doctor's access to some of their record, 17% would restrict access by hospital doctors, and nearly half would restrict access to some of their record by other health professionals.
These observations suggest that most patients are in favour of their health information being available, but a significant minority want to be in a position to control access to some or all of it. Such functionality has been included within the Output Based Specification for the Integrated Care Record Service (now the NHS Care Record Service), which is currently being procured for the NHS.7
It is also clear from the South Staffordshire project that leaflet distribution is not an effective way of informing a population. This may be because interest in the issue, as judged by the contact with NHS Direct and the website, is low. If it is assumed that about 35% of the population (equivalent to 26 000 households) in central Hampshire read enough of the leaflet to become aware of the project, only about three in 1000 households were concerned enough to contact the helpdesk and five in 100 were motivated to visit the website.
The NHS code of practice on confidentiality emphasises the need to protect patient information, to inform patients how their information may be used, and to provide patients with choices as to whether their information may be disclosed or used for specific purposes.8 Given that most people seem to be relatively uninterested in this issue, ensuring that patients are aware of the processing of their data and understand their rights will continue to be an important challenge for the NHS.
The patient leaflets used in the project are on bmj.com
Contributors TA managed the day to day running of the project and wrote the paper as well as the project reports. HS chaired the clinical committee overseeing the project; he will act as guarantor for the paper. The guarantor accepts full responsibility for the conduct of the study, had access to the data, and controlled the decision to publish. MB programme managed the project. CH chaired the project board and steered the development of the project.
Funding The project was funded by the electronic records development and implementation programme (ERDIP) of the NHS Information Authority.
Competing interests None declared.
Ethical approval Ethical approval was provided by the Caldicott guardians of the participating organisations and from discussions with the General Medical Council, the Local Medical Committee, and the British Medical Association.