Intended for healthcare professionals


Soft paternalism and the ethics of shared electronic patient records

BMJ 2006; 333 doi: (Published 29 June 2006) Cite this as: BMJ 2006;333:2

Patient records, confidentiality and choice

From the website of the General Medical Council

“The duties of a doctor registered with the General Medical Council”

“Doctors hold information about patients which is private and
sensitive. This
information must not be given to others unless the patient consents or
can justify the disclosure.

Patients have a right to expect that information about them will be
held in
confidence by their doctors. Confidentiality is central to trust between
doctors and patients. Without assurances about confidentiality, patients
be reluctant to give doctors the information they need in order to
good care.

Many improper disclosures are unintentional. You should not discuss
patients where you can be overheard or leave patients’ records, either on

paper or on screen, where they can be seen by other patients,
health care staff or the public. You should take all reasonable steps to
that your consultations with patients are private.”

The Electronic Patient Record (EPR) for every NHS patient should be
in place
by 2010.This will allow a summary care record on every patient to be
available from every NHS computer terminal. As a consultant anaesthetist
an NHS hospital, I look forward to the day when the hospital notes of
I need to see and assess are legible, devoid of needless repetition and
results of relevant investigations. The EPR might achieve this and it
improve efficient and timely patient care. However, the financial costs
inadequacies of the system currently being developed might also make it an

expensive white elephant and enormous waste of public money. Leaving
aside the analysis of costs and benefits, my view is that the EPR is a
serious threat to patient confidentiality, which the GMC recognises to be
the centre of the relationship between doctor and patient.

Many hospitals already have electronic access to laboratory records
radiological images for medical, nursing and paramedical staff. Passwords
sometimes shared, screens left on in open view. Since lab data and images
are not the stuff of hospital gossip there seems to be little attention
paid to
confidentiality and security, despite the fact that staff can be
disciplined for
breaching rules on electronic data protection. When the entire medical
of the whole population is available on a central computerised record the
potential for breaching confidentiality is obvious.

Once private and personal data has been leaked from the system it can

become common knowledge; the genie of information can never be put back
into the bottle. Inappropriate access to medical records might be traced,
assuming that the person has used their own log-in details but given the
poor security that I see at the moment this will probably not be
Consider a junior doctor at a computer screen who is called to attend a
cardiac arrest. Will they remember to log off before responding to the
call? Even if challenged after a breach of security one could always
argue that
the data was requested accidentally, perhaps by entering an incorrect
identification number. It would be unreasonable to discipline a staff
for one or two infractions of this type because such errors are
inevitable. I
occasionally enter the wrong numbers into the radiology viewing system
am presented with the images of a different patient. At the moment I
this as a minor irritant and waste of my time; in future it might become a

more significant lapse of patient confidentiality.

In addition to the opportunity for workers in hospitals and GP
surgeries to
abuse the EPR for reasons of personal curiosity or maliciousness, there
also be the potential for commercial abuse of the system by, for example,
journalists or insurance agencies. No doubt the law will prescribe
penalties for such abuse after the fact, if detected, but might be
powerless to
prevent it.

So how should one respond personally to the EPR? It will be possible
to ask
one’s GP not to place certain information on the record. A GP must also,
they wish to abide by the advice of the GMC shown above, ask patients if
want their private medical records to be entered on a central computerised

system. My interpretation of this advice is that patients would have to
into the system, they cannot be assumed to do so by default. Another
option, available to the wealthy or the insured, would be to opt out of
NHS entirely and use private medical care. Private medical practitioners
be more polite than to enter confidential patient details on an open
system. Another option will simply be to lie to one’s medical carers –
deny or
conceal certain aspects of one’s medical history to maintain privacy and

For these reasons I believe that the Electronic Patient Record,
whatever its
political or bureaucratic attractions, is intrinsically incompatible with
confidentially and should be firmly rejected by the medical profession.
huge sums of money being invested in its construction could be usefully
spent on the care of our patients, rather than on compromising their

Competing interests:
None declared

Competing interests: No competing interests

25 June 2006
Michael Foley
Consultant anaesthetist
James Cook University Hospital, Middlesbrough, TS4 3BW