With greater access to records comes a greater risk of breaching confidentiality unless certain standards are adhered to, says Dr Gerard Panting of the MPS.
Electronic information management systems offer considerable benefits. They provide greater access to patient information for the many healthcare professionals who may be involved in an individual’s care, better continuity of care and greater efficiency in medical treatment. They also make more medical data available for public health initiatives.
However, greater accessibility carries with it the dangers of access by unauthorised personnel for inappropriate use, and assimilation of information which may prejudice individuals when applying for life insurance, mortgages or jobs. This could, in turn, deter individuals from being completely open and honest with their doctors.
The NHS Information Authority (NHSIA) recently published four discussion papers about various aspects of patient confidentiality, a prelude to the NHS embarking on a major spending programme to improve the information systems used in patient care.
The consultation papers include a set of proposals for handling patient information called Caring for Information (a draft national patient information-sharing charter that tells people what they can expect from the NHS);[1] a draft code of practice for NHS staff dealing with protecting patient confidentiality;[2] and a draft script for a public information video explaining what the NHS does with patient information and patients’ rights.[3]
Meeting patients’ expectations
The NHSIA carried out research on patients’ expectations during May and June 2002. Encouragingly, there was a high level of trust in the NHS when it came to protecting patient confidentiality, but many patients did not know how the NHS uses patient information.
They generally accepted that GPs, hospital doctors and emergency services should have access to their data but wanted to reserve the right to limit access to very sensitive information.
The research also revealed that people considered information that was released outside the NHS or used inside the NHS for purposes other than treatment should be anonymised or the patient’s permission sought for that use.
The NHSIA aims to allow information to be shared among those in the NHS who need it to provide good quality care while at the same time recognising patients’ rights. It proposes to achieve this by implementing two principles: patient identifiable health records should only be shared for health and social care; and individuals should be given only the information they need to enable them to do their job in caring for the patient.
A code of practice
The NHSIA’s recently published draft code of practice for NHS staff on protecting patient confidentiality[2] brings together the law governing professional confidence, how a confidential service should be provided, how information should be used and various annexes dealing with more detailed requirements.
The law governing professional confidence
Medical confidentiality is a legal duty which arises when patients share information with their doctors, healthcare workers or other NHS staff in circumstances in which it is reasonable to expect that the information will be kept confidential.
That legal duty has been established by the courts in numerous cases, often reflecting the advice given to the profession by the General Medical Council. The GMC and other healthcare regulators require practitioners registered with them to follow their own guidance as well as following the general legal requirements.
The Data Protection Act 1998 and, to a lesser extent, the Human Rights Act 2000 make statutory provision for the way in which confidential information may be obtained and used. In addition, the Access to Health Records Act 1990 limits access to confidential information relating to individuals who have died.
The Data Protection Act 1998 is a complex piece of legislation with a large volume of supplementary regulations governing specific forms and uses of personal data. Despite this complexity, its requirements can be summarised as abiding by the data protection principles (Box 1, below). Providing data controllers comply with the notification requirements (previously termed ‘registration’) and the data protection principles, they should stay on the right side of the law.
Box 1: The data protection principles
Providing a confidential service
The draft code of practice for NHS staff defines a confidential service as one that protects patient information, ensures that patients are informed fully so that they are not surprised by how their information is used, and provides choice to patients. It should also improve the way in which confidential information is obtained, used and protected wherever possible.
The emphasis in this section of the document is on informing patients – through posters, leaflets and in person – that the information they give may be recorded and shared with others to provide them with care, and may also be used to support clinical audit and other work to monitor the quality of care provided.
It states that in order to inform patients properly, staff must check that patients have seen information leaflets about the collection and use of confidential information, and make it clear to patients when information is recorded or health records are accessed. They must also tell patients when information will be shared with others, check that patients are aware of the choices available to them regarding how that information may be used or shared and also check that they have no concerns or queries about this.
Staff must also respect the rights of patients to have access to their records (a statutory right under the Data Protection Act 1998).
The guidance also sets out standards for maintaining the security of medical records (Box 2, below) and issues advice on their content (Box 3, below).
Box 2: Standards for maintaining the security of medical records
For all types of records, staff working in offices where records may be seen must:
Box 3: NHSIA advice on the content of patient records
Patient records should:
- Be factual, consistent and accurate
There is very little in the document that is new, apart from the emphasis on the need to keep patients informed. However, the very fact that this guidance has been produced demonstrates the increasing complexity of the subject and seriousness with which the issue is taken by patients, politicians and regulators.
1. NHS Information Authority. Caring for Information – Model for the Future. Birmingham: NHSIA, October 2002.
2. Department of Health. Confidentiality: a code of practice for NHS staff. London: Department of Health, 2002.
3. NHS Information Authority. Confidentiality of your medical records. Video script. Birmingham: NHSIA, October 2002.