NHS chief cans patient control over health record access
Opt out guarantees downgraded?
Government claims that patients would be able to opt out of the new National Health Service care records service (NHS CRS) have been undermined by the Department of Health's head of digital information policy. Assurances on privacy and confidentiality have previously been made by the Minister responsible for the NHS Programme for IT, John Hutton, but in a series of emails to a GP policy boss Phil Walker made it clear that patients will have little real control over their personal records.
According to a report by Radio 4's Today programme this morning, Walker said that decisions regarding the storage of patient data would primarily be the responsibility of the GP, and that the patient would have no right to veto the recording of information, or to say what should or should not be recorded. A spokesman later claimed to the programme that patients could discuss what details were recorded with their doctor, and have control over who is allowed to access them, except in an emergency. This was claimed as constituting the "opt out" Hutton had previously offered, and Walker's emails were claimed to be entirely in line with this policy.
The arguments over patient records arise from the nature of the change being brought in with the NHS CRS. Currently patient records are held by the GP in whatever format the GP chooses, whereas the new centralised system will allow instant access to any patient's medical records from anywhere within the NHS. In principle this should make treating patients throughout the service more efficient and reliable, and immediate access to data could be life-saving in emergencies. But who is allowed to access the data, when, and the nature of the data recorded clearly becomes an issue of concern for both the patient and the GP.
Seeking to squash suspicions about this area for the new centralised NHS IT structure, Hutton had said that patients could choose to have no records kept on the NHS CRS at all, or to restrict access to sensitive information in a sealed "electronic envelope" which could be accessed only in emergencies. Walker's statements however seem to suggest that the patient's rights here are dependent on the particular GP agreeing to them, i.e. it's not a patient opt-out, it's a GP-agreed patient opt-out.
If this is the case, Hutton's previous statements have been somewhat opaque on the subject. In answer to a parliamentary question last year, Hutton said: "The national programme for information technology is incorporating stringent security controls and safeguards that will mean patients have more control over who has access to their information than is possible with existing systems... A fundamental principle in the implementation of the national health service care records service (NHS CRS) is that confidentiality and privacy of sensitive patient information must not be compromised" and "Patients will have the right to specify that detailed information recorded at the point of contact with the NHS should not be available to other NHS organisations via the summary record held on their NHS care record. They will also have the right to define some information as especially sensitive and only accessible under terms of explicit consent. This reinforces the key statutory safeguards set out in the Data Protection Act 1998, with which all information users must comply. These facilities have been designed in to the NHS CRS...
"The Data Protection Act also provides patients with a right, where they are suffering substantial damage or distress, to object to processing of their data, including to prevent their data being held at all in an identifiable form, though this is expected to be a very rare event. We are currently considering how this right should apply to implementation of the NHS care record." (Examples of other Hutton answers can be found here and here.)
Today's revelations cast considerable doubt over these apparently cast-iron guarantees, and reopen the whole question of patient rights, privacy and confidentiality. In another answer last year Hutton trailed a "major public awareness campaign... to address the full range of issues posed by implementation of a national health service care records service (NHS CRS) and to ensure that NHS patients know their rights and how information about them can be used within the health service."
Right now that looks just a little bit urgent, although the NHS should probably nail down what the policy actually is before it kicks off the campaign. ®
Sponsored: 2016 Cyberthreat defense report