Feeds

NHS chief cans patient control over health record access

Opt out guarantees downgraded?

  • alert
  • submit to reddit

Application security programs and practises

Government claims that patients would be able to opt out of the new National Health Service care records service (NHS CRS) have been undermined by the Department of Health's head of digital information policy. Assurances on privacy and confidentiality have previously been made by the Minister responsible for the NHS Programme for IT, John Hutton, but in a series of emails to a GP policy boss Phil Walker made it clear that patients will have little real control over their personal records.

According to a report by Radio 4's Today programme this morning, Walker said that decisions regarding the storage of patient data would primarily be the responsibility of the GP, and that the patient would have no right to veto the recording of information, or to say what should or should not be recorded. A spokesman later claimed to the programme that patients could discuss what details were recorded with their doctor, and have control over who is allowed to access them, except in an emergency. This was claimed as constituting the "opt out" Hutton had previously offered, and Walker's emails were claimed to be entirely in line with this policy.

The arguments over patient records arise from the nature of the change being brought in with the NHS CRS. Currently patient records are held by the GP in whatever format the GP chooses, whereas the new centralised system will allow instant access to any patient's medical records from anywhere within the NHS. In principle this should make treating patients throughout the service more efficient and reliable, and immediate access to data could be life-saving in emergencies. But who is allowed to access the data, when, and the nature of the data recorded clearly becomes an issue of concern for both the patient and the GP.

Seeking to squash suspicions about this area for the new centralised NHS IT structure, Hutton had said that patients could choose to have no records kept on the NHS CRS at all, or to restrict access to sensitive information in a sealed "electronic envelope" which could be accessed only in emergencies. Walker's statements however seem to suggest that the patient's rights here are dependent on the particular GP agreeing to them, i.e. it's not a patient opt-out, it's a GP-agreed patient opt-out.

If this is the case, Hutton's previous statements have been somewhat opaque on the subject. In answer to a parliamentary question last year, Hutton said: "The national programme for information technology is incorporating stringent security controls and safeguards that will mean patients have more control over who has access to their information than is possible with existing systems... A fundamental principle in the implementation of the national health service care records service (NHS CRS) is that confidentiality and privacy of sensitive patient information must not be compromised" and "Patients will have the right to specify that detailed information recorded at the point of contact with the NHS should not be available to other NHS organisations via the summary record held on their NHS care record. They will also have the right to define some information as especially sensitive and only accessible under terms of explicit consent. This reinforces the key statutory safeguards set out in the Data Protection Act 1998, with which all information users must comply. These facilities have been designed in to the NHS CRS...

"The Data Protection Act also provides patients with a right, where they are suffering substantial damage or distress, to object to processing of their data, including to prevent their data being held at all in an identifiable form, though this is expected to be a very rare event. We are currently considering how this right should apply to implementation of the NHS care record." (Examples of other Hutton answers can be found here and here.)

Today's revelations cast considerable doubt over these apparently cast-iron guarantees, and reopen the whole question of patient rights, privacy and confidentiality. In another answer last year Hutton trailed a "major public awareness campaign... to address the full range of issues posed by implementation of a national health service care records service (NHS CRS) and to ensure that NHS patients know their rights and how information about them can be used within the health service."

Right now that looks just a little bit urgent, although the NHS should probably nail down what the policy actually is before it kicks off the campaign. ®

Related Stories:

DoH broadens technology choice for GPs
NPfIT boss prepares to cut failing suppliers
GPs have no faith in £6bn NHS IT programme
Flagship NHS project in danger

Designing a Defense for Mobile Applications

More from The Register

next story
Sit back down, Julian Assange™, you're not going anywhere just yet
Swedish court refuses to withdraw arrest warrant
UK Parliament rubber-stamps EMERGENCY data grab 'n' keep bill
Just 49 MPs oppose Drip's rushed timetable
MPs wave through Blighty's 'EMERGENCY' surveillance laws
Only 49 politcos voted against DRIP bill
EU's top data cops to meet Google, Microsoft et al over 'right to be forgotten'
Plan to hammer out 'coherent' guidelines. Good luck chaps!
Delaware pair nabbed for getting saucy atop Mexican eatery
Burrito meets soft taco in alleged rooftop romp outrage
British cops cuff 660 suspected paedophiles
Arrests people allegedly accessing child abuse images online
LightSquared backer sues FCC over spectrum shindy
Why, we might as well have been buying AIR
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Mobile application security vulnerability report
The alarming realities regarding the sheer number of applications vulnerable to attack, and the most common and easily addressable vulnerability errors.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.