Saturday, June 20, 2009

Who Sees What? project

The Who Sees What? project is a new website designed to give ordinary people the opportunity to discover, discuss and decide about the new ways in which the NHS wants to use electronic patient records.

Who Sees What? is a collaboration between the New Economics Foundation and the Centre for Science Education at Sheffield Hallam University. It’s funded by the Wellcome Trust.

I feel these are important topics which require wider discussion and welcome this contribution to the debate.

Labels: ,

Friday, January 23, 2009

Privacy and confidentiality of patient information

I was interested to note that The NHS Constitution for England which was published this week gives several pledges to patients including:

You have the right to privacy and confidentiality and to expect the NHS to keep your confidential information safe and secure.

This is a vital issue where, I feel, we need still to get clarity about how this will be achieved - particularly in the light of Tony Collins Blog post this week Post-it notes for passwords - an NHS option? about the culture of shared passwords in the NHS.

Labels: ,

Tuesday, July 15, 2008

Data Sharing Review

A few days ago a report, entitled the Data Sharing Review by Richard Thomas, the Information Commissioner, and Mark Walport, the director of the Welcome Trust, was delivered to the government which commisioned it.

The review examined issues around the safety and security of personal information and the ways in which public sectors bodies, including the National Health Service (NHS), share data about individuals.

The review's conclusions were that:
  • there is a lack of transparency and accountability in the way organisations deal with personal information
  • there is confusion surrounding the Data Protection Act, particularly the way it interacts with other strands of law
  • greater use could be made of the ability to share personal data safely, particularly in the field of research and statistical analysis
  • the Information Commissioner needs more effective powers, and the resources to allow him to use them properly.
and it came with a series of recommendations aimed at transforming the personal and organisational culture of those who collect, manage and share information. These included:
  • to improve leadership, accountability and training within organisations
  • to ensure all organisations are as transparent and open as possible about how and with whom data are shared, with what authority, for what purposes and with what protections and safeguards
  • to clarify and simplify the legal framework governing data sharing, including provisions to guarantee better and more authoritative guidance for practitioners
  • to develop mechanisms that will enable population-based research and statistical analysis for public benefit, whilst safeguarding the privacy of individuals
  • to help safeguard and protect personal information held in publicly available sources.
A key point for the NHS and other healthcare providers was the support for the assumption of implied consent, explicitly stating that:
"An NHS patient agreeing to a course of treatment should also be taken to have agreed that information given during the course of the treatment might be made available for future medical research projects, so long as robust systems are in place to protect personal information and privacy."
But warns that:
"However, implied consent is not satisfactory without considerable transparency. In the case of the NHS, we strongly encourage it to build on its existing efforts to educate patients by making general and widely advertised statements about how people’s health information might be used in the future."
I would suggest that we are currently a long way from achieving this aim and that the majority of the public have no idea how the information they give to a doctor, nurse or other healthcare professional might be shared.

The report also uses examples from health to look at the shring of clinical information for research processes, and includes a specific recomendation on this:
"Recommendation 17: We recommend that the NHS should develop a system to allow approved researchers to work with healthcare providers to identify potential patients, who may then be approached to take part in clinical studies for which consent is needed. These approved researchers would be bound by the same duty of confidentiality as the clinical team providing care, and face similar penalties in the case of any breach of confidentiality. If legislation is necessary to implement such a scheme, then we would urge Government to bring that legislation forward as quickly as possible."
If legislation is to be proposed then I feel it must always err on the side of patient safety and confidentiality, rather than being driven by the desires of the research community, including pharmaceutical companies, and clarify the "approval process" especially as many of them are not covered by the same professional codes (with sanctions for breaking them) as clinicians.

Action is definitely needed to improve the way in which organisations, such as the NHS, handle sensitive personal data and improve public confidence in these processes.

It will be interesting to see how any new legislation, including the implementation of EU directives, improve practice and achieve some of the laudable aims set out in the review.

Labels: ,

Thursday, June 05, 2008

Consent, opt out and the summary care record

Dr Paul Thornton has made public his advisory letter about the rollout of summary care records (SCR) in Dorset and the consent model being employed.

He cites the UCL report on the SCR early adopter program and guidance from the Medical Defence Union to advise the Dorset Local Medical Committee that implied consent (“opt out”) is unlikely to be valid.

It will be interesting to see what decisions GPs make in the next phase of rollout areas following the learning from the early adopter sites.

Labels: , ,

Thursday, September 13, 2007

Major reports on NHS & NPfIT

Todays publication of the House of Commons Health Committee into Electronic Patient Records along with yesterdays Report Our Future Health Secured? A review of NHS funding and performance for the King's Fund means I have lots of reading to do - which is getting in the way of preparing a major document for my DPhil.

I've not got all the details from the Health Select Committee report yet but have spotted a couple of conlusions which I think point out some of the problems they have identified in the NHS's National Programme for IT and Connecting for Health approach:

NPfIT is characterised by a centralised management structure and large-scale procurement from private suppliers. This approach aims to offer improved value for money and to address the previously patchy adoption of IT systems across the health service. The Department defended the progress made by NPfIT to date, arguing that the programme is on course to succeed. However, serious doubts have been raised, from sources including the Public Accounts Committee, about how much has been achieved and about the likely completion date. In particular, progress on the development of the NCRS has been questioned.

The input of end-users is vital in planning, design and implementation.

As EPR systems make more personal health data accessible to more people, breaches of security and confidentiality must be regarded as serious matters.

The arrangements for the SCR will be strengthened when "sealed envelopes" are made available to protect sensitive information and when patients can access their record via the HealthSpace website... Connecting for Health must ensure that both "sealed envelopes" and HealthSpace are introduced as soon as possible, particularly so that their effectiveness can be assessed during the independent evaluation of the early adopter programme.

The sharing of unique smartcards between users is unacceptable and undermines the operational security of DCR systems. However, we sympathise with the A&E staff who shared smartcards when faced with waits of a minute or more to access their new PAS software. Unless unacceptably lengthy log-on times are addressed, security breaches are inevitable.

I'm sure there will be more to follow and that this report will generate wider interest - but if others have comments please add them.

Labels: , , , ,