No single opt-out on medical records database

Tags: BMA CRS emergency Government GP HIS Information iS NPfIT Quality

08 Mar 2005

Patients will be unable to make a single request for their records not to be held on the NHS Care Records Service. Instead they will have to ask their details are not recorded onto the national medical records database each time they deal with the health service.

Any patient who does not want their medical information held on the NHS CRS Service will only be able to do so if they can demonstrate they will suffer significant distress or damage, and will be required to prove this afresh each time they come into contact with an NHS service.

The apparently cumbersome opt-out policy adopted by the National Programme for IT’s programme board has been outlined by NPfIT’s Caldicott Guardian Phil Walker in a letter to a GP.

Dr Mark McCartney, a GP in Pensilva, Cornwall, wrote to NPfIT at the end of January because one of his patients had requested that their personal information was not stored electronically via the NHS Care Records Service.

Walker told Dr McCartney that the right of a patient to opt out of having information about them recorded within the NHS CRS was covered by the Data Protection Act 1998. The right is separate to mechanisms by which patients can request that their details held on the national database not be available to health professionals other than their doctor.

He said: "This permits a patient who feels that they are suffering, or may in future suffer, significant damage or distress to ask for the processing of data to cease, including the holding of data.

"The process by which a patient may demonstrate the required level of damage or distress is still being considered but will need to be in place prior to NCRS going live with clinical details included."

Walker said that if a patient was successful in demonstrating the required damage or distress data would be removed from the systems. However he added: "If the patient re-presents for subsequent NHS care there will be a new entry of data and the patient will need to again establish that they are suffering, or may suffer, significant damage or distress."

Dr McCartney told EHI Primary Care that the reply had been helpful but criticised the requirement for a patient to show distress each time an NHS contact was made.

He said: "It doesn’t seem to be a realistic opt out and the greater risk is that it will lead to the quality of information that’s recorded being more vague and general."

Walker told Dr McCartney that there were other ways in which the patient might protect their information such as using access controls which would mean that only the organisation that entered the data would be permitted to see it.

He added: "The use of sealed envelopes, which should be available just about the go live time for NCRS will allow your patient to put particularly sensitive details under seal, perhaps allowing you and no-one else to see them without consent except in emergency situations."

Walker said that he hoped the process by which patients could demonstrate distress would be in place before clinical details went on the NCRS which he said was planned to be in the autumn of this year.

Dr Paul Cundy, chairman of the joint GPC/RCGP IT committee, told EHI Primary Care that it was not up to the NPfIT to dictate what rights patients had over information held on the NHS Care Records Service. He added: "I don't give a fig what the NPfIT Caldicott Guardian says. It's not up to the National programme for IT and the government to decide on this, it's up to the profession and patients."

Dr Cundy said the BMA had not finalised its position on NPfIT's opt out policy and planned to hold a conference to debate the issues.He added: "We will then aspire to provide the national programme with an informed and debated view from the profession and patients as how we think it should work."

Readers Comments

Benefits to patients in sharing information

08 Mar 05 13:57

Perhaps Dr McCartney's patient should consider how many deaths will be avoided through the ability to share data. I personally have been involved with the Coroner on more than one occasion where the lack of information sharing significantly or wholly contributed to the death of a patient.

The access controls within NCRS, along with the sealed envelop concept will restrict access to information far more than happens today - GP practices being a good example where reception/office staff often have unlimited access to clinical information.

Are we all not duty bound by our professional codes of conduct to treat patient information with care and respect and after all do we not all work for the NHS - for the benefits to patients?

Personally I can't wait for NPfIT to be delivered - it will take out a great deal of risk in my everyday professional life where I have to make decisions based on what information I can glean rather what information is known and should be available.

(Comment edited by EHI)

Horrified to learn that patients may be denied single opt out for their information on CRS

08 Mar 05 19:34

I am generally supportive of NPfIT and need no convincing of the potential benefits of CRS but I was horrified to learn that patients may be denied the single opt out for their information being held centrally. I'm suspicious that this is an attempt to gloss over a major issue that the profession needs to resist if we are to take seriously our duties as doctors. I believe that patients should opt in - they should be asked before their information is published centrally and theyr should be given the option to be able to say - "Thank you - but No". It should be possible for a patient to make an informed choice about whether their information should continue to be published. There are only a few exceptions I can readily think of - a patient identified as potentially violent should not be allowed to supress "Risk of Violence" for example on CRS. I cannot believe that this issue would not upset the majority of patients and health care professionals alike. This issue has greatly concerned me for some time - doing the right thing by patients often isn't easy but it simply isnt acceptable to take the easy option just to achieve a national programme's objectives. Shroud waving isn't fair either - not when we are considering restricting an individuals right not to indicate that they dont wish to have information stored about them on a national database. I asked several patients tonight in evening surgery how they felt about it and they wanted the right to say "I opt out" just the once.

I cant remember being so annoyed by a proposal realted to NPfIT in a long time. Mind you, hearing that is had been accepted and agreed that " Patients managing and changing their passwords for CAB in Primary Care - would not cause GPs or their staff much administrative burdon" seemed to me to be a delusional belief that came pretty close 2nd!

Confidentiality vs better healthcare

PETER.SINGLETON@CHI-GROUP.COM

09 Mar 05 06:49

We need to balance the Platonic 'ideal' of patient consent with some hard-headed pragmatism in order to get integrated systems started - we should look to improve standards as we progress, not stop good practice just because it could be bettered.

Just about everyone would like to offer patients a full range of choice, but 'the devil is in the detail' as ever. Patients would like to be asked first - who wouldn't? Ask them though if they want to be consulted about every possible clinical use and whether they want researchers to contact them at every turn for permission to use their data – and even the most avid privacy activist might start thinking that we need to keep things simple and proportionate to the risks, so that people have some choice, but not a free rein to make a mess of the healthcare system.

There is no doubt that the present solution is not perfect. The repeated opt-out doesn’t sound elegant, but, if we believe that the solution of an EHR is needed, then we have to accept that opting out of it entirely is not generally in the patient’s best interests – if people want to withhold their data, then they really should fully understand what it might mean to them in the future. We should be looking to the ideal of ‘fully informed dissent’ rather than ‘fully informed consent’, given the way the risks and costs lie.

The fact that so much of current emergency medicine is done by doctors ‘flying blind’ is probably a great credit to their skills, but a damning comment on the present state of affairs, especially when compared with activities in other industries, where integrated supply chains and mechanisms to ensure safety and quality are the norm rather than the exception.

Doctors are right to raise issues of confidentiality, but there are greater concerns over the quality and safety of patient care in the NHS system. There are at best a few cases concerning breaches of patient confidentiality (ever) against the thousands of cases of deaths from medical error each year. We need a solution that is good enough, in confidentiality terms, to allow us to get started with improving healthcare – whether the systems proposed will do that is another matter.

Few Breaches of confidentiality with current system

09 Mar 05 09:29

I have read the subsequent posts with mounting horror. Surely the reason there have been few breaches of confidentiality with the current system is that the records are inherently inaccessible- the act of publishing patient's data without their express consent to the CRS raises the risk of breach of confidentiality manyfold. Suggessting that receptionists have access to data etc. as a criticism of the current system is a red herring. Computerisation in local surgeries has generally made notes even more secure - (our system now has Role Based Access determined confidentiality policies that never existed with paper notes). Publishing medical data to the CRS is another matter altogether. Suggesting that patients couldnt understand the true nature of the benefit that they would derive from having their data published to the CRS, in my view, risks seriously patronising the general public. If we are so confident that the case is compelling, then educate the public and let them opt in rather than adopt this administratively convenient paternalistic "We know best and are therefore making the decision for you" approach!

FUD and rubbish, often repeated

MIDGLEY@MEDNETICS.ORG

09 Mar 05 15:33

"The access controls within NCRS ... will restrict access to information far more than happens today - GP practices being a good example where reception/office staff often have unlimited access to clinical information."

This is repeated so many times I don't think it is an accidental misunderstanding of the threat model.

In general practice or on the wards receptionists have access to notes of the patients currently registered with the Practice or in the ward.

If departed patients' notes are not locked, they may look up patients who previously chose to receive care from and share information with that organsaition.

The threat of NCR is that all of these records are to be aggregated for the whole country.

This makes them a far better target - one could build a business out of getting access to the records of _anyone_ in a way that one could not from getting access to the 2000 to 30 000 patients of a single practice.

It also removes the exposure... Anyone accessing records at present must do so where the records are stored.

A sensible intermediate is to store records where the patient is, and negotiate access with others at a distance.

Part of the threat model for GPs and citizens is that the people least trusted to misuse records are both likely to be involved in the custody of central records, and likely to be convinced that if they are analysing records it is for the good of the State or the Service.

But to peddle the idea that my receptionist could currently sell you the hospital records of somone in Darlington is to show yourself either confused or attempting to confuse the rest of us.

Opt-in/Opt-out on NCRS

PETER.SINGLETON@CHI-GROUP.COM

09 Mar 05 18:51

My apologies for referring below to commentators by part of the title of their comment, but I can see no easy alternative.

I will try to keep to the 'opt-in' vs 'opt-out'point rather than getting into the question of whether NCRS is generally the right approach/solution for the NHS as do some of the postings.

I should correct one aspect of my previous posting: like Domestos, which "kills 99% of all known germs", there are few “known” cases where a breach of confidentiality has lead to harm and a subsequent court case – there may be cases where the complaint was settled out of court, but not recorded (at least centrally - perhaps for "confidentiality" reasons!) - there may be a lot of cases where a breach occurs and harm is caused, but the data subject is unaware and so unable to seek redress.

"Few breaches" (FB) is quite right to note that NCRS will greatly increase the risk of breach of confidentiality over the present arrangements - opt-in or opt-out won’t change that. That is more a question of whether NCRS delivers benefits to patients and the NHS to offset the increase in risk - and the billions of investment too, of course. It clearly needs to have good security measures to protect the data and minimise the risk - without preventing proper usage by being unwieldy.

When I interviewed Dr. Ross Anderson of Cambridge University four years ago, he was highly critical of NHSnet security and complacency about the risks to confidentiality - however, the most common form of breach of confidentiality was by a private investigator "blagging" - using a telephone to ring a GP surgery and pretend to be an A&E clinician and so seeking information on a patient for their client, perhaps an employer or insurance company. Hopefully, most GP practices now use call-back techniques to prevent this - at least, NCRS would eliminate this duping of practice staff as there should obviously be no need for another clinician to call. There is clearly still room for subversion of NHS staff - experience with DVLC database showed that effective monitoring and sanctions are the best defence here.

I don’t think that anyone has suggested that “patients couldnt understand the true nature of the benefit” as FB seems to think – the evidence is that patients can understand it all too well, and the vast majority, when they have had it explained, are happy for their data to be on the system in the same way that they expect any bank branch to have their details available (the risks/threats are different, of course, as Dr. Midgley would note).

There is no suggestion of patients not having a choice, though clearly the question is ‘loaded’ by using opt-out, but given such evidence as there is indicates that well over 90% want in, then it is counter-intuitive to set the system default to be "off".

The opt-in option sounds nice, but the costs of the consent process are enormous if one is to get a high enough take-up rate to make it worthwhile for an A&E clinician to consult the NCRS when someone turns up without any records. There is no point putting in a system that won't get used. A 30% response rate would be fantastic for any marketing campaign, but the kiss of death for any EHR system where I should think at least a 90% hit rate would be needed for it to be useful to clinicians.

"Horrified to learn" (HTL) notes the administrative burden of managing patient passwords for CAB – and that is an "opt-in" system where costs only occur where patients want on-line access. For NCRS, we would need to seek consent from all members of the public, not just those who are current patients.

Doctors are quick to point out where administrative costs are being incurred unnecessarily and could be better used to fund direct care for the public – quite rightly – but an opt-in approach would be a huge cost nationally where we already know what most people would choose, surely a cheaper system, where we support the 5% or so who do have some objection or concern, must be the right route to take.

Ross can be read directly

09 Mar 05 19:39

Ross Anderson's views are straightforward and can be read at http://www.cl.cam.ac.uk:80/users/rja14/ "scroll down to security in medical record systems"

Prof Anderson has not been a supporter of the Care Record Service, in concept or execution, in my experience.

Police and intelligence services will abuse compulsory NCRS

MJCBROWN@YAHOO.COM

10 Mar 05 11:44

In the mid 1970s, Judge Krever's Royal Commission into the Confidentiality of Medical Records in Ontario showed that by far the most frequent mis-use of medical records was by the Royal Canadian Mounted Police (RCMP) requesting access to medical records OSTENSIBLY for immigration control purposes. But in Canada the RCMP also has the role of collecting political intelligence. Special Branch and other security services will have a field day trawling through the NCRS in the detection of crime as they are allowed to do under Data Protection Act. The case of Church of Scientology v. Department of Health showed how liberal the DoH is with even psychiatric records.

Data reliability

james@laing.plus.com

10 Mar 05 23:12

GPs are in my view rightly concerned about the confidentiality issues of the NCRS but also about the accuracy of the data on the spine. The assumption that the information will be accurate or complete enough to base emergency clinical judgements on seems unrealistic. A lot of GP computer data is excellent but much is incomplete and some inaccurate. You will be accessing data stripped of context and possibly free text, without knowing the reliability of the data recorder, no audit trail(as far as historical data is concerned) and no idea how many times it has been mangled by data transfer. Cleaning our own data for instance showed a handful of people on the diabetes register where the coded entry was preceded by the free text "Family History". Things will become more complicated as secondary and primary care data is mixed together with no clear "data owner" who will be responsible for maintaining an accurate narative

Why does the NCRS need a patient's identity?

smghughes@yahoo.com

11 Mar 05 11:23

None of the clinical or research use cases I've seen require the patient's personal identity to be stored with their medical records, if the patient's GP is the master and only storer of a patient's personal identity (i.e. name and address and other contact-type details). The GP's system generates an identity key that is stored on the NCRS database, along with the GP's key. The NCRS stores the patient's now anonymous records with the identity key only, plus the identity of the GP. Only the GP knows and stores the identity of the patient.

If research on the NCRS indicates a particular patient would benefit from a particular treatment, then the GP can be advised, and the GP then identifies, from the patient's key, their identity, and hence can contact and control how the patient is informed of this advice.

Because the NCRS has no way of identifying the patient, all of the patient's medical records that it holds would no longer be circumscribed by the Data Protection Act, and any 'leaks' from the NCRS cannot lead to the identity of a patient.

Other NHS staff that need to access a patient's records would normally do so through the GP, as currently. For example, when an appointment is made the relevant records could be sent (encrypted, of course) from the GP's system to the cunsultant's system, which would then store these locally and temporarily. Once the appointment expires, the local data is deleted.

The patient should also be issued with their key, say stored on a smart chip, so that if involved in an accident, they could hand it to the medical staff who would use it to access their records directly from the NCRS.

This card might of course be welcomed by the governernment as it could also serve as a national identity card in terms of accessing other government services, but only if the other services maintained a separate and different identity key that could also be stored on the chip.

OPTING OUT

helenwilkinsonmakey@fastmail.fm

11 Mar 05 15:56

I am a Practice Manager so fully understand all the issues peratining to NCRS. I am also another patient who has been unsuccessfully trying to opt out of NCRS. I have been trying to opt out of NCRS since last Aug. My MP has taken up the issues with John Hutton but both John Hutton and Phil Walker are refusing to allow me to opt out. Dr Andrew Murrison the Shadow Health Minister is also aware of the problems I am having.

I believe it will cause patients immense distress if they have to justifiy their reasons for not wanting their details on NCRS each time they come into contact with the NHS.

I have to some extent managed to solve the problem. I am fortunate in that I am able to afford extremely comprehensive Health Insurance. My GP has deregistered from the NHS and has offered to see me for free. UCLH have been helpful they know me both as a patient an ex employee. They have taken off their PAS/EPR system totally and are giving me the complete set of my medical records so that I can arrange an appointment directly with my Consultant (as I am no longer on PAS/EPR) and take my medical records with me.

This is still very unsatisfactory as the Secretary of State for Health has an obligations to provide NHS care to every UK Citizen. I am being denied NHS care as I refuse to have my personal and clinical details on NCRS.

I do not believe NPfIT have the right to make these sorts of decisions over patients personal and clinical details. Patients need to be able to make an informed choice over NCRS and should have the right to completely opt out of NCRS.

I would take full responsibility for my decison should this comprise my care in any way.

Data management?

PAPER.RECORDS@NTLWORLD.COM

14 Mar 05 23:55

My name is 'Mary Jones'. Lately I have moved my GP Practice, because I have got married. My name is now 'Mary Smith.'

I am getting treated by a local acute hospital for a chronic condition.

The acute hospital send a letter to my old GP practice with advice about my medication, the hospital not knowing yet I have moved.

Has NPfIT published the protocols that ensure all the data for Mary Smith/Jones finishes up against the one CRS record.

Given the need for quality checks, is there a published perfomance criterion for how long it should take for this data to become available, nationally.

If the data is out-of-date or misaligned, but acted on by a clinician, who bears the risk?

Further to my 'data management?'

PAPER.RECORDS@NTLWORLD.COM

15 Mar 05 17:32

I paste below the reply to a similar query put to NPfIT, and received today. That query, like the one posted, finished with the question of risk.

"The role of the Personal Demographics Service (PDS) - one of the national NHS Care Records Service (NHS CRS) elements - is to become the sole, authoritative source of demographics for the NHS CRS. All NHS CRS compliant local services must defer to the PDS for their demographics, for certain business event classes, which includes updating demographics with any necessary corrections and changes. Such interactions with the PDS will be governed by procedures and protocols to elicited up-to-date demographic information from patients, when patients present at a NHS CRS enabled NHS contact point. Back office processes will be in place to deal with any confusion cases, of the sort exemplified in the question, which will minimise the risk of mis-associations.

Existing national demographics services - such as the NHS Strategic Tracing Service (NSTS) - are key enablers for NHS CRS, for cleansing local data, prior to migration to NHS CRS."

A disgrace.

bevernbridge@yahoo.co.uk

17 Mar 05 08:35

That there is no single opt-put facility planned for this system is a disgrace !

Confidentiality and Secrecy

14 Apr 05 17:26

I am the manager of a PAS system for a Trust and am aware of the shortfalls of such systems there is no way that Mr Blair would have been able to keep his child's vaccination history secret someone would have breached the system because it is so easy to do so.

I think this absolute failure of security is the fault of the sycophants who are trying to please their political masters rather than actually doing their job of advising correctly. There are a significant number of people in this country who would not just be embarrassed but humiliated if their medical history was made available to persons who knew them and such humiliation would severely affect their ability to function both at home and especially at work.

At present staff health departments keep records which often mimic their NHS rcord secret from employers. This will become impossible in the NHS since all the employer has to do is consult the national system. All of us in the system know how easy that is. Despite all the words on paper there is no way of enforcing them. Every patient should have the right to know who has accessed their records, when it was accessed, where from and why. THen the patient can make the decision if the access was appropriate and correct rather than us so called professionals who have other 'more important' things to do and will hence be less vigilant.