Paperless medical records: where’s the privacy protection?

Today’s announcement from the Health Secretary that all patient medical records will be held in electronic form by 2018 has grabbed some headlines, but the underlying privacy risks seem to have been given short shrift.

“Paperless records” is a nice soundbite, but the change creates significant privacy risks. The Department of Health needs to be absolutely clear about who will hold our medical records and who can access them, and it needs to reassure patients that their privacy will not be destroyed in another NHS IT blunder.

Detail on how patients will give their consent, who will have access and what rights patients will have after sharing is sparse. As we have previously highlighted, barely any NHS systems have the ability to give patients the option of seeing who has looked at their medical records. Without this audit trail, abuse is often very difficult to spot.

We’ve previously highlighted how patient confidentiality has been breached five times every week in recent years, but these figures are the tip of the iceberg. More than 100 staff were dismissed in three years for data protection breaches. The Information Commissioner has previously warned of ‘systemic’ problems in the health services’ management of patient data.

The timetable announced today aims for hospitals to have “digital records that are capable of being shared” for all their patients from 2014. From 2015, NHS referrals will be “fully paperless” and the “ambition” is for the entire health service to “go paperless” by 2018. This would include joining up health and social care systems, with private companies potentially given access.

Speaking to Policy Exchange this evening, Jeremy Hunt will say, “We need to make sure there are proper protections in place and proper patient consent is given so that patients know how their data will be used.”

However, as Prof. Ross Anderson of the University of Cambridge points out on his blog, this seems largely impossible given that GPs will be forced to upload data to a new system called GPES if they want to get paid.

Conservative policy on this issue was clear at the last election: “We will put patients in charge of their own health records, with the ability to choose which providers they share them with.” From the detail we know, it seems ‘control’ is something patients will not be able to exercise in practice.

There is a real risk that if patients aren’t assured that this scheme is fully secure then people will stop sharing information with their doctor and that could be extremely dangerous for care.