Expert response to Caldicott review reveals true extent of challenge to protect patient privacy
The UK is lagging behind the rest of the world when it comes to taking steps to prevent data breaches, with NHS patients unaware whether their records are being illegally accessed, industry experts warned this week.
The stark claim comes as Dame Fiona Caldicott begins the consultation process for her Information Governance Review, which is being commissioned by the Government to consider the balance between protecting patient information and making decisions about what data should be shared in order to improve patient care.
In its response to the exercise, experts at privacy monitoring specialist, FairWarning, claim that unless the UK follows the US and some of Europe by introducing stricter guidelines, patients will not only be at risk of their notes being read by unauthorised personnel, but will likely never know a breach has taken place.
In a letter to Dame Fiona, the company’s founder and chief executive, Kurt Long, states: “Despite recent data from the UK Information Commissioner’s Office (ICO) revealing that data security breaches within the NHS have increased, there remains no legal requirement in the UK for providers to disclose to the patient when a privacy breach has taken place. This must be addressed as UK citizens have a basic right to know when their records have been inappropriately accessed and their privacy compromised.”
According to Long, the biggest driver for improvements in patient privacy will be tighter legislation around disclosure and notification.
He said: “When a breach has occurred, providers must be mandated to provide breach disclosure to patients, and breach notification to the ICO. This would bring a level of accountability to care providers that cannot be achieved by other measures such as random audits and fines.”
He added: “Healthcare privacy laws in the rest of the world are being significantly strengthened and we urge the UK to follow suit.”
In the US, ARRA HITECH privacy legislation introduced in 2009 lays down strict guidelines around breach disclosure and notification and, similarly, in Europe, pending legislation in the General Data Protection Regulation will mandate the disclosure and notification of privacy breaches to individual patients and governmental organisations respectively.
As well as making healthcare providers fully accountable for breach disclosure to patients and notification to the ICO, the FairWarning response makes a number of other recommendations based on the company’s work with health trusts in the UK, US, Canada and France. They include mandating trusts to build patient privacy into NHS IT systems by enforcing the compulsory use of audit trails across all healthcare applications. This, it claims, must be coupled with the publication of robust standards for audit trails:
Currently, with no legal requirement for electronic health record vendors or applications to produce a robust audit trail, when a privacy breach has occurred, neither the care provider, enforcement agencies, nor the patient have the ability to reconstruct who has been affected, to what extent damage has been done, and for how long it has been occurring.
To support this, the implementation of robust standards for audit trails will also be a key component in the delivery of an electronic healthcare model built on the principle of interoperable systems, which encourages the widespread sharing of data.
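As an added illustration of what the audit-trail requirement above has to support (example code, not FairWarning's or any NHS system's): given per-access audit records, reconstruct who was affected, what was done and over what period for one account under investigation. The log format, the sample lines and the "no recorded access reason" criterion for flagging an access are constructed assumptions for this example.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample audit trail (not real data). Fields:
# timestamp | user_id | role | patient_id | action | recorded_reason
SAMPLE_AUDIT_LOG = """\
2012-03-01T08:02:11 | u1042 | nurse | P-00017 | VIEW_RECORD       | treating_clinician
2012-03-01T08:05:40 | u1042 | nurse | P-00017 | UPDATE_NOTES      | treating_clinician
2012-03-02T21:14:03 | u1042 | nurse | P-00921 | VIEW_RECORD       | none_recorded
2012-03-05T22:31:57 | u1042 | nurse | P-00534 | VIEW_RECORD       | none_recorded
2012-03-05T22:33:10 | u1042 | nurse | P-00534 | PRINT_RECORD      | none_recorded
2012-03-09T23:02:44 | u1042 | nurse | P-00921 | VIEW_RECORD       | none_recorded
2012-03-10T09:00:00 | u2210 | clerk | P-00017 | VIEW_DEMOGRAPHICS | admissions
"""

@dataclass
class AuditEvent:
    ts: datetime
    user: str
    role: str
    patient: str
    action: str
    reason: str

def parse_audit_log(text):
    """Parse pipe-separated audit lines into AuditEvent objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, action, reason = [f.strip() for f in line.split("|")]
        events.append(AuditEvent(datetime.fromisoformat(ts), user, role, patient, action, reason))
    return events

def accounts_needing_review(events):
    """Accounts with at least one access carrying no recorded reason (assumed criterion)."""
    return sorted({e.user for e in events if e.reason == "none_recorded"})

def reconstruct_breach(events, user):
    """Scope of the incident for one account: affected patients, actions, time span.
    Returns None when the account has no unjustified access in the trail."""
    suspect = [e for e in events if e.user == user and e.reason == "none_recorded"]
    if not suspect:
        return None
    first, last = min(e.ts for e in suspect), max(e.ts for e in suspect)
    return {
        "affected_patients": sorted({e.patient for e in suspect}),  # who to notify
        "actions": sorted({e.action for e in suspect}),            # extent of damage
        "first_access": first.isoformat(),
        "last_access": last.isoformat(),
        "duration_days": (last - first).days,                       # how long it went on
        "event_count": len(suspect),
    }
```

Without the per-access records and a recorded reason field, none of the fields in the returned scope can be established after the fact, which is the gap the response describes.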
Concluding its response, FairWarning calls for reinforcement of a culture of privacy in the NHS.
“Effecting meaningful change is as much a cultural challenge as it is a technological one and education, training and awareness of patient privacy within the NHS needs to be improved”, the response states. “This can be achieved through the introduction of clear guidelines on information sharing and privacy in order to help healthcare providers put the right practical measures in place.”
Long concludes: “Electronic-based healthcare is among the most important advances of our times and acts as a powerful enabler, transforming how we plan and deliver care to individuals and populations.
“Given the rapid changes within the NHS, it is vital for healthcare leaders to make sure they also become leaders in privacy protection. It plays a vital role in ensuring that patients build trust to protect the reputations of healthcare providers.”
Studies suggest that improper access to patient records can do significant reputational harm to hospitals and damage the patient-clinician relationship. A recent survey of more than 1,000 UK patients revealed 86.5% of respondents believe a serious breach of personal data would do considerable damage to a hospital’s reputation and 87.2% believe the NHS should monitor who looks at their records.
As part of her review, Dame Fiona will be calling on an expert panel made up of clinical, social care, research and other professionals, as well as patients and service users. They will determine the detailed scope and priorities for the review and publish their findings later this year.
She said: “Since the original working group’s report on the security of patients’ information in 1997, it has become clear that there is sometimes a lack of understanding about the rules and this can act as a barrier to exchanging information that would benefit the patient.
“On other occasions, this has resulted in too much information being disclosed. These are issues of importance to everyone who uses health or social care services and our review will look across both sectors. We need to examine when, and how, to seek and record consent, to support the flow of information to enhance patient and citizen care.”