Confidentiality and sharing health information
BMJ 2009; 338 doi: https://doi.org/10.1136/bmj.b2160 (Published 15 June 2009) Cite this as: BMJ 2009;338:b2160
All rapid responses
Rapid responses are electronic comments to the editor. They enable our users to debate issues raised in articles published on bmj.com. A rapid response is first posted online. If you need the URL (web address) of an individual response, simply click on the response headline and copy the URL from the browser window. A proportion of responses will, after editing, be published online and in the print journal as letters, which are indexed in PubMed. Rapid responses are not indexed in PubMed and they are not journal articles. The BMJ reserves the right to remove responses which are being wilfully misrepresented as published articles or when it is brought to our attention that a response spreads misinformation.
From March 2022, the word limit for rapid responses will be 600 words not including references and author details. We will no longer post responses that exceed this limit.
The word limit for letters selected from posted responses remains 300 words.
“The flow of high quality, up to date information, accessible to
patients and immediately available to appropriate health professionals,
will create a virtuous circle: clinicians will be able to do a better job,
and patient outcomes will improve”.
The above quote from this journal is justified. The availability of
this information creates a good trigger for dialogue. The data is
centrally processed into meaningful information is fed back to the
different stakeholders in the health system.
A few selected indicators are processed and display anonymously into
a useful set of health messages. For example some information may be given
by the patient at individual level but this information can be used for
the public good.
A case study that may involve such an aspect is the assessment of the
client satisfaction with the services at a given health facility. The
results from the analysis of such data can be used to hold dialogue
sessions for improvement. The dialogue sessions may include the health
workers, the patients, the Community Health Workers (CHWs),Health
Committee members and community members. The action plan may result in
improvement on the client satisfaction at the health facility level. This
outcome of improvement agrees with the argument above that clinicians will
do a better job. In other words improved service delivery and health
outcomes.
The provision of high quality health care also requires large data
flows for planning. The ADPA model relies on data that triggers dialogue
for continuous improvement. ADPA means Assess, Dialogue, Plan and Act. In
this kind of a set the data is the energy source that drives this dialogue
which can also be referred to wheel of change.
The debate on whether the patients’ information should be treated as
individual or public good can be handled carefully by considering ethics
in research. Regulations such as anonymous data at the national level
protects the patients from harm. Issue of confidentiality considered at
the health facility level and disaggregating data for individual, health
facility, district , national and international levels.
Competing interests:
None declared
Competing interests: No competing interests
It is a mistake to think that the way to process health data for
research or probably for much of care is to collect all of it from many
places and then analyse it in one place.
It is a mindset comon in primary care trusts and other varieties of
health authority - "Send us all your patients records, we want to count
how many of them have Diabetes".
A better approach would be to send the question - automatically,
system to system not person to person - and receive the number. 82
More complex processing is no harder to do where the data is than
where it is done at present, and the problems of collecting the records of
many onto a place from which a worker may copy them to a thumb drive and
then lose it are avoided.
Last century the MIQUEST ssytem, allowing querying of GP computer
systems in a Health Query Language (HQL) which is a superset of (a subset
of) Structured Query Language (SQL) was developed for this and other
purposes. The apparent fact that the people who want the conclusions do
not understand the best tool for extracting and analysing the data should
not be taken as a recommendation for them, nor for them to do it in other
arbitrarily reinvented fashions. Quite the reverse.
In the event that patient identified information is sent elsewhere,
each item and each access, subsequently as well as at the time of
extraction, should be reported automatically to the patient. A brief
sketch of one way to do this is presented at
http://www.flickr.com/photos/midgley/3622837633/
Competing interests:
None declared
Competing interests: No competing interests
The ethical debate about managing patient information security and
confidentiality sharing data from a Central Care Record is entirely
unnecessary as there is no need for and indeed no established case for the
creation of such a record.
Sheather's editorial highlights four needs - for:
1. flow of information to 'support 21st century healthcare' assisted
by:
2. a single secure confidential Electronic Patient Record (EPR) for
every person to assist information flow and provide a focus for:
3. timely communication to improve day-to-day patient care and
provide:
4. legitimate access to records for research, audit, commissioning,
planning and governance.
The single secure confidential EPR exists and is alive and well cared
for in Primary Care (General Practice) throughout the UK, and it is
virtually universal. It does not have to be re-invented in another form
such as the Central Care Record (CCR). The only reason why the Primary
Care EPR is not used to send and receive information to and from secondary
care is that the UK government's efforts to create a CCR have held up, nay
stopped dead, such flows as secondary care continues to wait and wait for
the CCR and still has no EPR to communicate with the Primary Care record.
As Sheather says, there are no ethical objections to such digital
electronic communications as they simply replicate the existing analogue
paper communications.
The fourth need (the subject of so much futile debate and hand
wringing) for legitimate access to EPRs for audit, research,
commissioning, planning and governance can be met by existing technology
which provides analysis of extracted pre-anonymised (de-identified) data
collected from GP EPRs, as practiced for the past 18 years by several
organisations including the charity Doctors' Independent Network (DIN).
The Central Care Record scheme should be abandoned and all efforts
directed at creating a standard (using Read codes version 2 as currently
used in most GP systems) for a universal transmissible EPR for use across
all health and social care sectors, providing EPRs to all care providers
but making the GP EPR the main one to which all others report, thus
facilitating the data flows so desperately needed for optimal patient
care. Access by organisations not directly involved with patient care for
research and so on can be limited to anonymised data collected and
governed by 'trusted third parties' such as DIN.
Competing interests:
Dr Roger Weeks is the chairman of Doctors' Independent Network (DIN)
Competing interests: No competing interests
“Confidentiality and sharing health information”
BMJ 2009 ;338:b2160 doi: 10.1136/bmj.b1260
Data is a useful resource for the health and the care of patients and
is expensive both to create and record. Patients invest their lives and
their confidentiality when they register with a health service provider.
They expect a service that improves their lives with the minimum amount of
harm from the treatment or disclosure of their personal data. The balance
between the unwanted disclosure of data and harm from non disclosure of
data is not dissimilar to the risks and benefits of prescribed drugs. Not
enough and inaccurate information can harm or kill them. Too much can
cause them shame, embarrassment, and economical or employment problems.
As Richard Thomas and Mark Walport’s review described there is a
balance to find between the two risks. Having been a GP in Manchester and
surrounds for 30 years I hope to see a far more seamless care system for
my current and ex patients before I hang up my medical bag. Why can I not
see the hospital record of my patients and why can the hospital doctor not
see the GP record that I have so carefully created to represent my
patients?
In January 2008 I became a pro-active Caldicott Guardian pushing for
more and better sharing of information. The Data Protection Act is a good
tool to help me, professionals and patients. However it needs to be taught
to all professionals. It is currently not part of Medical students’
mandatory training and should be.
So what does does the DPA do?
The Data Protection Act requires lawful and fair processing of
personal data. It requires the appropriate technical and organizational
measures to be taken against unauthorized or unlawful processing of
personal data and against accidental loss or destruction of, or damage to,
personal data.
Data subjects’ rights include the right of access to personal data,
the right to prevent processing likely to cause damage or distress, the
right to prevent processing for purposes of direct marketing, the rights
in relation to automated decision-taking and the rights to request
rectification, blocking, erasure and destruction.
Fair and lawful processing of data is enhanced by access to records
by patients and we are investing in and researching this process at
Tameside and Glossop PCT. Fair processing also requires a conversation
with our public and visibility of data flows. We publish our third party
data sharing agreements, data flows and registers of clinical records on
our public facing website.
www.tamesideandglossop.nhs.uk/templates/Page____937.aspx
We are working with our PCT’s Contractor and Performance department
to produce data sharing contracts for our service providers as required by
the DPA ( “Where processing of personal data is carried out by a data
processor on behalf of a data controller, the data controller must in
order to comply with the seventh principle—
(a) choose a data processor providing sufficient guarantees in
respect of the technical and organisational security measures governing
the processing to be carried out, and
(b) take reasonable steps to ensure compliance with those measures.
12 Where processing of personal data is carried out by a data processor on
behalf of a data controller, the data controller is not to be regarded as
complying with the seventh principle unless—
(a) the processing is carried out under a contract—
(i) which is made or evidenced in writing, and
(ii) under which the data processor is to act only on instructions from
the data controller, and
(b) the contract requires the data processor to comply with obligations
equivalent to those imposed on a data controller by the seventh
principle.”)
We plan to allow patients to access the audit trails to their own
records too.
Patients experience a conceptually whole NHS but are treated by a
data fragmented NHS. The Data Protection Act, training, Information
Governance and modern technology will provide a solid platform for data
sharing. We all need culture change, training, application and true
patient and public partnership for the successful implementation of
information sharing.
Richard Fitton
Caldicott Guardian
Tameside and Glossop PCT
Progress Way
Windmill Lane
Denton
Manchester M34 2GP
0161 304 5300
Competing interests:
None declared
Competing interests: No competing interests
Confidentiality and Sharing Health Information
The Issue of confidentiality is quite complex. I do agree with most
of the authors comments on confidentiality. In most cases patients
release information not even knowing that it is going to be shared among
the health personnel directly involved in providing care, and yet this is
what usually happens. This affects patents confidentiality though it is
beneficial for providing care to the patient.
In reference to releasing data required for ancillary use such as
audit, research, care planning or accountability, this actually poses a
problem in confidentiality because the information is being used or at
times even published without the consent of the source (patient).
Some of the patients are aware of the above scenarios and do not
disclose sensitive information leading to fragmentation and bias. Sharing
information among health personnel who are directly involved in care and
also the use information for ancillary processes are very important for
patients’ care and planning. I do accept that there is need to balance
rights to health care with duties to share information, without
conflicting the issues of confidentiality in future, by explaining to the
patient the future prospective of releasing health information.
Beatrice Amuge
Competing interests:
None declared
Competing interests: No competing interests