NHS patient information audit uncovers "significant lapses" in confidentiality

Nick Partridge, who conducted the investigation, stated: ‘The public merely will not tolerate vagueness about health care information that could be intensely personal to them.’ Photograph: Frantzesco Kangaris

The NHS physique charged with safeguarding confidential health information has announced a rolling programme of spot checks on companies, charities, universities and government bodies that have acquired healthcare information soon after an investigation uncovered “important lapses” in safeguarding patient confidentiality.

The investigation had been prompted by considerations raised by the wellness pick committee in February, the place MPs had been unconvinced by the arguments put forward by the Well being and Social Care Info Centre, the newly produced central database for wellness information, that patient privacy had been safeguarded.

This kind of was the public anger over programs to make a single English health-related database – harvested from GP and hospital records and containing data on psychological health problems and this kind of ailments as cancer, as properly as smoking and drinking routines – that ministers very first put on hold the proposals prior to scaling back the programme. It will now start with a 100 or so GP surgeries in the autumn.

The audit, led by former Terrence Higgins Believe in chief executive Sir Nick Partridge, located that three,059 information releases had taken location in between 2005 and 2013 – with a comprehensive examination of ten% of these. It discovered “lapses in the strict arrangements that had been supposed to be in spot to make sure that people’s individual information would never be utilized improperly”.

Of those examined in depth, it was discovered that one study programme had no legal authority to get patient-identifiable data but was nonetheless accessing NHS data in 2014. And a further eight were still getting mortality information – which could probably pinpoint individual patients – with out approval. In all 9 instances medical researchers have suspended their work.

Partridge, who is a non-executive director of HSCIC, also pointed out that there have been “information sharing agreements” created with 3 reinsurance organizations that permitted people reinsurers to proceed to use the information till the agreements expired in 2015 and 2016. All 3 businesses have been asked to delete these medical data, the review stated.

One particular set of records – which included a decade’s well worth of hospital data with patients’ partial postcodes and partial date of birth, including month and year as well as gender, dates of admission, diagnosis, speciality, and treatment method – went to French multinational reinsurer Scor. Yet another similar data set went to the United kingdom subsidiary of the Reinsurance Group of America. Each had been utilised to set “reinsurance premiums” for insuring essential sickness circumstances.

One more reinsurer Millman obtained two years of patient care information – detailing NHS amount, age at start off of hospital spell, gender, partial postcode, dates of admission, diagnosis, speciality, and therapy – to be employed as component of a solution sold to customers.

Partridge explained that not only would the law be modified this 12 months to restrict the movement of information “solely to the functions of benefit to overall health and social care systems” but that he was well mindful of “public concern about insurance coverage businesses holding information drawn from overall health sources”.

“I ensured that the HSCIC’s chief executive wrote to the three companies concerned asking them to delete the information ahead of this legislation coming into force,” he stated.

There was also apparent confirmation that a centralised database could be accessed by police to locate people. There were 12,733 “accepted and accepted” approaches to the NHS, which led to 3,104 prospects for officers. The HSCIC has stated it will now report every single quarter on requests from law enforcement, stressing that the information only reveals the place of the nearest GP and would only be given for investigations into severe crimes.

Phil Booth, coordinator at patient pressure group medConfidential, mentioned: “This is obviously technique failure above a time period of many years. Patient information is out there and the public don’t know exactly where it is. Businesses acquiring it did not know their duties as information controllers and they have not been in a position to distinguish amongst information sharing and reuse. This implies we will in no way know who acquired hold of the data.”

Partridge explained HSCIC have to understand the lessons of the previous. “The public just will not tolerate vagueness about healthcare records that could be intensely personal to them. We exist to guard their data and we have to earn their believe in by demonstrating scrupulous care with which we take care of their private data.

“We can now make certain we conform to current legislative alterations, so that data is launched when it will benefit the health and social care program.”

NHS patient information audit uncovers "significant lapses" in confidentiality