Minister backs NHS link-up to digital medical records but campaigners warn of data privacy risks

Out-Law News | 17 Jan 2013 | 3:16 pm | 2 min. read

NHS patients should each have a digital medical record that public health providers can access "when necessary" and where individuals' "permission" has been granted, the Health Secretary has said.

In a speech on Wednesday, Jeremy Hunt said he wanted the NHS to be "paperless" by 2018, in a move he said could reduce costs and improve services. However, the plans have been criticised by a privacy expert and campaign group Big Brother Watch (BBW).

"There must be total commitment to ensuring that interaction is paperless, and that, with a patient’s consent, their full medical history can follow them around the system seamlessly," Hunt said. "Clearly we need protocols so that people can be comfortable that their data is only being accessed when necessary and with their permission. But if the banks can make people confident that their money is safe, we must surely be able to develop a system that keeps medical records safe too."

"Then there is the importance of the doctor-patient relationship. There will be many times when only a face-to-face meeting will do. But allowing repeat prescriptions to be booked online will free up much more time for such meetings, as well as offering a better and more convenient service for patients," he said.

Digital data should be available across the "thousands" of different systems that are currently in operation in the NHS by "linking" those systems through "common standards", Hunt said. "Things don’t have to be the same. They just have to be compatible," he added.

The Health Secretary said that a paperless system could help NHS staff deliver a "more personalised service" and that savings made from the changes could be "released to spend on better care". Accounting firm PricewaterhouseCoopers (PwC) has said (60-page / 811KB PDF) that up to £4.4 billion of savings could be made in the NHS if information and technology were better utilised.

"Over a million people have some form of contact with the NHS every 36 hours and have done so for over 60 years," Hunt said. "This produces mind-boggling amounts of data that, if properly utilised with the right safeguards, can help improve treatments, unlock new cures and transform the face of modern health and social care."

However, Nick Pickles, director of BBW, said that there were a number of details around data privacy that needed to be addressed in the plans.

"The Department of Health needs to be absolutely clear who will hold our medical records, who can access them and reassure patients that their privacy will not be destroyed in another NHS IT blunder," Pickles said in a statement. "Detail on how patients will give their consent, who will have access and what rights patients will have after sharing is sparse. As we have previously highlighted, barely any NHS systems have the ability to give patients the option of seeing who has looked at their medical records. Without this audit trail, abuse is often very difficult to spot."

Ross Anderson, professor in security engineering at the University of Cambridge Computer Laboratory, also raised concern about new protocols that he said could override patients' wish for confidentiality of their medical data.

"The minister says we have an opt-out; but no-one seems to have told him that ... GPs will in future be compelled to upload a lot of information about us through a system called GPES (General Practice Extraction Service) if they want to be paid," Anderson said in a blog. 

Plans have already been set out that will see a move towards paperless referrals in the NHS by March 2015. GPs will also be required, upon request, to provide details of patients' diagnosis or condition and the action taken to review or intervene by health professionals, amongst other information, to the Health and Social Care Information Centre (HSCIC) under a "new clinically-led, local commissioning system".

GPs will be able to use the "secure" GPES system to provide the patient data, or use other means deemed appropriate by the HSCIC, according to guidance (9-page / 210KB PDF) issued by the NHS Commissioning Board last month. 

The Board described HSCIC as a "statutory safe haven" and said that "patient identifiable components will not be released outside the safe haven except as permitted by the Data Protection Act".