COMMENT: The UK’s opportunity to take a lead on data privacy

Kurt Long of FairWarning talks about how the drive to give patients access to their medical records is increasing pressure on the NHS to protect personal data

In this article, KURT LONG, chief executive of FairWarning, discusses how the drive to give patients greater access to their healthcare records must be aligned with a new privacy culture to protect individuals from data breaches

The modern NHS stands at the threshold of a major opportunity to transform patient services through the innovative application of healthcare technologies. In fact, current efforts to integrate health and social care provide a powerful catalyst to ensure that the NHS maintains its global reputation as a provider of world-class healthcare, and the ambitions laid out in the UK Government’s recent NHS Information Strategy are a great example of this.

Indeed, its whole premise is one based upon the delivery of integrated care through the creation of a transparent, open-access service where patients are empowered by the secure exchange of health information. This is clearly about encouraging shared decision-making between clinicians and patients with the belief that informed and engaged patients are more likely to be compliant with their treatments and take greater involvement in the management of their care, which, in my mind, can only be a good thing.

A right to know

There is no doubt, then, that the Government’s strategy, The Power Of Information, provides an essential blueprint for the future of the NHS. But to deliver it, UK policymakers must ensure the vision, which provides patients with greater access to their healthcare records, aligns with a privacy culture that protects individuals from having their personal data breached. As privacy is a globally-recognised patient need and right, the widespread adoption of healthcare IT will only be realised if patient privacy expectations are comprehensively met - and this is where the UK has an opportunity to take a lead.

The IT strategy’s guiding principle of ‘no decision about me, without me’ must therefore be applied to patient privacy. UK citizens have a fundamental, democratic right to know when their records have been inappropriately accessed and their privacy compromised. To this end, NHS professionals must be made more accountable for protecting patient privacy – beginning with the mandatory requirement of disclosure to the patient when a breach has occurred. This must be achieved so as not to be at odds with creating a ‘patient-centred’ philosophy, or to belie our hard-earned Western societal values of openness, transparency, democracy and equality.

End to ambiguity

It is because of this that most would share the sentiment that the UK’s health service needs to keep people’s records safe because it is the right thing to do. The whole reason why the NHS is such an admired institution is because it is founded on the principle of right – the right of all to have the best possible care, no matter who they are, how rich they are, or where they live. It’s a concept which most healthcare professionals do an immense amount to protect.

Yet there still remains an ambiguity in that the need to ensure patient privacy has often failed to take the priority it deserves as the NHS rushes forward, eager to harvest the great goods offered by electronic health records (EHRs). Part of the reason for this is that there remains no legal requirement for healthcare organisations to inform patients when their privacy has been compromised. This has created a rather absurd situation where breaches of citizens’ personal details are still allowed to happen within the NHS, a publicly-funded organisation which is effectively there to serve and protect them from harm. Surely they have a right to know, just like they would be informed of other risks of harm such as the introduction of a virus or spreadable disease.

The UK leads the way

Future expectations around confidentiality are therefore high and the UK, like any other global nation, has an obligation to play a leadership role in meeting them. Patients across the UK have enormous faith in the NHS, but evidence shows that more needs to be done for medical information to be shared securely to ensure the very best patient outcomes.

In the electronic age, and as society becomes more digitised, protecting patient privacy is a major human rights challenge. It is an issue that is not confined simply to celebrities or VIPs; it concerns every single patient in the UK. With a population of more than 60 million people, and around a fifth of those receiving NHS care each year, the size of the challenge is clear. But it is a challenge that can be overcome.

The tools for progress are already there. Innovative technological solutions that can enhance the ability to protect patient data and bolster privacy and security policies are readily available to the NHS. In the first instance, trusts should be mandated to build patient privacy into all NHS IT systems by enforcing the obligatory use of automated audit trails across all healthcare applications. These can be used to help monitor and pro-actively identify where and when privacy breaches have taken place and when a patient has been injured through a breach. Secondly, any efforts to reinforce a culture of privacy across the NHS would be strengthened by making healthcare providers fully accountable for breach disclosure to patients and breach notification to the Information Commissioner’s Office.

The UK has a golden opportunity to lead the way on patient privacy and is already demonstrating that it can achieve this. While healthcare privacy laws around the world are being strengthened to protect patients – and pending European regulation in the General Data Protection Regulation will mandate the disclosure and notification of privacy breaches to individual patients and regulators respectively – the UK does not need to wait for EU regulation. In fact, with full patient access to electronic health records planned for 2015, it cannot afford to – it must take the initiative now. As history demonstrates, the UK can take the lead and boasts a strong record of taking its own independent route in matters of great national importance!

Optimism for change

There are already clear signs of optimism and change, having seen the decisiveness with which the health service can act when patient privacy rises to the top of the agenda. Certainly the Government and regulators are treating data issues with increasing seriousness, showing respect for the 2010 NHS Constitution, which enshrines the right to privacy and an expectation for the NHS to keep confidential information secure. Plus the Information Governance Review, led by Dame Fiona Caldicott, is well underway in terms of spearheading the drive for change to help protect patients’ rights.

As well as this there are many forward-thinking healthcare providers that are now moving ahead at some pace to deploy privacy enhancing technology and procedures. For example, NHS Scotland, which employs nearly 132,000 staff, including more than 8,500 doctors, is now deploying patient privacy auditing and monitoring across all 14 NHS health boards, and Northern Ireland is following suit, with Wales also showing a great deal of interest in protecting patients from privacy breaches.

Plus, the ongoing dissolution of the National Programme for IT (NPfIT) is giving trusts in England greater autonomy over their technology and many trusts are moving fast to ensure their electronic health records will be secure to the core. Aintree University Hospital NHS Foundation Trust, which is recognised as having developed one of the most advanced IT architectures in the NHS with around 90% of its health records being electronic, is deploying a privacy monitoring solution across all of its clinical systems; and Homerton University Hospital NHS Foundation Trust, which was designated as the official hospital for the 2012 London Olympics, has implemented a privacy breach detection solution across its EPR system for the acute side of the trust, following on now with one across its community EPR system.

As a result of these innovating healthcare providers, the future is looking brighter as they set a precedent for the rest of the UK, and the world, to follow.

Seizing the opportunity

The NHS is the cornerstone of a UK society founded on the democratic principle of high quality healthcare, accessible to all. It is a globally-revered brand, synonymous with delivering the highest standards of patient care. But the current model is under increasing pressure. The pathway laid out in the Power of Information is absolutely the right strategy to transform service delivery and shape a sustainable model for the NHS of the future.

With the clock towards 2015 already ticking, the NHS can become a global leader on patient privacy. Electronic healthcare is one of the most important advances of our time. It presents a huge opportunity to build a sustainable healthcare model that can transform patient care – and it’s well within reach. But there is a significant human impact if that opportunity is lost. If privacy concerns cause us to miss out, the NHS risks being unable to deliver the care that’s necessary at an individual level or on a countrywide basis.

The opportunity is now – the UK can seize it, and lead the way in safeguarding patients’ right to privacy. It can achieve this by making healthcare providers fully accountable for breach disclosure to patients and breach notification, mandating trusts to build patient privacy into NHS IT systems by enforcing the mandatory use of audit trails across all healthcare applications, and by reinforcing a culture of privacy and transparency through education and awareness and embracing the concept of the patients’ right to know who is accessing their records.
