Making the information available from an individual's GP record makes you confront just about all the medical ethics, law and personal views you can think of. There is general support for the concept, and the idea of sharing this information to provide better care for the individual is certainly moral high ground. We decided to start in emergency care. However, for some people these records contain very sensitive information that they wish to keep private. In addition, the custodian of the record is subject to severe penalties for breaking confidentiality, a fact that has created a very risk-averse mindset.
We had watched others' attempts to do this, notably in the home countries. None had addressed all the issues we had uncovered, and they had got into difficulties over a number of privacy and security issues. Notably, there was a lack of understanding of the legal framework in which they were operating.
Our overall approach was guided by the principles outlined in the last blog. The idea was to go further than the law required and to adopt, in addition, ethical standards that would engender trust. We therefore introduced the principle of consent to enable individuals to control the record. We also used privacy and security design principles alongside each other to secure the record.
We communicated what we were doing through CHCs, NHS organisations, practices, adverts, mail drops and council newsletters. We offered the opportunity to opt out of the process and provided a professional, friendly approach to this. We used implied consent for gathering the information.
The record extracted from the practice was limited in several ways. Firstly, we only required the coded information. No free text or letters were extracted, as this is where the most sensitive information is often found. We did not extract “legally sensitive” information that cannot be moved from one system to another without the patient's explicit consent, e.g. gender reassignment. However, we went further and defined, with GPs and patients, a set of codes that could be considered sensitive to many people, such as contraception. We therefore defined a restricted record that contained all the important information but left out the sensitive information.
The next issue had led to conversations elsewhere along the lines of the number of angels on the head of a pin. How do you assert that a health professional has a legitimate reason to access a specific IHR? One approach would be to allow a professional to go fishing in the entire database of 3 million records, accessing whichever record they wished. This had proved to be an unacceptable risk elsewhere, encouraging browsing of records, and was therefore rejected. This problem was solved by allowing the machines to establish the relationship. So when you booked into out of hours as a patient, you were registered on the system by the call taker, and that system contacted the IHR database to obtain the IHR record. When the clinical professional saw you, they were only provided with your record and no facilities to search for other records.
In addition, when you were seen, the clinician had to ask your consent before they could open the IHR. This put another control in the patient's hands: the requirement for explicit consent before the record was viewed. A break glass function was also included to deal with extreme cases where an individual was incapacitated and unable to consent.
We were also concerned to keep the security framework simple and deliverable. We found that we only needed 4 roles to manage the entire system. However, we used security design principles that build in detection and reaction as well as defence in depth. We therefore introduced proactive audit of all accesses to the IHRs to check for suspicious activity. We also reminded users that if they detected access by colleagues that was suspicious, they had to report this or they too would be held accountable.
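The controls described above, expressed as an added Python example (not code from the IHR system). The class and function names, the placeholder codes and the rule for what the audit review flags are assumptions made for illustration.

```python
from dataclasses import dataclass, field
# Constructed placeholder codes; the real exclusion list is not reproduced here.
SENSITIVE_CODES = {"X-SENS-1", "X-SENS-2"}

def extract_restricted(gp_entries):
    """Keep coded entries only: drop free text and any excluded sensitive code."""
    return [{"code": e["code"]} for e in gp_entries
            if e.get("code") and e["code"] not in SENSITIVE_CODES]

@dataclass
class Encounter:  # created by the booking system when the call taker registers a patient
    patient_id: str
    clinician_id: str
    is_open: bool = True

@dataclass
class IHRGateway:
    store: dict                                    # patient_id -> restricted record
    encounters: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def register(self, encounter_id, encounter):
        self.encounters[encounter_id] = encounter

    def open_record(self, clinician_id, encounter_id, consent=False, break_glass=None):
        # No patient identifier is accepted, so there is nothing to search with.
        enc = self.encounters.get(encounter_id)
        if enc is None or not enc.is_open or enc.clinician_id != clinician_id:
            outcome = "DENY_NO_RELATIONSHIP"
        elif consent:
            outcome = "ALLOW_CONSENT"
        elif break_glass:
            outcome = "ALLOW_BREAK_GLASS"   # patient unable to consent; reason recorded
        else:
            outcome = "DENY_NO_CONSENT"
        # Every attempt is logged, whether allowed or refused.
        self.audit.append({"clinician": clinician_id, "encounter": encounter_id,
                           "outcome": outcome, "reason": break_glass})
        return self.store.get(enc.patient_id, []) if outcome.startswith("ALLOW") else None

def flag_for_review(audit):
    """Assumed review rule: surface every refusal and every break-glass use."""
    return [a for a in audit if a["outcome"] != "ALLOW_CONSENT"]

if __name__ == "__main__":
    gp = [{"code": "X-ASTHMA", "text": "note"}, {"text": "letter"}, {"code": "X-SENS-1"}]  # constructed
    gw = IHRGateway(store={"p1": extract_restricted(gp)})
    gw.register("e1", Encounter("p1", "c1"))
    print(gw.open_record("c1", "e1"), gw.open_record("c1", "e1", consent=True))
```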
Using the above controls has satisfied most of the very real patient and professional concerns that we encountered. This is proving a pragmatic, workable solution to these issues in Wales and, I am glad to say, has been copied successfully in the home countries.
As a result of our work, an interesting standard has been established to clear the fog on excluded sensitive codes in summary records in the UK. We are so delighted that this list, compiled without our involvement, contains our original spelling mistakes ;-).