Evidence submitted by Ms A Jones (EPR
07)
SUMMARY
Thank you for the opportunity to comment on
the above. My background is IT and this system has fantastic potential,
but only if the confidentiality issue is taken very seriously.
We need to be sure that Doctor/Patient confidentiality is maintained
to the highest degree, and that GPs/other medical professionals
will not be required to pass on our personal information under
any circumstances without our (written?) consent. This system
is unique in that it should, and must, stand alone from all the
other proposed/existing database systems. The key to its success
is privacy and anonymity. Already a growing number of people visit
a GP's surgery at random claiming to be on holiday and possibly
using a false name and address rather than having their condition
logged on their own record on their GP's system. The greatest
danger is that people with various sensitive conditions will not
present for treatment or help if the issue of confidentiality
is not robustly enforced.
1. What info should be held?
The absolute minimum level of personal data
should be held to preserve privacy without compromising health,
eg:
Initials and surname (not
full name).
Age band (not age/date of
birth).
House number and post code (not
full address) (Apparently a surname, house number and post code
are sufficient to have a letter delivered).
Optionalphone/mobile phone
number and email address.
With the consent of patients, certain medical
conditions, immunisations, operations, allergies and current medication
should be noted. This includes Parental Consent for children under
16 years. A time limit should be considered eg: only data for
past 10 years. GP/other narrative comments should be omitted.
We all know our NI Number so it should be possible
to allocate a permanent NHS number if necessary to ensure the
correct record is accessed.
Patients should be able to opt-out of the system
if they wish. If a good, robust and secure system is seen to work
efficiently and effectively then perhaps people may choose to
opt-in at a later date.
2. Access (local and national)
Only the patient's GP should have
full accessnot auxiliary medical or admin staff at surgeries.
Hospitals should only have access
via GP giving permission to a hospital consultant so a log of
authorised access is created. A system to control this "out
of hours" and in an emergency should be developed.
Nursing and other staff in hospitals/surgeries
should not have full access to complete patient recordstheir
need for information should be confined to current treatment and
information directly relevant as directed by the patient's consultant
or GP. This is absolutely essential in the case of sensitive circumstances
or conditions (alchohol/drug use; STDs; domestic violence; depressive
illnesses etc). Perhaps thought should be given now to the manner
which information relating to these sensitive issues is stored
and used. Failure to address this will lead to people not seeking
appropriate treatment or help. No other body should have access
to medical records under any circumstances.
A patient should be able to view
their full record at any time and there should be a clear and
simple procedure to correct any wrong or misleading data.
3. Protection of patient confidentiality
This is the greatest weakness in the system.
BrieflyI experienced a leak of three distinct pieces of
my medical info. I could do nothing as I had no absolute proof.
I sold my house and moved 250 miles away. This was due to a community
medical staff known to me socially (not a GP) having what seems
to be unlimited access to records. This is why every possible
step must be taken to limit the personal or identifying data held
in the patient record and there must be very clear and stringent
penalties for any abuse of the systemno matter how trivial.
In my case if my full name, address etc had not formed part of
my record it would not have been possible for the gossip to be
connected to me. Thought needs to be given as to why this specific
and full identifying data needs to be included rather than my
suggestion at Para 1. The confidentiality issue is not really
about what the GP knowsit has more to do with the casual
users of the system who may not be involved in your care or who
may see your data in passing.
When attending a medical appointment
there is no need for your complete record to appear on screen
in front of the Administrator. A time-out should be build in to
guard against a patient record being accidently left on-screen.
A chip and pin-type card held by
the patient should be used to access the full patient record.
The argument that we may forget or loose a card does not hold
water. We all manage to carry our various credit, debit and store
cards and remember our various pins. Alternative arrangements
could be made for those who genuinely could not reliably use this
card system. For the minority who find themselves in an emergency
without their card the same procedures apply as nowmedical
professionals do their best in the circumstances.
The proposed system will not remove
the need to describe your condition several times to various medical
professionals. The comprehensive patient held notes used during
pregnancy do not avoid this happening as it is easier/quicker
for medical staff to talk to you than to read pages of notes.
There is no reason to link this database
with any other database. A Medical Record should be a completely
separate entity to other public or private Personal Information
databases.
4. Data for other purposes
Patients could be asked to sign up
to their statistical data (not personal data) being collected
for other purposes eg: research. In a database system it is very
easy to implement this.
The GP or hospital consultant should
be the gatekeeper of this data, providing total numbers or percentages
or depersonalised case histories for research purposes. Most people
would be comfortable with this.
5. Progress and delay
If this system is implemented without thorough
open discussion and debate it will become an expensive failure.
Time taken now to think through all the implications and to listen
to people's genuine fears and concerns will ensure the final design
is acceptable and fit for purpose. The system needs to be thoroughly
piloted and tested before implementation. All major IT systems
take years. In this instance it is essential to invest the time
to make sure it is absolutely watertight and foolproofunfortunately
this will take longer than you think.
Thanks for your time.
A Jones (Ms)
7 March 2007
|