Presentation is loading. Please wait.

Presentation is loading. Please wait.

Medical Data Confidentiality 101 Dr Jeremy Rogers MD MRCGP Senior Clinical Fellow in Health Informatics Northwest Institute of Bio-Health Informatics.

Similar presentations

Presentation on theme: "Medical Data Confidentiality 101 Dr Jeremy Rogers MD MRCGP Senior Clinical Fellow in Health Informatics Northwest Institute of Bio-Health Informatics."— Presentation transcript:

1 Medical Data Confidentiality 101 Dr Jeremy Rogers MD MRCGP Senior Clinical Fellow in Health Informatics Northwest Institute of Bio-Health Informatics

2 Confidentiality in a nutshell Don’t tell ANYBODY ANYTHING about a person EVER unless you have their consent

3 But its not that simple ►Obligation to disclose when in public interest ►Includes, but not limited to, statutory reporting ►Product recall e.g. ►faulty surgical implant – need registry ►faulty surgeon (HBV) may require naming surgeon ►Billing for care provided to organisation commissioning it ►Patient name and address by tradition used as order number ►Research

4 Overview ►Medical Data Confidentiality in the UK ►What patients want ►The Law ►Ethics ►Licensing and policing ►The reality ►USA and HIPAA ►EC Regulation

5 Protecting Confidentiality The UK

6 Trust me, I’m a doctor… ►Until 19th century, reliance on good faith of researchers ►A few researchers broke that trust ►Burke & Hare 1827 ►Organ Retention Scandals - Bristol and Alder Hey 1998 ►19 th Century Legislation ►Anatomy Act (1832) ►Cruelty to Animals Act (1876) ►20 th Century Legislation ►Animals (Scientific Procedures) Act (1986) ►Human Fertilisation and Embryology Act (1990) ►Data Protection Act (1998) ►Health and Social Care Act (2001) ►UK Medicines for Human Use (Clinical Trials) Regulations (2004) ►Human Tissue Act (2004)

7 What do the patients think? Public Consultations ERDIP Share with Care YouGov

8 NHS Consultations on Confidentiality ERDIP Report #5 Electronic record development and implementation programme ►October 2002 to January 2003 ►Minimal publicity ►Consultation of dubious value ►Based on 6 focus groups in nursing homes

9 NHS Consultations on Confidentiality Share with Care (NHS & Consumer’s Assoc 2002) ►Lots of trust, no awareness of reality ►60% would not want to put health info into a virtual sealed envelope ►More concern on who uses info and whether it is anonymous than how it is used ►People prefer to grant access to specific types of people for any purpose, rather than for a specific purpose but by any type of person ►Support principles of consent and anonymisation for all non-treatment reasons ►Most don’t want to be asked for consent for use of anonymised data, but would like to know as a courtesy ►Sex and race difference ►Women and Caucasians want confidentiality ►Pragmatics: spend money on care, not on systems to protect confidentiality

10 2005 YouGov Survey n=2000 ►75 % do not object to medical records being held on computer ►But 25% do ►80% afraid non-health professional will have access to their record ►77% want explicit opt-in consent ►93 % want public consultation first

11 The UK today in a nutshell… Common & Statute Law PIAG GMCMRCNHS Policy Caldicott Guardians You Information Commissioner SCAGLREC Journals Medical Data 4 th Estate

12 The UK today in a nutshell… ►2 Common Law principles (consent, and privacy) ►5 Acts of Parliament ►5 bodies making policy ►Parliament, GMC, MRC, RECs, NHS ►More than one document each ►5 oversight/licensing bodies ►RECs, Caldicott, PIAG, SCAG, Information Commissioner ►Different remits - not bound by each other’s decisions ►Approval does not guarantee no possibility of prosecution ►Plus 3 more for special occasions (GTAC, MRHA, HTA) ►5 Police Forces ►The Law Courts – put you in jail ►The GMC – remove license to practise ►The Research Councils – refuse grants ►The Scientific Press – refuse to publish ►The Tabloid Press – public humiliation

13 UK: The Law

14 Remember…the law is an ass ►Chandler v Webster (1904) ►Claimant rented room from which to watch the coronation, at higher than normal price reflecting demand, and left a deposit. Coronation cancelled. ►Court agreed that contract was frustrated, but deemed that not only should deposit NOT be returned, but claimant remained liable for the full agreed balance, because losses must ‘lie where they fall’. ►Anchor Brewhouse v Berkely House (1987) ►Pub seeks court order to stop booms of building cranes swinging over their property. No question of any damage, or likelihood of damage. ►Court (reluctantly) obliged to rule that it was technically a trespass, and should stop.

15 UK Legal Regulation ►Common Law (Tort) ►Duty of confidence in absence of consent ►Right to grant or withhold consent ►Except, also legal duty to notify ►Birth, death, infectious disease ►Access to Health Records Act 1990 ►Now only relevant to deceased patients ►Human Rights Act 1998 ►Basic right to privacy ►Data protection act 1998 ►Freedom of Information Act 2000 ►General right to request any info held by any public body ►Includes e.g. written local data governance protocols ►Identifiable clinical data is exempt (as governed by DPA) ►Non-identifiable and aggregated results are not exempt ►Health and Social Care Act 2001 (Sections 60 & 61) ►Powers to stop or require information disclosure

16 Data Protection Act 1998 Principles: Exec Summary ►At least one of: ►Consent ►Necessary ►to meet any legal obligations arising out of agreement with subject ►to protect data subject from death ►No infringement of rights or interests of data subject ►Plus, if sensitive, at least one of: ►Explicit consent ►Necessary to meet employment rights/obligations ►Processor is NPO ►Information already in public domain ►Required for legal proceedings ►Necessary for healthcare, and undertaken by healthcare professional with duty of confidentiality ►Obtained for specified (lawful) purposes, and not used in any incompatible manner ►Must not hold or acquire data not needed to fulfil stated purposes ►Data to be accurate and up to date ►Destroyed once purposes met ►Data subject must have access, right to correct and right to prevent processing that causes distress ►Appropriate safeguards to prevent unlawful processing, or accidental loss. ►Must not transfer data outside EEC unless to territory has adequate protection

17 Section 60 of the Health and Social Care Act 2001 ►DPA would have closed down the Cancer Registries ►Data collected without consent, because of numbers ►Identifiers included to assist detection of duplicate reporting ►DoH wants to block as well as enable data flows

18 Section 60 of the Health and Social Care Act 2001 ►Regulates use of identifiable patient data without consent ►Defines ‘patient information’ ►Defines ‘confidential patient information’ ►2 types of support ►Specific support ►Where purpose of collection is complex or controversial ►Requires debate in parliament, advised by PIAG ►Class support ►Where purpose is one of 6 (relatively) uncontroversial kinds ►Requires approval by Secretary of State, advised by PIAG ►Exemption is reviewed annually ►Supposed to be a transitional measure

19 Patient Information Advisory Group (PIAG) ►Established in December 2001 ►13 members, meet every 3 months ►Applications MUST demonstrate: ►Why collecting the data is medical useful ►Why consent can not be obtained ►That data will be destroyed when no longer needed ►A clear exit strategy that involves either: ►Obtaining informed consent in future ►Anonymising data ►Explicit remit to work itself out of a job ►By encouraging change in culture & practise

20 Security and Confidentiality Advisory Group (SCAG) ►Established in 1996 ►Governs access to 3 NHS databases ►Hospital Episode Statistics database ►NHS-Wide Clearing Service database ►NHS Strategic Tracing Service.

21 UK: Ethical Oversight

22 Ethical Regulation: General Medical Council ►ABSOLUTE ideal of consent if possible ►Even if patient not identifiable ►Minimum disclosure ►Use deidentified information wherever possible, even if you have consent ►Consent to treatment implies consent to share information needed to effect treatment ►Recipient of information given must be under duty of confidence (ie know that info is not in public domain) September 2000

23 Consent even if not identifiable? Source Informatics Ltd v Department of Health ►Source Informatics Ltd ►Scheme to buy data from pharmacists: content of NHS prescription forms, except identity of the patient ►Aggregated info to be sold to pharmaceutical companies, to be used to target marketing at GPs based on their known prescribing behaviour ►DoH ►Concerned that use of anonymous information could be used to increase national drug bill ►Guidance document: this information is confidential

24 Consent even if not identifiable? The Legal Decision ►High Court (May 1999) ►Anonymised and aggregated data was patient confidential and could not be disclosed without consent from each patient. ►Except that disclosure of data within the NHS might be justified ‘in the public interest’ or on the basis of implied consent. ►Court of Appeal (December 1999) ►GMC makes representation (costing GBP 40k) ►High Court overruled: Privacy is the only issue: patients have no proprietorial claim to the information ►Section 60 Health and Social Care Bill ►NHS applies for powers to regulate or require use of data it generates ►Granted, but GMC succeeds in lobbying for PIAG to regulate the Secretary of State

25 So: no consent if anonymised Why still in GMC guidance? ►Patient Groups ►Trust between doctors and patients can only be maintained if patients must give express consent to all disclosures ►Research and Public Health ►strong public interest in information being available ►GMC Compromise: ►Seek patients’ consent to disclosure of any information (whether or not identifiable) wherever possible ►Anonymise data where unidentifiable data will serve the purpose (even if you have consent) ►Keep disclosures to the minimum necessary

26 GMC Guidance Confidentiality: Protecting and Providing Information (Sept 2000) ►Section 4 - Disclosure other than for treatment ►Seek consent wherever possible ►Whether or not identifiable ►Anonymise, even if consented ►Principle of minimum disclosure ►Section 15 – when unlikely to cause harm ►Obtain consent to use of identifiable data ►OR ►Member of health care team should anonymise

27 GMC Guidance Confidentiality: Protecting and Providing Information (Sept 2000) ►Section 16 – if consent and anonymisation by carer not practical ►Can disclose to non-carer for anonymisation ►provided ethics committee approves ►Only where identification is essential may identifiable info be disclosed ►Provided patient is told: ►Data is being disclosed, why it is being disclosed, that person getting the data is under duty of confidentiality ►That they can object ►Section 17 ►Do not release under section 15/16 unless trained and authorised by health authority and subject to duty of confidentiality through contract

28 GMC Guidance Confidentiality: Protecting and Providing Information (Sept 2000) ►Sections 40-42: after death ►Duty of confidentiality continues after death ►Circumstances dictate how much ►Risk of distress to the living ►Recognised situations ►Coroner’s investigation (inquest to cause) ►CEPOD, clinical event audit, education, research (but: anonymise) ►Public health ►Conflicts ►E.g. life insurer vs widow

29 GMC Guidance 2000 IdentifiableAnonymised HarmlessHarmful Obtain Opt-In Consent Implied Opt-Out Consent Consent Possible Consent Impractical Public Good No Public Good No Consent (At your peril) STOP

30 GMC Guidance Confidentiality: Protecting and Providing Information (April 2004) ►Ensure patients know about all actual or possible disclosures and have had the opportunity to opt-out ►Use deidentified information wherever possible, even if you have consent ►Minimum disclosure ►Disclosure of identifiable data, other than to treat or for clinical audit by the caring team, requires opt-in consent ►Clinical audit by anybody other than the caring team must be on anonymised data, otherwise opt-in consent is needed ►Disclosure of identifiable data for non-audit but harmless purposes requires either opt-in consent or section 60 exemption

31 GMC Guidance 2004 AnonymisedIdentifiable Obtain Opt-In Consent Implied Opt-Out Consent Consent Possible Consent Impractical Public Good No Public Good STOP No Consent Needed No PIAG Support PIAG Support STOP Non-local audit or research Local treatment or audit Exit strategy

32 Ethical Regulation: Medical Research Council ►Summarises regulatory environment (PIAG, COREC etc) ►Extracts of relevant legislation ►Raises issue of statistical disclosure control ►Set of requirements for physical and logical data security ►Recommendations for data preservation and sharing ►New guidance in draft (2005)

33 Ethical Regulation: British Medical Association

34 UK: Putting it into practice

35 NHS Code of Practice (2003) ►Summarises regulatory environment (Statutes, PIAG, COREC etc) ►Extracts of relevant legislation ►Decision flow diagrams ►Mentions Privacy Enhancing Technologies ►Strong authentication for CfH NCRS under development

36 Caldicott Guardians: Origins ►Review commissioned in 1997 by CMO ►Increasing concern about ways NHS uses patient information ►Need to protect confidentiality ►Concern largely due to fears that information technology has capacity to rapidly and extensively disseminate information about patients ►Committee chaired by Dame Fiona Caldicott ►Principal of Somerville College Oxford ►Previous President Royal College of Psychiatrists ►Reported December 1997

37 Caldicott Report: Guiding Principles 1. Justify why patient data is needed 2. Don't use patient-identifiable information unless necessary 3.Use the minimum necessary identifiable information 4.Strict ‘need to know’ access to identifiable information 5.Everyone should be aware of their responsibilities to maintain confidentiality 6.Understand and comply with the law, in particular the Data Protection Act

38 Caldicott Report: Recommendations (not legally binding) 1.Every dataflow, current or proposed, should be tested against basic principles of good practice. Continuing flows should be re-tested regularly. 2.A programme of work should be established to reinforce awareness of confidentiality and information security requirements amongst all staff within the NHS. 3.A senior person, preferably a health professional, should be nominated in each health organisation to act as a guardian, responsible for safeguarding the confidentiality of patient information. 4.Clear guidance should be provided for those individuals/bodies responsible for approving uses of patient-identifiable information. 5.Protocols should be developed to protect the exchange of patient-identifiable information between NHS and non-NHS bodies. 6.The identity of those responsible for monitoring the sharing and transfer of information within agreed local protocols should be clearly communicated. 7.An accreditation system which recognises those organisations following good practice with respect to confidentiality should be considered. 8.The NHS number should replace other identifiers wherever practicable, taking account of the consequences of errors and particular requirements for other specific identifiers. 9.Strict protocols should define who is authorised to gain access to patient identity where the NHS number or other coded identifier is used. 10.Where particularly sensitive information is transferred, privacy enhancing technologies (e.g. encrypting identifiers or "patient identifying information") must be explored. 11.Those involved in developing health information systems should ensure that best practice principles are incorporated during the design stage. 12.Where practicable, the internal structure and administration of databases holding patient- identifiable information should reflect the principles developed in this report. 13.The NHS number should replace the patient's name on Items of Service Claims made by General Practitioners as soon as practically possible. 14.The design of new systems for the transfer of prescription data should incorporate the principles developed in this report. 15.Future negotiations on pay and conditions for General Practitioners should, where possible, avoid systems of payment which require patient identifying details to be transmitted. 16.Consideration should be given to procedures for General Practice claims and payments which do not require patient-identifying information to be transferred, which can then be piloted.

39 Caldicott Report Recommendations (Summarised) 1.All data flows should be subject to ‘good’ practise 2.Promote awareness in NHS 3.Caldicott Guardians 4.Guidance for safe use of identifiable data 5.Protocols for exchange with non-NHS bodies 6.Identify those responsible 7.Recognise who does good job 8.Use NHS Number only 9.Strict access controls 10.Privacy enhancing technology for sensitive data 11.Design good practice into clinical systems 12.Database structure and admin should reflect principles 13.Use NHS number on GP item of service claims asap 14.ETP systems design should reflect principles 15.Systems to determine GP pay should not require identifiable patient data 16.Same as 15

40 Caldicott Guardians ‘A senior person, preferably a health professional, should be nominated in each health organisation to act as a guardian, responsible for safeguarding the confidentiality of patient information’ (ie CYA for the organisation) …so there’s more than one guardian in a multi-centre study

41 Role of Caldicott Guardian: To ensure that.. ►All data disclosures are formally justified ►Information is exchanged only when absolutely necessary ►Only minimum data required for job is exchanged ►Appropriate access controls are implemented ►All data users know their responsibilities ►Law is complied with

42 Meanwhile….the real world

43 Meanwhile… The Reality ►Estimated 20,000 successful deliberate unauthorised accesses annually ►Obtained by phoning up and asking ►NHS Clearing centralises NHS order and invoice reconciliation ►But keeps persistent record of all events that pass through it, including name and address ►Draft NHS charter (2003) claims NHS has right to refuse to treat some patients who refuse to allow their information to be shared ►Though right to opt-out from NCRS is now granted (2005)

44 Meanwhile… For sale: Memory Stick and 13 Lancashire Cancer Patient Records Confidential medical records of 13 cancer patients from Royal Bolton Hospital on a portable memory stick sold as new to a Crewe estate agent. Records included dates of birth, home addresses, telephone numbers, family medical histories and GP details, dating back to 1999. Patients' group "absolutely horrified" Cancer charity "very alarmed" MPs "concerning breach” and "inexcusable” (7th March 2003)

45 Meanwhile…How? For sale: Memory Stick and 13 Lancashire Cancer Patient Records Contractor for the hospital's computer systems took a hospital computer to a 3 rd party firm for an upgrade Computer previously used to set up a database of colo-rectal surgery patients Data copied to the stick as backup during upgrade Stick resold as new for £30.

46 Meanwhile.. Backup tape of 57,000 patient records stolen 13 th July 2005 2 computers and 185,000 patient records stolen 28 th March 2005 Register of 6500 HIV patients emailed 22 nd February 2005 1600 medical records stolen with laptop: nobody told October 2004 Bangalore transcriptionist threatens disclosure 28 th October 2004 Redditch Health Centre Computers Stolen 30 th September 2004 8 years of patient pathology data stolen 14 th June 2004 UK Mental Health Team computers stolen (twice) March 2004

47 Meanwhile… Data control and paranoia ►Ian Huntley (Soham Murders) ►DPA forced police to destroy record of multiple unproven allegations ►George and Gertrude Bates ►British Gas cut off couple because unpaid £140 bill and no response after 10 attempts to contact ►Believed DPA prevented disclosure to social services ►Both found dead in their lounge October 2003 ►Cause of death: hypothermia and heart disease ►£277 in cash on table beside bodies ►£1116 in purse in shoe

48 International Comparisons The USA: HIPAA

49 Health Insurance Portability and Accountability Act (1996) ►50,000 people consulted ►Defines data exchange standards ►Standards for Privacy of Individually Identifiable Health Information ►In force from April 2003 ►Rules not fixed until 2000 ►Short implementation timeframe ►Distracted by Y2K

50 HIPAA Penalties ►Executives legally responsible for failures to comply ►Stiff financial and jail penalties in the event that a breach occurs ►Deidentified info is exempt ►11,000 complaints in first 24 months

51 HIPAA and Consent ►Must tell patients of how you plan to control use and disclosure of their data ►Disclose only minimum info needed top fulfil reason for request ►De-identify wherever possible ►Train your employees ►Complaints procedure ►Appoint a privacy officer ►Must obtain consent for all routine use and disclosure ►..and separate explicit consent for each and every instance of non-routine use or disclosure ►Unless exempt: publich health, research etc ►Patients must have right to restrict disclosure ►Patients have right to complete disclosure record

52 HIPAA Deidentification ►Deidentified data does not identify an individual and there is no reason to think it could ►Data is considered to be deidentified iff: ►EITHER An expert says that the risk of re-identification is ‘very small’, and documents why they believe this ►OR…

53 HIPAA Deidentification ►The following identifiers of the data subject ►and their relatives, employers ►and any household members (related or not) are removed AND ►the information supplier has no actual knowledge that the information could be used in any way to re-identify the data subject

54 HIPAA identifier data fields All geographic subdivisions that identify <20k people All date elements except the year including Date of birth & death Date of healthcare event All ages over 89 Telephone/Fax numbers Email addresses SSN, Health plan#, Acct# Certificate or license # Vehicle Ids and license# Device Ids and serial# Web URLs IP numbers Biometric idents, includig voice & finger print Full face photo or similar Any other unique identifying characteristic or code

55 HIPAA one-way key You may use a new unique identifier to allow re-identification by the information originator provided that: ►The new ident is not derived from or related to the data subject and can not itself be used to help re-identify them ►The re-identification key is kept securely

56 HIPAA partial deidentification ►Limited Data Set is partially deidentified ►Can include ►postal code or other geo information ►Dates of significant events ►Date of birth or death ►Provided data subject enters into a specific data use agreement

57 International Comparisons: The EEC

58 EC Directive 95/46/EC ►Europe’s own privacy standard ►Members shall prohibit processing personal data concerning health or sex life except for: ►Diagnosis or treatment ►Public heath ►Criminal offences ►Fulfilling specific contractual obligations ►Legal claims ►For any purpose where consent has been obtained

59 Privacy Enhancing Techniques ►Anonymisation ►Can never totally prevent re-identification ►Shetlands postman problem ►Pseudonymisation ►Can never totally prevent re-identification ►Encryption ►Public Key Infrastructures empirically hard to establish ►Statistical Disclosure Control ►Database privacy gauging for dynamic dilution of database ►Proxy services ►Data flow segmentation

60 Summary ►Increasingly complex area ►Different regulatory regimes militate against internationally based trials ►Tendency for data custodians to avoid all risk by saying ‘no’ ►Complex implementation ►But weak points are human error, not policy ►Possibility of blind siding ►Central assumption that disclosure of medical detail is most likely source of harm to an individual ►Medical records increasingly valuable as substrate for identity theft?

Download ppt "Medical Data Confidentiality 101 Dr Jeremy Rogers MD MRCGP Senior Clinical Fellow in Health Informatics Northwest Institute of Bio-Health Informatics."

Similar presentations

Ads by Google