1 / 60

Medical Data Confidentiality 101

Medical Data Confidentiality 101. Dr Jeremy Rogers MD MRCGP Senior Clinical Fellow in Health Informatics Northwest Institute of Bio-Health Informatics. Confidentiality in a nutshell. Don’t tell ANYBODY ANYTHING about a person EVER unless you have their consent. But its not that simple.

lee
Télécharger la présentation

Medical Data Confidentiality 101

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Medical Data Confidentiality 101 Dr Jeremy Rogers MD MRCGPSenior Clinical Fellow in Health InformaticsNorthwest Institute of Bio-Health Informatics

  2. Confidentiality in a nutshell Don’t tell ANYBODYANYTHINGabout a person EVERunless you have their consent

  3. But its not that simple • Obligation to disclose when in public interest • Includes, but not limited to, statutory reporting • Product recall e.g. • faulty surgical implant – need registry • faulty surgeon (HBV) may require naming surgeon • Billing for care provided to organisation commissioning it • Patient name and address by tradition used as order number • Research

  4. Overview • Medical Data Confidentiality in the UK • What patients want • The Law • Ethics • Licensing and policing • The reality • USA and HIPAA • EC Regulation

  5. Protecting ConfidentialityThe UK

  6. Trust me, I’m a doctor… • Until 19th century, reliance on good faith of researchers • A few researchers broke that trust • Burke & Hare 1827 • Organ Retention Scandals - Bristol and Alder Hey 1998 • 19th Century Legislation • Anatomy Act (1832) • Cruelty to Animals Act (1876) • 20th Century Legislation • Animals (Scientific Procedures) Act (1986) • Human Fertilisation and Embryology Act (1990) • Data Protection Act (1998) • Health and Social Care Act (2001) • UK Medicines for Human Use (Clinical Trials) Regulations (2004) • Human Tissue Act (2004)

  7. What do the patients think?Public Consultations ERDIP Share with Care YouGov

  8. NHS Consultations on ConfidentialityERDIP Report #5Electronic record development and implementation programme • October 2002 to January 2003 • Minimal publicity • Consultation of dubious value • Based on 6 focus groups in nursing homes

  9. NHS Consultations on Confidentiality Share with Care(NHS & Consumer’s Assoc 2002) • Lots of trust, no awareness of reality • 60% would not want to put health info into a virtual sealed envelope • More concern on who uses info and whether it is anonymous than how it is used • People prefer to grant access to specific types of people for any purpose, rather than for a specific purpose but by any type of person • Support principles of consent and anonymisation for all non-treatment reasons • Most don’t want to be asked for consent for use of anonymised data, but would like to know as a courtesy • Sex and race difference • Women and Caucasians want confidentiality • Pragmatics: spend money on care, not on systems to protect confidentiality

  10. 2005 YouGov Surveyn=2000 • 75 % do not object to medical records being held on computer • But 25% do • 80% afraid non-health professional will have access to their record • 77% want explicit opt-in consent • 93 % want public consultation first

  11. Medical Data Common & Statute Law PIAG SCAG GMC MRC LREC NHS Policy Information Commissioner Journals 4th Estate You The UK today in a nutshell… CaldicottGuardians

  12. The UK today in a nutshell… • 2 Common Law principles (consent, and privacy) • 5 Acts of Parliament • 5 bodies making policy • Parliament, GMC, MRC, RECs, NHS • More than one document each • 5 oversight/licensing bodies • RECs, Caldicott, PIAG, SCAG, Information Commissioner • Different remits - not bound by each other’s decisions • Approval does not guarantee no possibility of prosecution • Plus 3 more for special occasions (GTAC, MRHA, HTA) • 5 Police Forces • The Law Courts – put you in jail • The GMC – remove license to practise • The Research Councils – refuse grants • The Scientific Press – refuse to publish • The Tabloid Press – public humiliation

  13. UK: The Law

  14. Remember…the law is an ass • Chandler v Webster (1904) • Claimant rented room from which to watch the coronation, at higher than normal price reflecting demand, and left a deposit. Coronation cancelled. • Court agreed that contract was frustrated, but deemed that not only should deposit NOT be returned, but claimant remained liable for the full agreed balance, because losses must ‘lie where they fall’. • Anchor Brewhouse v Berkely House (1987) • Pub seeks court order to stop booms of building cranes swinging over their property. No question of any damage, or likelihood of damage. • Court (reluctantly) obliged to rule that it was technically a trespass, and should stop.

  15. Common Law (Tort) Duty of confidence in absence of consent Right to grant or withhold consent Except, also legal duty to notify Birth, death, infectious disease Access to Health Records Act 1990 Now only relevant to deceased patients Human Rights Act 1998 Basic right to privacy Data protection act 1998 Freedom of Information Act 2000 General right to request any info held by any public body Includes e.g. written local data governance protocols Identifiable clinical data is exempt (as governed by DPA) Non-identifiable and aggregated results are not exempt Health and Social Care Act 2001 (Sections 60 & 61) Powers to stop or require information disclosure UK Legal Regulation

  16. At least one of: Consent Necessary to meet any legal obligations arising out of agreement with subject to protect data subject from death No infringement of rights or interests of data subject Plus, if sensitive, at least one of: Explicit consent Necessary to meet employment rights/obligations Processor is NPO Information already in public domain Required for legal proceedings Necessary for healthcare, and undertaken by healthcare professional with duty of confidentiality Obtained for specified (lawful) purposes, and not used in any incompatible manner Must not hold or acquire data not needed to fulfil stated purposes Data to be accurate and up to date Destroyed once purposes met Data subject must have access, right to correct and right to prevent processing that causes distress Appropriate safeguards to prevent unlawful processing, or accidental loss. Must not transfer data outside EEC unless to territory has adequate protection Data Protection Act 1998Principles: Exec Summary

  17. Section 60 of the Health and Social Care Act 2001 • DPA would have closed down the Cancer Registries • Data collected without consent, because of numbers • Identifiers included to assist detection of duplicate reporting • DoH wants to block as well as enable data flows

  18. Section 60 of the Health and Social Care Act 2001 • Regulates use of identifiable patient data without consent • Defines ‘patient information’ • Defines ‘confidential patient information’ • 2 types of support • Specific support • Where purpose of collection is complex or controversial • Requires debate in parliament, advised by PIAG • Class support • Where purpose is one of 6 (relatively) uncontroversial kinds • Requires approval by Secretary of State, advised by PIAG • Exemption is reviewed annually • Supposed to be a transitional measure

  19. Patient Information Advisory Group (PIAG)http://www.advisorybodies.doh.gov.uk/piag/Index.htm • Established in December 2001 • 13 members, meet every 3 months • Applications MUST demonstrate: • Why collecting the data is medical useful • Why consent can not be obtained • That data will be destroyed when no longer needed • A clear exit strategy that involves either: • Obtaining informed consent in future • Anonymising data • Explicit remit to work itself out of a job • By encouraging change in culture & practise

  20. Security and Confidentiality Advisory Group (SCAG)http://www.advisorybodies.doh.gov.uk/NWCS/ • Established in 1996 • Governs access to 3 NHS databases • Hospital Episode Statistics database • NHS-Wide Clearing Service database • NHS Strategic Tracing Service.

  21. UK: Ethical Oversight

  22. Ethical Regulation: General Medical Council • ABSOLUTE ideal of consent if possible • Even if patient not identifiable • Minimum disclosure • Use deidentified information wherever possible, even if you have consent • Consent to treatment implies consent to share information needed to effect treatment • Recipient of information given must be under duty of confidence (ie know that info is not in public domain) September 2000

  23. Consent even if not identifiable?Source Informatics Ltd v Department of Health • Source Informatics Ltd • Scheme to buy data from pharmacists: content of NHS prescription forms, except identity of the patient • Aggregated info to be sold to pharmaceutical companies, to be used to target marketing at GPs based on their known prescribing behaviour • DoH • Concerned that use of anonymous information could be used to increase national drug bill • Guidance document: this information is confidential

  24. Consent even if not identifiable?The Legal Decision • High Court (May 1999) www.gmc-uk.org/council/1999-11/confid.doc • Anonymised and aggregated data was patient confidential and could not be disclosed without consent from each patient. • Except that disclosure of data within the NHS might be justified ‘in the public interest’ or on the basis of implied consent. • Court of Appeal (December 1999) www.lawreports.co.uk/source.htm • GMC makes representation (costing GBP 40k) • High Court overruled: Privacy is the only issue: patients have no proprietorial claim to the information • Section 60 Health and Social Care Bill • NHS applies for powers to regulate or requireuse of data it generates • Granted, but GMC succeeds in lobbying for PIAGto regulate the Secretary of State

  25. So: no consent if anonymisedWhy still in GMC guidance? • Patient Groups • Trust between doctors and patients can only be maintained if patients must give express consent to all disclosures • Research and Public Health • strong public interest in information being available • GMC Compromise: • Seek patients’ consent to disclosure of any information (whether or not identifiable) wherever possible • Anonymise data where unidentifiable data will serve the purpose (even if you have consent) • Keep disclosures to the minimum necessary

  26. GMC GuidanceConfidentiality: Protecting and Providing Information(Sept 2000) • Section 4 - Disclosure other than for treatment • Seek consent wherever possible • Whether or not identifiable • Anonymise, even if consented • Principle of minimum disclosure • Section 15 – when unlikely to cause harm • Obtain consent to use of identifiable data • OR • Member of health care team should anonymise

  27. GMC GuidanceConfidentiality: Protecting and Providing Information(Sept 2000) • Section 16 – if consent and anonymisation by carer not practical • Can disclose to non-carer for anonymisation • provided ethics committee approves • Only where identification is essential may identifiable info be disclosed • Provided patient is told: • Data is being disclosed, why it is being disclosed, that person getting the data is under duty of confidentiality • That they can object • Section 17 • Do not release under section 15/16 unless trained and authorised by health authority and subject to duty of confidentiality through contract

  28. GMC GuidanceConfidentiality: Protecting and Providing Information(Sept 2000) • Sections 40-42: after death • Duty of confidentiality continues after death • Circumstances dictate how much • Risk of distress to the living • Recognised situations • Coroner’s investigation (inquest to cause) • CEPOD, clinical event audit, education, research (but: anonymise) • Public health • Conflicts • E.g. life insurer vs widow

  29. GMC Guidance 2000 ConsentImpractical ConsentPossible Harmless Harmful PublicGood No PublicGood STOP Anonymised Identifiable ObtainOpt-In Consent No Consent (At your peril) Implied Opt-Out Consent

  30. Ensure patients know about all actual or possible disclosures and have had the opportunity to opt-out Use deidentified information wherever possible, even if you have consent Minimum disclosure Disclosure of identifiable data, other than to treat or for clinical audit by the caring team, requires opt-in consent Clinical audit by anybody other than the caring team must be on anonymised data, otherwise opt-in consent is needed Disclosure of identifiable data for non-audit but harmless purposes requires either opt-in consent or section 60 exemption GMC GuidanceConfidentiality: Protecting and Providing Information(April 2004)

  31. GMC Guidance 2004 Implied Opt-Out Consent Local treatmentor audit Non-localaudit or research ConsentImpractical ConsentPossible Identifiable Anonymised PublicGood No PublicGood STOP No ConsentNeeded ObtainOpt-In Consent PIAGSupport No PIAGSupport STOP Exit strategy

  32. Summarises regulatory environment (PIAG, COREC etc) Extracts of relevant legislation Raises issue of statistical disclosure control Set of requirements for physical and logical data security Recommendations for data preservation and sharing New guidance in draft (2005) Ethical Regulation: Medical Research Council

  33. Ethical Regulation:British Medical Association

  34. UK: Putting it into practice

  35. Summarises regulatory environment (Statutes, PIAG, COREC etc) Extracts of relevant legislation Decision flow diagrams Mentions Privacy Enhancing Technologies Strong authentication for CfH NCRS under development NHS Code of Practice (2003)http://www.dh.gov.uk/PolicyAndGuidance/InformationPolicy/PatientConfidentialityAndCaldicottGuardians/fs/en

  36. Caldicott Guardians:Origins • Review commissioned in 1997 by CMO • Increasing concern about ways NHS uses patient information • Need to protect confidentiality • Concern largely due to fears that information technology has capacity to rapidly and extensively disseminate information about patients • Committee chaired by Dame Fiona Caldicott • Principal of Somerville College Oxford • Previous President Royal College of Psychiatrists • Reported December 1997

  37. Caldicott Report:Guiding Principles • Justify why patient data is needed • Don't use patient-identifiable information unless necessary • Use the minimum necessary identifiable information • Strict ‘need to know’ access to identifiable information • Everyone should be aware of their responsibilities to maintain confidentiality • Understand and comply with the law, in particular the Data Protection Act

  38. Caldicott Report:Recommendations(not legally binding) • Every dataflow, current or proposed, should be tested against basic principles of good practice. Continuing flows should be re-tested regularly. • A programme of work should be established to reinforce awareness of confidentiality and information security requirements amongst all staff within the NHS. • A senior person, preferably a health professional, should be nominated in each health organisation to act as a guardian, responsible for safeguarding the confidentiality of patient information. • Clear guidance should be provided for those individuals/bodies responsible for approving uses of patient-identifiable information. • Protocols should be developed to protect the exchange of patient-identifiable information between NHS and non-NHS bodies. • The identity of those responsible for monitoring the sharing and transfer of information within agreed local protocols should be clearly communicated. • An accreditation system which recognises those organisations following good practice with respect to confidentiality should be considered. • The NHS number should replace other identifiers wherever practicable, taking account of the consequences of errors and particular requirements for other specific identifiers. • Strict protocols should define who is authorised to gain access to patient identity where the NHS number or other coded identifier is used. • Where particularly sensitive information is transferred, privacy enhancing technologies (e.g. encrypting identifiers or "patient identifying information") must be explored. • Those involved in developing health information systems should ensure that best practice principles are incorporated during the design stage. • Where practicable, the internal structure and administration of databases holding patient-identifiable information should reflect the principles developed in this report. • The NHS number should replace the patient's name on Items of Service Claims made by General Practitioners as soon as practically possible. • The design of new systems for the transfer of prescription data should incorporate the principles developed in this report. • Future negotiations on pay and conditions for General Practitioners should, where possible, avoid systems of payment which require patient identifying details to be transmitted. • Consideration should be given to procedures for General Practice claims and payments which do not require patient-identifying information to be transferred, which can then be piloted.

  39. All data flows should be subject to ‘good’ practise Promote awareness in NHS Caldicott Guardians Guidance for safe use of identifiable data Protocols for exchange with non-NHS bodies Identify those responsible Recognise who does good job Use NHS Number only Strict access controls Privacy enhancing technology for sensitive data Design good practice into clinical systems Database structure and admin should reflect principles Use NHS number on GP item of service claims asap ETP systems design should reflect principles Systems to determine GP pay should not require identifiable patient data Same as 15 Caldicott ReportRecommendations (Summarised)

  40. Caldicott Guardians ‘A senior person, preferably a health professional, should be nominated in each health organisation to act as a guardian, responsible for safeguarding the confidentiality of patient information’ (ie CYA for the organisation) …so there’s more than one guardian in a multi-centre study

  41. Role of Caldicott Guardian:To ensure that.. • All data disclosures are formally justified • Information is exchanged only when absolutely necessary • Only minimum data required for job is exchanged • Appropriate access controls are implemented • All data users know their responsibilities • Law is complied with

  42. Meanwhile….the real world

  43. Meanwhile…The Reality • Estimated 20,000 successful deliberate unauthorised accesses annually • Obtained by phoning up and asking • NHS Clearing centralises NHS order and invoice reconciliation • But keeps persistent record of all events that pass through it, including name and address • Draft NHS charter (2003) claims NHS has right to refuse to treat some patients who refuse to allow their information to be shared • Though right to opt-out from NCRS is now granted (2005)

  44. Meanwhile…For sale: Memory Stick and 13 Lancashire Cancer Patient Records Confidential medical records of 13 cancer patients from Royal Bolton Hospital on a portable memory stick sold as new to a Crewe estate agent. Records included dates of birth, home addresses, telephone numbers, family medical histories and GP details, dating back to 1999. Patients' group "absolutely horrified" Cancer charity "very alarmed" MPs "concerning breach” and "inexcusable” (7th March 2003)

  45. Meanwhile…How?For sale: Memory Stick and 13 Lancashire Cancer Patient Records Contractor for the hospital's computer systems took a hospital computer to a 3rd party firm for an upgrade Computer previously used to set up a database of colo-rectal surgery patients Data copied to the stick as backup during upgrade Stick resold as new for £30.

  46. Backup tape of 57,000 patient records stolen 13th July 2005 2 computers and 185,000 patient records stolen 28th March 2005 Register of 6500 HIV patients emailed 22nd February 2005 1600 medical records stolen with laptop: nobody toldOctober 2004 Bangalore transcriptionist threatens disclosure 28th October 2004 Redditch Health Centre Computers Stolen 30th September 2004 8 years of patient pathology data stolen 14th June 2004 UK Mental Health Team computers stolen (twice) March 2004 Meanwhile..http://www.cs.man.ac.uk/mig/people/jeremy/Confidentiality.html

  47. Meanwhile…Data control and paranoia • Ian Huntley (Soham Murders) • DPA forced police to destroy record of multiple unproven allegations • George and Gertrude Bates • British Gas cut off couple because unpaid £140 bill and no response after 10 attempts to contact • Believed DPA prevented disclosure to social services • Both found dead in their lounge October 2003 • Cause of death: hypothermia and heart disease • £277 in cash on table beside bodies • £1116 in purse in shoe

  48. International ComparisonsThe USA: HIPAA

  49. Health Insurance Portability and Accountability Act (1996) • 50,000 people consulted • Defines data exchange standards • Standards for Privacy of Individually Identifiable Health Information • In force from April 2003 • Rules not fixed until 2000 • Short implementation timeframe • Distracted by Y2K

  50. HIPAA Penalties • Executives legally responsible for failures to comply • Stiff financial and jail penalties in the event that a breach occurs • Deidentified info is exempt • 11,000 complaints in first 24 months

More Related