Any British organisation that handles or processes sensitive personal information is subject to stringent regulations under the Data Protection Act 1998. In the most serious cases the Information Commissioner has fined firms up to £500,000 for non-compliance.
Patient medical records can contain the most sensitive information on any individual — yet their storage and security is often still substandard.
So here are three reasons British medics are reviewing their patient medical record provisions.
The Europe-wide General Data Protection Regulation (GDPR) comes into force in May 2018.
And it will be enforced in the UK despite the impending Brexit process.
The GDPR imposes a higher standard on healthcare professionals processing sensitive patient information in their role as data controllers. And simultaneously bolsters the rights of patients as data subjects.
Medical staff should be aware that patient consent will be required prior to performing many day-to-day data processing procedures. But consent isn’t required in certain circumstances, such as informing central government of a serious public health risk.
Ignorance of the new rules will be given short shrift by regulators — and potential fines under GDPR will be far more punitive than under its predecessor.
General Medical Council (GMC) guidelines introduced in April 2017 emphasise the prime importance of confidentiality in healthcare.
And they provide a firm foundation for any medical practice preparing for GDPR.
All staff should be aware of their legal and ethical responsibilities to hold patient information in strict confidence.
And knowing when it’s appropriate to disclose patient information (and to whom) is just as important as secure storage.
Staff can disclose information in circumstances where the patient has given consent, when it’s required by law and when it can be justified by the public interest.
There are certain situations where disclosure may benefit a patient who lacks capacity to make the decision themselves.
But staff should have a comprehensive understanding of the definition of ‘capacity’ and the dire legal consequences of making false presumptions in this regard.
Medical data breaches
These changes to the legal and procedural framework have occurred against the backdrop of a swathe of high-profile data breaches involving patient medical records.
The Information Commissioner undertook a full-scale investigation into NHS Digital and TPP — the private sector provider of digital systems used to store records of over 3000 GP surgeries in England.
Their ‘SystmOne’ database permitted medical records to be shared with a range of TPP clients who had no legal rights of access. And naturally this was of huge concern to the regulator.
But breaches can involve paper records too, so some doctors might choose to back up electronic databases with Lloyd George storage systems that ensure patient notes remain safely within their sight.
Electronic systems are speedy and efficient but are vulnerable to security glitches and cyberattacks — so paper storage systems still have a role to play in 21st century medicine.
Thanks to data breach concerns and new regulations, medics across the UK are eager to ensure their medical records systems are more robust than ever.
Are you aware of your patient confidentiality rights? Share your stories in the comments section.