Are EHRs a legal ‘game changer’?

Last Wednesday a panel of experts gathered at the 2nd International Summit on the Future of Health Privacy in Washington, DC. They all seemed to agree that the stakes are high when it comes to electronic medical records and privacy.

Electronic health records are a legal ‘game changer,’ and many of us who have lived and breathed Health IT recognise this. But as patients become more tech savvy and the push towards encouraging patients to be responsible for their own health intensifies, patients are beginning to not only expect, but demand that clinical information is shared and exchanged amongst those that are caring for them in order to receive the best health outcome.

So with increasing amounts of NHS organisations sharing data electronically in order to meet these demands, there is almost little surprise when just six months into this Jubilee and Olympic year, numerous headlines have showcased some large health data breaches.

Whether it’s outright theft, the actions of a disgruntled employee or overall carelessness, 2012 is already full of noteworthy breaches. And according to recent research the problem is clearly growing, not only in the UK but globally.

Yet the NHS is seeing an even more sinister twist and that is the affordability of the data breach fine. Earlier this year Aneurin Bevan Health Board became the first trust in the UK to be given a monetary fine for its data breach. Hot on its heels was Central London Community Healthcare NHS Trust and now Brighton and Sussex University Hospitals NHS Trust has been served a £325,000 penalty – the largest fine of its kind – after it allowed sensitive information about tens of thousands of patients to be sold on eBay!

Already the CEO of the trust is appealing against the penalty claiming that it “simply cannot afford to pay a £325,000 fine.”

This particular incident is even more interesting as it relates to a managed service. The trust’s IT provider sub-contracted the destruction of data on around 1,000 hard drives held in a locked key-coded room within the hospital.

The trust said no information actually got into the public domain, but the Information Commissioner’s Office (ICO) claims that no explanation has been given as to how the hard drives were removed from the premises. Apparently the individual authorised to destroy the discs did know the code for the door where the discs were stored.

The ICO’s deputy commissioner and director of data protection, David Smith, said: “The amount issued in this case reflects the gravity and scale of the data breach. It sets an example for all organisations – both public and private – of the importance of keeping personal information secure.”

Privacy and security form the bedrock on which the NHS can progress its current goal to provide better and sustainable healthcare so it must be raised high up the NHS agenda. However, getting the right information to the right people at the right time, in a form they can understand, engage with and contribute to, will help individuals take control of their own care, improving self management, shared decision making and more informed choices, as outlined in the recent Information Strategy.

As well as recognising the importance of providing safeguards around access to clinical records online, the NHS Future Forum received a clear message that not sharing information has the potential to do more harm than sharing it.

Unless action is taken to ensure privacy and information governance is simplified, then the future of electronic healthcare is at risk along with the reputations of healthcare providers, senior managers and clinicians. The NHS must protect patient data and use solutions that are now available which can monitor, detect and deter staff breaches of patient data. Scotland is leading the way, with Wales and some far-sighted English trusts not far behind. Yet many English NHS organisations have still not decided to confront the privacy issue, effectively hoping that regulators, police and patients’ lawyers never come knocking on their door!