Medical Data Confidentiality 101
Dr Jeremy Rogers MD MRCGP
Senior Clinical Fellow in Health Informatics
Northwest Institute of Bio-Health Informatics
Confidentiality in a nutshell

Don’t tell ANYBODY about a person unless you have their consent

But it’s not that simple

► Obligation to disclose when in public interest
    ► Includes, but not limited to, statutory reporting

► Product recall e.g.
    ► faulty surgical implant – need registry
    ► faulty surgeon (HBV) may require naming surgeon

► Billing for care provided to organisation
  commissioning it
    ► Patient name and address by tradition used as order number

► Research

► Medical Data Confidentiality in the UK
   ► What patients want
   ► The Law
   ► Ethics
   ► Licensing and policing
   ► The reality

► EC Regulation
Protecting Confidentiality
The UK
      Trust me, I’m a doctor…

► Until 19th century, reliance on good faith of researchers
► A few researchers broke that trust
    ► Burke & Hare 1827
    ► Organ Retention Scandals - Bristol and Alder Hey 1998
► 19th Century Legislation
    ► Anatomy Act (1832)
    ► Cruelty to Animals Act (1876)
► 20th Century Legislation
    ► Animals (Scientific Procedures) Act (1986)
    ► Human Fertilisation and Embryology Act (1990)
    ► Data Protection Act (1998)
    ► Health and Social Care Act (2001)
    ► UK Medicines for Human Use (Clinical Trials) Regulations (2004)
    ► Human Tissue Act (2004)
What do the patients think?
Public Consultations

Share with Care
NHS Consultations on Confidentiality
ERDIP Report #5
Electronic record development and implementation programme

► October 2002 to January 2003
► Minimal publicity
► Consultation of dubious value
   ► Based on 6 focus groups in nursing homes
NHS Consultations on Confidentiality
Share with Care
(NHS & Consumer’s Assoc 2002)

► Lots of trust, no awareness of reality
► 60% would not want to put health info into a
  virtual sealed envelope
► More concern on who uses info and
  whether it is anonymous than how it is used
     ► People prefer to grant access to specific types of
       people for any purpose, rather than for a specific
       purpose but by any type of person
► Support principles of consent and
  anonymisation for all non-treatment reasons
► Most don’t want to be asked for consent for
  use of anonymised data, but would like to
  know as a courtesy
► Sex and race difference
     ► Women and Caucasians want confidentiality
► Pragmatics: spend money on care, not on
  systems to protect confidentiality
2005 YouGov Survey

► 75% do not object to medical records being held on computer
   ► But 25% do
► 80% afraid non-health professional will have access to their record
► 77% want explicit opt-in consent
► 93% want public consultation first
The UK today in a nutshell…

Medical Data, surrounded by:
► Common & Statute Law
► GMC
► MRC
► NHS Policy
► PIAG, SCAG, Guardians, LREC, Journals
► 4th Estate

      The UK today in a nutshell…

► 2 Common Law principles (consent, and privacy)
► 5 Acts of Parliament
► 5 bodies making policy
    ► Parliament, GMC, MRC, RECs, NHS
    ► More than one document each
► 5 oversight/licensing bodies
    ► RECs, Caldicott, PIAG, SCAG, Information Commissioner
    ► Different remits - not bound by each other’s decisions
    ► Approval does not guarantee no possibility of prosecution
    ► Plus 3 more for special occasions (GTAC, MRHA, HTA)
► 5 Police Forces
    ► The Law Courts – put you in jail
    ► The GMC – remove license to practise
    ► The Research Councils – refuse grants
    ► The Scientific Press – refuse to publish
    ► The Tabloid Press – public humiliation
UK: The Law
    Remember…the law is an ass

► Chandler v Webster (1904)
   ► Claimant rented room from which to watch the coronation,
     at higher than normal price reflecting demand, and left a
     deposit. Coronation cancelled.
   ► Court agreed that contract was frustrated, but deemed that
     not only should deposit NOT be returned, but claimant
     remained liable for the full agreed balance, because losses
     must ‘lie where they fall’.
► Anchor Brewhouse v Berkeley House (1987)
   ► Pub seeks court order to stop booms of building cranes
     swinging over their property. No question of any damage, or
     likelihood of damage.
   ► Court (reluctantly) obliged to rule that it was technically a
     trespass, and should stop.
UK Legal Regulation

► Common Law (Tort)
   ► Duty of confidence in absence of consent
   ► Right to grant or withhold consent
   ► Except, also legal duty to notify
      ► Birth, death, infectious disease
► Access to Health Records Act 1990
   ► Now only relevant to deceased patients
► Human Rights Act 1998
   ► Basic right to privacy
► Data Protection Act 1998
► Freedom of Information Act 2000
   ► General right to request any info held by any public body
   ► Includes e.g. written local data governance protocols
   ► Identifiable clinical data is exempt (as governed by DPA)
   ► Non-identifiable and aggregated results are not
► Health and Social Care Act 2001 (Sections 60 & 61)
   ► Powers to stop or require information disclosure
Data Protection Act 1998
Principles: Exec Summary

► At least one of:
   ► to meet any legal obligations arising out of agreement with subject
   ► to protect data subject from death
   ► No infringement of rights or interests of data subject
► Plus, if sensitive, at least one of:
   ► Explicit consent
   ► Necessary to meet employment rights/obligations
   ► Processor is NPO
   ► Information already in public domain
   ► Required for legal proceedings
   ► Necessary for healthcare, and undertaken by healthcare professional with duty of confidentiality

► Obtained for specified (lawful) purposes, and not used in any incompatible manner
► Must not hold or acquire data not needed to fulfil stated purposes
► Data to be accurate and up to date
► Destroyed once purposes met
► Data subject must have access, right to correct and right to prevent processing that causes distress
► Appropriate safeguards to prevent unlawful processing, or accidental loss
► Must not transfer data outside EEC unless to territory has adequate protection
     Section 60 of the Health
     and Social Care Act 2001

► DPA would have closed down the Cancer
   ► Data collected without consent, because of numbers
   ► Identifiers included to assist detection of duplicate

► DoH wants to block as well as enable data
      Section 60 of the Health
      and Social Care Act 2001

► Regulates use of identifiable patient data without consent
    ► Defines ‘patient information’
    ► Defines ‘confidential patient information’
► 2 types of support
    ► Specific support
        ► Where purpose of collection is complex or controversial
        ► Requires debate in parliament, advised by PIAG
    ► Class support
        ► Where purpose is one of 6 (relatively) uncontroversial kinds
        ► Requires approval by Secretary of State, advised by PIAG

► Exemption is reviewed annually
► Supposed to be a transitional measure
      Patient Information Advisory Group

► Established in December 2001
► 13 members, meet every 3 months
► Applications MUST demonstrate:
     ► Why collecting the data is medically useful
     ► Why consent can not be obtained
     ► That data will be destroyed when no longer
     ► A clear exit strategy that involves either:
         ► Obtaining informed consent in future
         ► Anonymising data
► Explicit remit to work itself out of a job
     ► By encouraging change in culture & practice
     Security and Confidentiality Advisory
     Group (SCAG)

► Established in 1996
► Governs access to 3 NHS databases
   ► Hospital Episode Statistics database
   ► NHS-Wide Clearing Service database
   ► NHS Strategic Tracing Service.
UK: Ethical Oversight
Ethical Regulation:
General Medical Council (September 2000)

► ABSOLUTE ideal of consent if
   ► Even if patient not identifiable
► Minimum disclosure
► Use deidentified information wherever possible, even if you have consent
► Consent to treatment implies consent to share information needed to effect treatment
► Recipient of information given must be under duty of (ie know that info is not in public domain)
    Consent even if not identifiable?
    Source Informatics Ltd v Department of Health

► Source Informatics Ltd
   ► Scheme to buy data from pharmacists: content of NHS prescription forms, except identity of the patient
   ► Aggregated info to be sold to pharmaceutical companies, to be used to target marketing at GPs based on their known prescribing behaviour

► Department of Health
   ► Concerned that use of anonymous information could be used to increase national drug bill
   ► Guidance document: this information is confidential
      Consent even if not identifiable?
      The Legal Decision
► High Court (May 1999)
   ► Anonymised and aggregated data was patient confidential and
     could not be disclosed without consent from each patient.
   ► Except that disclosure of data within the NHS might be justified
     ‘in the public interest’ or on the basis of implied consent.

► Court of Appeal (December 1999)
   ► GMC makes representation (costing GBP 40k)
   ► High Court overruled: Privacy is the only issue: patients have no
     proprietorial claim to the information

► Section 60 Health and Social Care Bill
   ► NHS applies for powers to regulate or require
     use of data it generates
   ► Granted, but GMC succeeds in lobbying for PIAG
     to regulate the Secretary of State
    So: no consent if anonymised
    Why still in GMC guidance?

► Patient Groups
   ► Trust between doctors and patients can only be maintained if patients must give express consent to all disclosures

► Research and Public Health
   ► Strong public interest in information being available

► GMC Compromise:
   ► Seek patients’ consent to disclosure of any information (whether or not identifiable) wherever possible
   ► Anonymise data where unidentifiable data will serve the purpose (even if you have consent)
   ► Keep disclosures to the minimum necessary
     GMC Guidance
     Confidentiality: Protecting and Providing Information
     (Sept 2000)

► Section 4 - Disclosure other than for treatment
   ► Seek consent wherever possible
        ► Whether or not identifiable
   ► Anonymise, even if consented
   ► Principle of minimum disclosure

► Section 15 – when unlikely to cause harm
   ► Obtain consent to use of identifiable data
   ► OR
   ► Member of health care team should anonymise
     GMC Guidance
     Confidentiality: Protecting and Providing Information
     (Sept 2000)

► Section 16 – if consent and anonymisation by carer not practical
   ► Can disclose to non-carer for anonymisation
        ► provided ethics committee approves
   ► Only where identification is essential may identifiable info be
   ► Provided patient is told:
        ► Data is being disclosed, why it is being disclosed, that person getting the data is under duty of confidentiality
        ► That they can object

► Section 17
   ► Do not release under section 15/16 unless trained and
     authorised by health authority and subject to duty of
     confidentiality through contract
     GMC Guidance
     Confidentiality: Protecting and Providing Information
     (Sept 2000)

► Sections 40-42: after death
   ► Duty of confidentiality continues after death
   ► Circumstances dictate how much
   ► Risk of distress to the living

► Recognised situations
   ► Coroner’s investigation (inquest to cause)
   ► CEPOD, clinical event audit, education, research (but:
   ► Public health

► Conflicts
   ► E.g. life insurer vs widow
GMC Guidance 2000 (decision flow)

► Consent Possible → Opt-In Consent
► Consent Impractical → consider in turn:
   ► Harmless / Harmful
   ► Public Good / No Public Good
   ► Anonymised / Identifiable
   ► Outcome: Implied Opt-Out Consent, or No Consent (At your peril)
       GMC Guidance
       Confidentiality: Protecting and Providing Information
       (April 2004)

► Ensure patients know about all actual or possible disclosures and
  have had the opportunity to opt-out
► Use deidentified information wherever possible, even if you have
► Minimum disclosure
► Disclosure of identifiable data, other than to treat or for clinical
  audit by the caring team, requires opt-in consent
► Clinical audit by anybody other than the caring team must be on
  anonymised data, otherwise opt-in consent is needed
► Disclosure of identifiable data for non-audit but harmless purposes
  requires either opt-in consent or section 60 exemption
GMC Guidance 2004 (decision flow)

► Local treatment or audit → Implied Opt-Out Consent
► Non-local audit or research:
   ► Anonymised → No Consent Needed
   ► Identifiable:
      ► Consent Possible → Obtain Opt-In Consent
      ► Consent Impractical:
         ► Public Good → PIAG Support (exit strategy required)
         ► No Public Good → No PIAG Support
       Ethical Regulation:
       Medical Research Council

► Summarises regulatory
  environment (PIAG, COREC etc)
► Extracts of relevant legislation
► Raises issue of statistical
  disclosure control
► Set of requirements for physical
  and logical data security
► Recommendations for data
  preservation and sharing
► New guidance in draft (2005)
Ethical Regulation:
British Medical Association
UK: Putting it into practice
      NHS Code of Practice (2003)

► Summarises regulatory
  environment (Statutes,
  PIAG, COREC etc)
► Extracts of relevant
► Decision flow diagrams
► Mentions Privacy
  Enhancing Technologies
    ► Strong authentication for
      CfH NCRS under
      Caldicott Guardians:

► Review commissioned in 1997 by CMO
    ► Increasing concern about ways NHS uses patient information
    ► Need to protect confidentiality
    ► Concern largely due to fears that information technology has capacity
      to rapidly and extensively disseminate information about patients
► Committee chaired by Dame Fiona Caldicott
    ► Principal of Somerville College Oxford
    ► Previous President Royal College of Psychiatrists
► Reported December 1997
     Caldicott Report:
     Guiding Principles

1. Justify why patient data is needed
2. Don't use patient-identifiable information
   unless necessary
3. Use the minimum necessary identifiable
4. Strict ‘need to know’ access to identifiable
5. Everyone should be aware of their
   responsibilities to maintain confidentiality
6. Understand and comply with the law, in
   particular the Data Protection Act
            Caldicott Report:
            (not legally binding)

1.    Every dataflow, current or proposed, should be tested against basic principles of good practice.
      Continuing flows should be re-tested regularly.
2.    A programme of work should be established to reinforce awareness of confidentiality and
      information security requirements amongst all staff within the NHS.
3.    A senior person, preferably a health professional, should be nominated in each health
      organisation to act as a guardian, responsible for safeguarding the confidentiality of patient
      information.
4.    Clear guidance should be provided for those individuals/bodies responsible for approving uses of
      patient-identifiable information.
5.    Protocols should be developed to protect the exchange of patient-identifiable information
      between NHS and non-NHS bodies.
6.    The identity of those responsible for monitoring the sharing and transfer of information within
      agreed local protocols should be clearly communicated.
7.    An accreditation system which recognises those organisations following good practice with
      respect to confidentiality should be considered.
8.    The NHS number should replace other identifiers wherever practicable, taking account of the
      consequences of errors and particular requirements for other specific identifiers.
9.    Strict protocols should define who is authorised to gain access to patient identity where the NHS
      number or other coded identifier is used.
10.   Where particularly sensitive information is transferred, privacy enhancing technologies (e.g.
      encrypting identifiers or "patient identifying information") must be explored.
11.   Those involved in developing health information systems should ensure that best practice
      principles are incorporated during the design stage.
12.   Where practicable, the internal structure and administration of databases holding patient-
      identifiable information should reflect the principles developed in this report.
13.   The NHS number should replace the patient's name on Items of Service Claims made by
      General Practitioners as soon as practically possible.
14.   The design of new systems for the transfer of prescription data should incorporate the principles
      developed in this report.
15.   Future negotiations on pay and conditions for General Practitioners should, where possible, avoid
      systems of payment which require patient identifying details to be transmitted.
16.   Consideration should be given to procedures for General Practice claims and payments which do
      not require patient-identifying information to be transferred, which can then be piloted.
Caldicott Report
Recommendations (Summarised)

1. All data flows should be subject to ‘good’ practice
2. Promote awareness in NHS
3. Caldicott Guardians
4. Guidance for safe use of identifiable data
5. Protocols for exchange with non-NHS bodies
6. Identify those responsible
7. Recognise who does good job
8. Use NHS Number only
9. Strict access controls
10. Privacy enhancing technology for sensitive data
11. Design good practice into clinical systems
12. Database structure and admin should reflect principles
13. Use NHS number on GP item of service claims asap
14. ETP systems design should reflect principles
15. Systems to determine GP pay should not require identifiable patient data
16. Same as 15
      Caldicott Guardians

‘A senior person, preferably a health
professional, should be nominated in
each health organisation to act as a
guardian, responsible for
safeguarding the confidentiality of
patient information’
(ie CYA for the organisation)

…so there’s more than one guardian
in a multi-centre study
     Role of Caldicott Guardian:
     To ensure that..

► All data disclosures are formally justified
► Information is exchanged only when absolutely
► Only minimum data required for job is exchanged
► Appropriate access controls are implemented
► All data users know their responsibilities
► Law is complied with
Meanwhile….the real world
     The Reality
► Estimated 20,000 successful deliberate
  unauthorised accesses annually
   ► Obtained by phoning up and asking
► NHS Clearing centralises NHS order and
  invoice reconciliation
   ► But keeps persistent record of all events that pass through
     it, including name and address
► Draft NHS charter (2003) claims NHS has right
  to refuse to treat some patients who refuse to
  allow their information to be shared
   ► Though right to opt-out from NCRS is now granted (2005)
       For sale: Memory Stick and 13
       Lancashire Cancer Patient Records
Confidential medical records of 13 cancer patients
from Royal Bolton Hospital on a portable memory
stick sold as new to a Crewe estate agent.
Records included dates of birth, home addresses,
telephone numbers, family medical histories and GP
details, dating back to 1999.
Patients' group "absolutely horrified"
Cancer charity "very alarmed"
MPs: “concerning breach” and “inexcusable”

(7th March 2003)
     For sale: Memory Stick and 13
     Lancashire Cancer Patient Records
Contractor for the hospital's computer systems
took a hospital computer to a 3rd party firm for an
Computer previously used to set up a database of
colo-rectal surgery patients
Data copied to the stick as backup during upgrade
Stick resold as new for £30.

► Backup tape of 57,000 patient records stolen (13th July 2005)
► 2 computers and 185,000 patient records stolen (28th March 2005)
► Register of 6500 HIV patients emailed (22nd February 2005)
► 1600 medical records stolen with laptop: nobody told (October 2004)
► Bangalore transcriptionist threatens disclosure (28th October 2004)
► Redditch Health Centre computers stolen (30th September 2004)
► 8 years of patient pathology data stolen (14th June 2004)
► UK Mental Health Team computers stolen (twice) (March 2004)
Data control and paranoia

► Ian Huntley (Soham Murders)
   ► DPA forced police to destroy record of multiple unproven allegations
► George and Gertrude Bates
   ► British Gas cut off couple because of an unpaid £140 bill and no response after 10 attempts to contact
   ► Believed DPA prevented disclosure to social services
   ► Both found dead in their lounge October 2003
      ► Cause of death: hypothermia and heart disease
      ► £277 in cash on table beside bodies
      ► £1116 in purse in shoe
International Comparisons
     Health Insurance Portability and
     Accountability Act (1996)

► 50,000 people consulted
► Defines data exchange standards
► Standards for Privacy of Individually Identifiable
  Health Information
    ► In force from April 2003

► Rules not fixed until 2000
    ► Short implementation timeframe
    ► Distracted by Y2K
     HIPAA Penalties

► Executives legally responsible for failures to
► Stiff financial and jail penalties in the event that
  a breach occurs
► Deidentified info is exempt
► 11,000 complaints in first 24 months
       HIPAA and Consent

► Must tell patients of how you plan to control use and
  disclosure of their data
    ► Disclose only minimum info needed to fulfil reason for request
    ► De-identify wherever possible
    ► Train your employees
    ► Complaints procedure
    ► Appoint a privacy officer
► Must obtain consent for all routine use and disclosure
► …and separate explicit consent for each and every instance
  of non-routine use or disclosure
    ► Unless exempt: public health, research etc
► Patients must have right to restrict disclosure
► Patients have right to complete disclosure record
     HIPAA Deidentification

► Deidentified data does not identify an individual
  and there is no reason to think it could
► Data is considered to be deidentified iff:
    ► EITHER
      An expert says that the risk of re-identification is ‘very
      small’, and documents why they believe this
    ► OR…
      HIPAA Deidentification

► The following identifiers of the data subject
    ► and their relatives, employers
    ► and any household members (related or not)

   are removed AND

► the information supplier has no actual knowledge that the
  information could be used in any way to re-identify the
  data subject
HIPAA identifier data fields

► All geographic subdivisions that identify <20k people
► All date elements except the year, including
   ► Date of birth & death
   ► Date of healthcare event
   ► All ages over 89
► Telephone/Fax numbers
► Email addresses
► SSN, Health plan#, Acct#
► Certificate or license #
► Vehicle Ids and license#
► Device Ids and serial#
► Web URLs
► IP numbers
► Biometric idents, including voice & fingerprint
► Full face photo or similar
► Any other unique identifying characteristic or code
     HIPAA one-way key

You may use a new unique identifier to allow
  re-identification by the information originator
  provided that:

► The new ident is not derived from or related to
  the data subject and can not itself be used to
  help re-identify them
► The re-identification key is kept securely
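The two slides above (the Safe Harbor identifier list and the one-way key) can be put together as a small de-identification pass. The code below is an added example for this page, not code from the original slides or from any HIPAA tooling; the field names, the sample record, the cut-off date and the set of small-population ZIP3 areas are all constructed placeholders. It removes the direct identifiers, reduces dates to the year, buckets ages over 89 into “90+”, generalises the ZIP code, and then attaches a random code whose mapping back to the record id is held only by the originator.

```python
"""HIPAA Safe Harbor style de-identification plus a re-identification key.

Added example, not code from the original slides. Field names, the sample
record, AS_OF and SMALL_POPULATION_ZIP3 are constructed for illustration.
"""
import secrets
from datetime import date

# Safe Harbor keeps the first three ZIP digits unless that ZIP3 area holds
# fewer than 20,000 people, in which case it becomes "000".
# Constructed placeholder set; the real list comes from census data.
SMALL_POPULATION_ZIP3 = {"036", "059", "102"}

# Direct identifiers removed outright (names, relatives/employer/household,
# contact details, account numbers, device/vehicle ids, URLs, IPs,
# biometrics, photos, and the local record number).
DIRECT_IDENTIFIERS = frozenset({
    "mrn", "name", "relative_names", "employer", "household_members", "phone",
    "fax", "email", "ssn", "health_plan_id", "account_no", "licence_no",
    "vehicle_id", "device_serial", "url", "ip", "biometric", "photo",
})

# Date fields: only the year survives.
DATE_FIELDS = ("dob", "date_of_death", "admission", "discharge")

# Constructed reference date for age calculation.
AS_OF = date(2005, 1, 1)


def generalise_zip(zip_code: str) -> str:
    """Keep ZIP3 unless the area identifies fewer than 20k people."""
    zip3 = zip_code[:3]
    return "000" if zip3 in SMALL_POPULATION_ZIP3 else zip3


def age_on(dob: date, as_of: date) -> int:
    """Whole years between dob and as_of."""
    had_birthday = (as_of.month, as_of.day) >= (dob.month, dob.day)
    return as_of.year - dob.year - (0 if had_birthday else 1)


def generalise_age(age: int):
    """Ages over 89 collapse into a single '90+' bucket."""
    return "90+" if age > 89 else age


def deidentify(record: dict, as_of: date) -> dict:
    """Return a Safe Harbor style copy of record; the input is not modified."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS or value is None:
            continue
        if field in DATE_FIELDS:
            out[f"{field}_year"] = value.year
        elif field == "zip":
            out["zip3"] = generalise_zip(value)
        else:
            out[field] = value          # clinical content is kept as-is
    if record.get("dob") is not None:
        out["age"] = generalise_age(age_on(record["dob"], as_of))
    return out


class ReidentificationKey:
    """The 'one-way key' held by the information originator, separately from
    the released data: random codes, not derived from the subject, mapped
    back to the original record id."""

    def __init__(self):
        self._codes = {}

    def issue(self, record_id: str) -> str:
        code = secrets.token_hex(8)     # random, unrelated to the subject
        self._codes[code] = record_id
        return code

    def lookup(self, code: str) -> str:
        return self._codes[code]


def release(record: dict, as_of: date, key: ReidentificationKey) -> dict:
    """De-identify a record and tag it with a fresh re-identification code."""
    out = deidentify(record, as_of)
    out["code"] = key.issue(record["mrn"])
    return out


# Constructed sample record, not real patient data.
SAMPLE = {
    "mrn": "MRN-0001", "name": "Jane Example", "relative_names": ["John Example"],
    "dob": date(1912, 5, 20), "date_of_death": None, "admission": date(2004, 3, 14),
    "zip": "10203", "phone": "555-0100", "email": "jane@example.invalid",
    "ssn": "000-00-0000", "diagnosis": "C18.9", "procedure": "colectomy",
}

if __name__ == "__main__":
    key = ReidentificationKey()
    released = release(SAMPLE, AS_OF, key)
    print(released)
    print("originator re-identifies to", key.lookup(released["code"]))
```

The released dictionary carries only year-level dates, a generalised ZIP3, the age bucket and the clinical fields; everything needed to get back to the patient lives in the `ReidentificationKey` object, which is the part the slide says must be kept securely and never shipped with the data.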
     HIPAA partial deidentification

► Limited Data Set is partially deidentified
► Can include
    ► postal code or other geo information
    ► Dates of significant events
    ► Date of birth or death

► Provided data subject enters into a specific data
  use agreement
International Comparisons:
     EC Directive 95/46/EC

► Europe’s own privacy standard
► Members shall prohibit processing personal
  data concerning health or sex life except for:
    ► Diagnosis or treatment
    ► Public health
    ► Criminal offences
    ► Fulfilling specific contractual obligations
    ► Legal claims
    ► For any purpose where consent has been obtained
     Privacy Enhancing Techniques

► Anonymisation
    ► Can never totally prevent re-identification
    ► Shetlands postman problem

► Pseudonymisation
    ► Can never totally prevent re-identification

► Encryption
    ► Public Key Infrastructures empirically hard to establish

► Statistical Disclosure Control
    ► Database privacy gauging for dynamic dilution of database

► Proxy services
► Data flow segmentation
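The “Shetlands postman problem” and the statistical disclosure control bullet above describe the same failure: a combination of harmless-looking attributes (occupation plus area) that only one person matches. The code below is an added example, not from the original slides or any named tool; the table rows are constructed and the choice of quasi-identifiers and the generalise-then-suppress policy are assumptions. It gauges the k-anonymity of a table (the smallest group of records sharing the same quasi-identifier values), lists the rows at risk, and then generalises or suppresses until every remaining row sits in a group of at least k.

```python
"""Statistical disclosure control: a k-anonymity gauge over quasi-identifiers.

Added example, not from the original slides. ROWS is a constructed table;
QUASI and the generalise-then-suppress policy are assumptions for illustration.
"""
from collections import Counter

# Constructed sample table: two quasi-identifiers and a sensitive attribute.
ROWS = [
    {"occupation": "postman",   "area": "Shetland", "diagnosis": "asthma"},
    {"occupation": "doctor",    "area": "Shetland", "diagnosis": "diabetes"},
    {"occupation": "teacher",   "area": "Shetland", "diagnosis": "diabetes"},
    {"occupation": "teacher",   "area": "Shetland", "diagnosis": "asthma"},
    {"occupation": "teacher",   "area": "Glasgow",  "diagnosis": "asthma"},
    {"occupation": "teacher",   "area": "Glasgow",  "diagnosis": "flu"},
    {"occupation": "nurse",     "area": "Glasgow",  "diagnosis": "asthma"},
    {"occupation": "nurse",     "area": "Glasgow",  "diagnosis": "diabetes"},
    {"occupation": "fisherman", "area": "Orkney",   "diagnosis": "flu"},
]
QUASI = ("occupation", "area")   # attributes an outsider could already know
SUPPRESSED = "*"


def _class_key(row, quasi):
    return tuple(row[q] for q in quasi)


def equivalence_classes(rows, quasi=QUASI):
    """Count rows per combination of quasi-identifier values."""
    return Counter(_class_key(r, quasi) for r in rows)


def min_class_size(rows, quasi=QUASI):
    """The k the table actually achieves; 1 means somebody is unique."""
    classes = equivalence_classes(rows, quasi)
    return min(classes.values()) if classes else 0


def risky_rows(rows, quasi=QUASI, k=2):
    """Rows whose quasi-identifier combination occurs fewer than k times."""
    classes = equivalence_classes(rows, quasi)
    return [r for r in rows if classes[_class_key(r, quasi)] < k]


def enforce_k_anonymity(rows, quasi=QUASI, k=2, generalise_field="occupation"):
    """Two-stage disclosure control, returning a new list.

    Stage 1 generalises one quasi-identifier for rows in small classes (the
    lone postman becomes '*' in Shetland). Stage 2 suppresses any row that
    is still in a class smaller than k after generalisation.
    """
    classes = equivalence_classes(rows, quasi)
    generalised = []
    for r in rows:
        r = dict(r)                     # never mutate the caller's data
        if classes[_class_key(r, quasi)] < k:
            r[generalise_field] = SUPPRESSED
        generalised.append(r)
    classes = equivalence_classes(generalised, quasi)
    return [r for r in generalised if classes[_class_key(r, quasi)] >= k]


if __name__ == "__main__":
    print("k before:", min_class_size(ROWS), "at-risk rows:", len(risky_rows(ROWS)))
    safe = enforce_k_anonymity(ROWS)
    print("k after:", min_class_size(safe), "rows released:", len(safe))
```

In the constructed table the postman and the doctor in Shetland are each unique; after generalising occupation they form a class of two and survive, while the lone Orkney fisherman cannot be hidden by that step alone and is dropped. Running the gauge again before each release is the “dynamic” part: as a database grows or shrinks, small cells appear and disappear, so the check belongs in the release path rather than being done once.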

► Increasingly complex area
    ► Different regulatory regimes militate against internationally
      based trials
► Tendency for data custodians to avoid all risk by
  saying ‘no’
► Complex implementation
    ► But weak points are human error, not policy
► Possibility of blind siding
    ► Central assumption that disclosure of medical detail is most
      likely source of harm to an individual
    ► Medical records increasingly valuable as substrate for
      identity theft?