ANNE WARD PLATT
Management Consultancy Director
Anne is the director of a management consultancy specialising in conciliation, complaints and conflict management. She is the author of Conciliation in Healthcare: managing and resolving complaints and conflict (2008). Anne is also a non-executive director and deputy chairman of Northumberland, Tyne and Wear NHS Foundation Trust.
The roll out of the Summary Care Record (SCR) in England reached me on 1 April this year.(1) As I read through the explanatory leaflet, the date seemed significant when I noticed the answer given to the frequently asked question, "How will you protect my confidentiality?" I was assured that "by law, everyone working for us, or on our behalf, must respect your confidentiality and keep all information about you secure". Equally reassuring, I was informed about the 'NHS Care Record Guarantee for England', which details "how the NHS will collect, store and allow access to your electronic records".
In the face of data loss in recent years affecting thousands of patients, a 'guarantee' sounds too good to be true.(2) In fact, the earlier statements in the leaflet are qualified by the comment, "No matter how careful we are, there are always risks when information is held on computers, as there are when they are held on paper". This is all too apparent, as the recent furore over the breach of Sony PlayStation Network data – in which users' credit card details and other personal information were hacked into, leading to a lawsuit filed against the US firm – demonstrates.
Practice managers will be only too well aware that it was concern about the risks attached to uploading entire health records that resulted in the current compromise. In fact, ensuring the confidentiality, integrity and appropriate availability of patient information in your practice is likely to rate among your chief concerns. This was certainly a finding from the clinical risk self-assessments carried out by the Medical Protection Society in 2009, which found that confidentiality and issues relating to Caldicott principles were rated as the top risk in all practices included in the sample.(3)
Similarly, the National Patient Safety Agency has reported that issues relating to confidentiality are among the top reported incident types in general practice.(4)
Your practice risk register is an invaluable tool in helping you to identify, and where possible eliminate or mitigate, risks in relation to confidentiality. But it must be regularly updated to ensure it is an accurate reflection of the current risks the practice faces at any time. Is this true of your risk register? Do you think it provides a good reflection of the risks the practice is exposed to in this area as well as the actions being taken to manage those risks? And have you considered the actions you should take in relation to a breach in data security?
All practices should have a strategy in place with which staff are familiar, so that they know what steps to take in the event of such a breach. Your strategy should include:
Inadvertent breaches of patient confidentiality can occur in a range of circumstances, including:
Practices have to be registered with the Information Commissioner's Office. Financial penalties can be imposed for serious breaches of data security under the Data Protection Act (1998).
Bear in mind that in addition to health records, for which the Information Commissioner has published specific guidance, practices will hold many other kinds of personal data, such as information about employees, that are equally subject to the Act.(5) Best practice in information governance is to follow the Caldicott principles and to have a clinician in the practice who takes responsibility for this function.(6)
Aim to develop a culture within your practice in which the observance of confidentiality is seen by all staff as key to their interaction with patients and an important part of the quality of the patient/customer experience. You can use training opportunities to develop staff awareness not only of the practice's policies and procedures, but also of the areas in which inadvertent breaches of confidentiality may occur in day-to-day work. The best kind of training involves scenarios with real-time examples. The General Medical Council has an interactive web section in which issues relating to confidentiality are included in the range of case studies presented.
Looking critically at what goes on in your own practice may prove an eye-opener. A study of confidentiality in the waiting room, carried out in 2007 in a group of practices, showed that there were 44 inadvertent breaches of confidentiality over 26 hours of observation (see Box 3).(7)
All staff need to be aware of the requirements of the NHS code of confidentiality 2003, together with the supplementary guidance in relation to public interest disclosures 2010, and data sharing issues relating to children and vulnerable adults.(8-10) Regular training in security and confidentiality should include non-clinical staff, such as receptionists, who represent the practice's front-of-house and may be the first people with whom a patient has contact.
In 2005, the British Medical Association published a discussion paper entitled Confidentiality as part of a bigger picture.(11) The key findings are as applicable now as they were then. Patients were:
It is, therefore, vital that patients feel confident their personal details will not be divulged inappropriately. This is essential where staff may be handling data relating to neighbours, relatives or friends, and you should be aware of any areas in which there is a potential for conflicts of interest to arise. Deliberate and unlawful breaches of confidentiality can and do occur and, for some patients, fear that their confidentiality may be breached can prevent them accessing necessary healthcare.(12)
Since confidentiality is such an important component of the delivery of high-quality healthcare, you will want to ensure that your practice communicates effectively with patients on this subject. Your website and practice literature will need to cover the key aspects of this topic in a way that reassures the patient but is also factually accurate. It is helpful for patients to know:
Issues relating to confidentiality will always remain a key risk for practices. No system will ever be foolproof and no cast-iron guarantee can ever be made. There is always the potential for human error or deliberate misuse of personal data. You can, however, take steps to mitigate the risks through a proactive and vigilant approach, and by recruiting high-calibre staff for whom observance of confidentiality is seen as central to the delivery of high-quality healthcare.
1. NHS Summary Care Records. Your emergency care summary. Available from: http://www.nhscarerecords.nhs.uk/security
2. The Information Commissioner. Poor data security in the NHS. Press release, 15 June 2010. Available from: http://www.ico.gov.uk/~/media/documents/pressreleases/2010/NHS_STOKE_ON_...
3. Medical Protection Society. New MPS data identifies the top five risks to general practices in 2009. Press release, 24 February 2010. Available from: http://www.medicaprotection.org/uk/press-releases
4. The National Patient Safety Agency. Seven steps to patient safety in general practice. London: NPSA; 2009.
5. The Information Commissioner. Use and disclosure of health data: Guidance on the Application of the Data Protection Act 1998. Available from: http://www.ico.gov.uk/tools_and_resources/document_library/data_protecti...
6. NHS Information Governance Toolkit. Available from: http://www.igt.connectingforhealth.nhs.uk
7. Scott K, Middlemass JB, Dyas JV, et al. Confidentiality in the waiting room: an observational study in general practice. Br J Gen Pract 2007;57:490-3.
8. Department of Health. Confidentiality: NHS Code of Practice. London: DH; 2003.
9. Department of Health. Confidentiality: NHS Code of Practice. Supplementary Guidance: Public Interest Disclosures. London: HM Government; 2010.
10. General Medical Council. Confidentiality. London: GMC; 2009.
11. British Medical Association. Confidentiality as part of a bigger picture. London: BMA; 2005.
12. Ward Platt, A. Keeping confidence: how easy is it? Management in Practice 2011;24:46-8.