Medical Data Confidentiality 101 – Dr Jeremy Rogers MD MRCGP, Senior Clinical Fellow in Health Informatics, Northwest Institute of Bio-Health Informatics


Page 1: Medical Data Confidentiality 101

Medical Data Confidentiality 101

Dr Jeremy Rogers MD MRCGP

Senior Clinical Fellow in Health Informatics

Northwest Institute of Bio-Health Informatics

Page 2: Medical Data Confidentiality 101

Confidentiality in a nutshell

Don’t tell ANYBODY ANYTHING

about a person EVER

unless you have their consent

Page 3: Medical Data Confidentiality 101

But it's not that simple

► Obligation to disclose when in public interest

  ► Includes, but not limited to, statutory reporting

► Product recall, e.g.

  ► faulty surgical implant – need registry

  ► faulty surgeon (HBV) may require naming surgeon

► Billing for care provided to organisation commissioning it

  ► Patient name and address by tradition used as order number

► Research

Page 4: Medical Data Confidentiality 101

Overview

► Medical Data Confidentiality in the UK

  ► What patients want

► The Law

► Ethics

► Licensing and policing

► The reality

► USA and HIPAA

► EC Regulation

Page 5: Medical Data Confidentiality 101

Protecting Confidentiality: The UK

Page 6: Medical Data Confidentiality 101

Trust me, I’m a doctor…

► Until 19th century, reliance on good faith of researchers

► A few researchers broke that trust

  ► Burke & Hare 1827

  ► Organ Retention Scandals – Bristol and Alder Hey 1998

► 19th Century Legislation

  ► Anatomy Act (1832)

  ► Cruelty to Animals Act (1876)

► 20th Century Legislation

  ► Animals (Scientific Procedures) Act (1986)

  ► Human Fertilisation and Embryology Act (1990)

  ► Data Protection Act (1998)

  ► Health and Social Care Act (2001)

  ► UK Medicines for Human Use (Clinical Trials) Regulations (2004)

  ► Human Tissue Act (2004)

Page 7: Medical Data Confidentiality 101

What do the patients think? Public Consultations

ERDIP

Share with Care

YouGov

Page 8: Medical Data Confidentiality 101

NHS Consultations on Confidentiality

ERDIP Report #5: Electronic record development and implementation programme

► October 2002 to January 2003

► Minimal publicity

► Consultation of dubious value

  ► Based on 6 focus groups in nursing homes

Page 9: Medical Data Confidentiality 101

NHS Consultations on Confidentiality

Share with Care (NHS & Consumer’s Assoc 2002)

► Lots of trust, no awareness of reality

► 60% would not want to put health info into a virtual sealed envelope

► More concern on who uses info and whether it is anonymous than how it is used

► People prefer to grant access to specific types of people for any purpose, rather than for a specific purpose but by any type of person

► Support principles of consent and anonymisation for all non-treatment reasons

► Most don’t want to be asked for consent for use of anonymised data, but would like to know as a courtesy

► Sex and race difference

  ► Women and Caucasians want confidentiality

► Pragmatics: spend money on care, not on systems to protect confidentiality

Page 10: Medical Data Confidentiality 101

2005 YouGov Survey (n=2000)

► 75% do not object to medical records being held on computer

► But 25% do

► 80% afraid non-health professional will have access to their record

► 77% want explicit opt-in consent

► 93% want public consultation first

Page 11: Medical Data Confidentiality 101

The UK today in a nutshell…

[Diagram: You and your Medical Data at the centre, surrounded by Common & Statute Law, PIAG, GMC, MRC, NHS Policy, Caldicott Guardians, the Information Commissioner, SCAG, LREC, Journals and the 4th Estate]

Page 12: Medical Data Confidentiality 101

The UK today in a nutshell…

► 2 Common Law principles (consent, and privacy)

► 5 Acts of Parliament

► 5 bodies making policy

  ► Parliament, GMC, MRC, RECs, NHS

► More than one document each

► 5 oversight/licensing bodies

  ► RECs, Caldicott, PIAG, SCAG, Information Commissioner

► Different remits - not bound by each other’s decisions

► Approval does not guarantee no possibility of prosecution

► Plus 3 more for special occasions (GTAC, MRHA, HTA)

► 5 Police Forces

  ► The Law Courts – put you in jail

► The GMC – remove license to practise

► The Research Councils – refuse grants

► The Scientific Press – refuse to publish

► The Tabloid Press – public humiliation

Page 13: Medical Data Confidentiality 101

UK: The Law

Page 14: Medical Data Confidentiality 101

Remember…the law is an ass

► Chandler v Webster (1904)

  ► Claimant rented room from which to watch the coronation, at higher than normal price reflecting demand, and left a deposit. Coronation cancelled.

  ► Court agreed that contract was frustrated, but deemed that not only should deposit NOT be returned, but claimant remained liable for the full agreed balance, because losses must ‘lie where they fall’.

► Anchor Brewhouse v Berkely House (1987)

  ► Pub seeks court order to stop booms of building cranes swinging over their property. No question of any damage, or likelihood of damage.

  ► Court (reluctantly) obliged to rule that it was technically a trespass, and should stop.

Page 15: Medical Data Confidentiality 101

UK Legal Regulation

► Common Law (Tort)

  ► Duty of confidence in absence of consent

  ► Right to grant or withhold consent

  ► Except, also legal duty to notify

    ► Birth, death, infectious disease

► Access to Health Records Act 1990

  ► Now only relevant to deceased patients

► Human Rights Act 1998

  ► Basic right to privacy

► Data Protection Act 1998

► Freedom of Information Act 2000

  ► General right to request any info held by any public body

  ► Includes e.g. written local data governance protocols

  ► Identifiable clinical data is exempt (as governed by DPA)

  ► Non-identifiable and aggregated results are not exempt

► Health and Social Care Act 2001 (Sections 60 & 61)

  ► Powers to stop or require information disclosure

Page 16: Medical Data Confidentiality 101

Data Protection Act 1998 Principles: Exec Summary

► At least one of:

  ► Consent

  ► Necessary

    ► to meet any legal obligations arising out of agreement with subject

    ► to protect data subject from death

  ► No infringement of rights or interests of data subject

► Plus, if sensitive, at least one of:

  ► Explicit consent

  ► Necessary to meet employment rights/obligations

  ► Processor is NPO

  ► Information already in public domain

  ► Required for legal proceedings

  ► Necessary for healthcare, and undertaken by healthcare professional with duty of confidentiality

► Obtained for specified (lawful) purposes, and not used in any incompatible manner

► Must not hold or acquire data not needed to fulfil stated purposes

► Data to be accurate and up to date

► Destroyed once purposes met

► Data subject must have access, right to correct and right to prevent processing that causes distress

► Appropriate safeguards to prevent unlawful processing, or accidental loss.

► Must not transfer data outside EEC unless the territory has adequate protection

Page 17: Medical Data Confidentiality 101

Section 60 of the Health and Social Care Act 2001

► DPA would have closed down the Cancer Registries

► Data collected without consent, because of numbers

► Identifiers included to assist detection of duplicate reporting

► DoH wants to block as well as enable data flows

Page 18: Medical Data Confidentiality 101

Section 60 of the Health and Social Care Act 2001

► Regulates use of identifiable patient data without consent

► Defines ‘patient information’

► Defines ‘confidential patient information’

► 2 types of support

► Specific support

►Where purpose of collection is complex or controversial

►Requires debate in parliament, advised by PIAG

► Class support

►Where purpose is one of 6 (relatively) uncontroversial kinds

►Requires approval by Secretary of State, advised by PIAG

► Exemption is reviewed annually

► Supposed to be a transitional measure

Page 19: Medical Data Confidentiality 101

Patient Information Advisory Group (PIAG) http://www.advisorybodies.doh.gov.uk/piag/Index.htm

► Established in December 2001

► 13 members, meet every 3 months

► Applications MUST demonstrate:

  ► Why collecting the data is medically useful

  ► Why consent can not be obtained

  ► That data will be destroyed when no longer needed

  ► A clear exit strategy that involves either:

    ► Obtaining informed consent in future

    ► Anonymising data

► Explicit remit to work itself out of a job

  ► By encouraging change in culture & practice

Page 20: Medical Data Confidentiality 101

Security and Confidentiality Advisory Group (SCAG) http://www.advisorybodies.doh.gov.uk/NWCS/

► Established in 1996

► Governs access to 3 NHS databases

  ► Hospital Episode Statistics database

  ► NHS-Wide Clearing Service database

  ► NHS Strategic Tracing Service

Page 21: Medical Data Confidentiality 101

UK: Ethical Oversight

Page 22: Medical Data Confidentiality 101

Ethical Regulation: General Medical Council

► ABSOLUTE ideal of consent if possible

► Even if patient not identifiable

► Minimum disclosure

► Use deidentified information wherever possible, even if you have consent

► Consent to treatment implies consent to share information needed to effect treatment

► Recipient of information given must be under duty of confidence (ie know that info is not in public domain)

September 2000

Page 23: Medical Data Confidentiality 101

Consent even if not identifiable? Source Informatics Ltd v Department of Health

► Source Informatics Ltd

  ► Scheme to buy data from pharmacists: content of NHS prescription forms, except identity of the patient

  ► Aggregated info to be sold to pharmaceutical companies, to be used to target marketing at GPs based on their known prescribing behaviour

► DoH

  ► Concerned that use of anonymous information could be used to increase national drug bill

  ► Guidance document: this information is confidential

Page 24: Medical Data Confidentiality 101

Consent even if not identifiable? The Legal Decision

► High Court (May 1999) www.gmc-uk.org/council/1999-11/confid.doc

  ► Anonymised and aggregated data was patient confidential and could not be disclosed without consent from each patient.

  ► Except that disclosure of data within the NHS might be justified ‘in the public interest’ or on the basis of implied consent.

► Court of Appeal (December 1999) www.lawreports.co.uk/source.htm

  ► GMC makes representation (costing GBP 40k)

  ► High Court overruled: Privacy is the only issue: patients have no proprietorial claim to the information

► Section 60 Health and Social Care Bill

  ► NHS applies for powers to regulate or require use of data it generates

  ► Granted, but GMC succeeds in lobbying for PIAG to regulate the Secretary of State

Page 25: Medical Data Confidentiality 101

So: no consent if anonymised. Why still in GMC guidance?

► Patient Groups

  ► Trust between doctors and patients can only be maintained if patients must give express consent to all disclosures

► Research and Public Health

  ► strong public interest in information being available

► GMC Compromise:

  ► Seek patients’ consent to disclosure of any information (whether or not identifiable) wherever possible

  ► Anonymise data where unidentifiable data will serve the purpose (even if you have consent)

  ► Keep disclosures to the minimum necessary

Page 26: Medical Data Confidentiality 101

GMC Guidance: Confidentiality: Protecting and Providing Information (Sept 2000)

► Section 4 – Disclosure other than for treatment

  ► Seek consent wherever possible

    ► Whether or not identifiable

  ► Anonymise, even if consented

  ► Principle of minimum disclosure

► Section 15 – when unlikely to cause harm

  ► Obtain consent to use of identifiable data

  ► OR

  ► Member of health care team should anonymise

Page 27: Medical Data Confidentiality 101

GMC Guidance: Confidentiality: Protecting and Providing Information (Sept 2000)

► Section 16 – if consent and anonymisation by carer not practical

  ► Can disclose to non-carer for anonymisation

    ► provided ethics committee approves

  ► Only where identification is essential may identifiable info be disclosed

  ► Provided patient is told:

    ► Data is being disclosed, why it is being disclosed, that person getting the data is under duty of confidentiality

    ► That they can object

► Section 17

  ► Do not release under section 15/16 unless trained and authorised by health authority and subject to duty of confidentiality through contract

Page 28: Medical Data Confidentiality 101

GMC Guidance: Confidentiality: Protecting and Providing Information (Sept 2000)

► Sections 40-42: after death

  ► Duty of confidentiality continues after death

  ► Circumstances dictate how much

  ► Risk of distress to the living

► Recognised situations

  ► Coroner’s investigation (inquest to cause)

  ► CEPOD, clinical event audit, education, research (but: anonymise)

  ► Public health

► Conflicts

  ► E.g. life insurer vs widow

Page 29: Medical Data Confidentiality 101

GMC Guidance 2000

[Decision flowchart: branches on Identifiable vs Anonymised, Harmless vs Harmful, Consent Possible vs Consent Impractical, and Public Good vs No Public Good; outcomes are Obtain Opt-In Consent, Implied Opt-Out Consent, No Consent (At your peril), or STOP]

Page 30: Medical Data Confidentiality 101

GMC Guidance: Confidentiality: Protecting and Providing Information (April 2004)

► Ensure patients know about all actual or possible disclosures and have had the opportunity to opt-out

► Use deidentified information wherever possible, even if you have consent

► Minimum disclosure

► Disclosure of identifiable data, other than to treat or for clinical audit by the caring team, requires opt-in consent

► Clinical audit by anybody other than the caring team must be on anonymised data, otherwise opt-in consent is needed

► Disclosure of identifiable data for non-audit but harmless purposes requires either opt-in consent or section 60 exemption

Page 31: Medical Data Confidentiality 101

GMC Guidance 2004

[Decision flowchart: branches on Anonymised vs Identifiable, Local treatment or audit vs Non-local audit or research, Consent Possible vs Consent Impractical, Public Good vs No Public Good, and PIAG Support vs No PIAG Support; outcomes are Obtain Opt-In Consent, Implied Opt-Out Consent, No Consent Needed, Exit strategy, or STOP]

Page 32: Medical Data Confidentiality 101

Ethical Regulation: Medical Research Council

► Summarises regulatory environment (PIAG, COREC etc)

► Extracts of relevant legislation

► Raises issue of statistical disclosure control

► Set of requirements for physical and logical data security

► Recommendations for data preservation and sharing

► New guidance in draft (2005)

Page 33: Medical Data Confidentiality 101

Ethical Regulation: British Medical Association

Page 34: Medical Data Confidentiality 101

UK: Putting it into practice

Page 35: Medical Data Confidentiality 101

NHS Code of Practice (2003) http://www.dh.gov.uk/PolicyAndGuidance/InformationPolicy/PatientConfidentialityAndCaldicottGuardians/fs/en

► Summarises regulatory environment (Statutes, PIAG, COREC etc)

► Extracts of relevant legislation

► Decision flow diagrams

► Mentions Privacy Enhancing Technologies

► Strong authentication for CfH NCRS under development

Page 36: Medical Data Confidentiality 101

Caldicott Guardians: Origins

► Review commissioned in 1997 by CMO

► Increasing concern about ways NHS uses patient information

► Need to protect confidentiality

► Concern largely due to fears that information technology has capacity to rapidly and extensively disseminate information about patients

► Committee chaired by Dame Fiona Caldicott

► Principal of Somerville College Oxford

► Previous President Royal College of Psychiatrists

► Reported December 1997

Page 37: Medical Data Confidentiality 101

Caldicott Report: Guiding Principles

1. Justify why patient data is needed

2. Don't use patient-identifiable information unless necessary

3. Use the minimum necessary identifiable information

4. Strict ‘need to know’ access to identifiable information

5. Everyone should be aware of their responsibilities to maintain confidentiality

6. Understand and comply with the law, in particular the Data Protection Act

Page 38: Medical Data Confidentiality 101

Caldicott Report: Recommendations (not legally binding)

1. Every dataflow, current or proposed, should be tested against basic principles of good practice. Continuing flows should be re-tested regularly.

2. A programme of work should be established to reinforce awareness of confidentiality and information security requirements amongst all staff within the NHS.

3. A senior person, preferably a health professional, should be nominated in each health organisation to act as a guardian, responsible for safeguarding the confidentiality of patient information.

4. Clear guidance should be provided for those individuals/bodies responsible for approving uses of patient-identifiable information.

5. Protocols should be developed to protect the exchange of patient-identifiable information between NHS and non-NHS bodies.

6. The identity of those responsible for monitoring the sharing and transfer of information within agreed local protocols should be clearly communicated.

7. An accreditation system which recognises those organisations following good practice with respect to confidentiality should be considered.

8. The NHS number should replace other identifiers wherever practicable, taking account of the consequences of errors and particular requirements for other specific identifiers.

9. Strict protocols should define who is authorised to gain access to patient identity where the NHS number or other coded identifier is used.

10. Where particularly sensitive information is transferred, privacy enhancing technologies (e.g. encrypting identifiers or "patient identifying information") must be explored.

11. Those involved in developing health information systems should ensure that best practice principles are incorporated during the design stage.

12. Where practicable, the internal structure and administration of databases holding patient-identifiable information should reflect the principles developed in this report.

13. The NHS number should replace the patient's name on Items of Service Claims made by General Practitioners as soon as practically possible.

14. The design of new systems for the transfer of prescription data should incorporate the principles developed in this report.

15. Future negotiations on pay and conditions for General Practitioners should, where possible, avoid systems of payment which require patient identifying details to be transmitted.

16. Consideration should be given to procedures for General Practice claims and payments which do not require patient-identifying information to be transferred, which can then be piloted.

Page 39: Medical Data Confidentiality 101

Caldicott Report Recommendations (Summarised)

1. All data flows should be subject to ‘good’ practice

2. Promote awareness in NHS

3. Caldicott Guardians

4. Guidance for safe use of identifiable data

5. Protocols for exchange with non-NHS bodies

6. Identify those responsible

7. Recognise who does good job

8. Use NHS Number only

9. Strict access controls

10. Privacy enhancing technology for sensitive data

11. Design good practice into clinical systems

12. Database structure and admin should reflect principles

13. Use NHS number on GP item of service claims asap

14. ETP systems design should reflect principles

15. Systems to determine GP pay should not require identifiable patient data

16. Same as 15

Page 40: Medical Data Confidentiality 101

Caldicott Guardians

‘A senior person, preferably a health professional, should be nominated in each health organisation to act as a guardian, responsible for safeguarding the confidentiality of patient information’ (ie CYA for the organisation)

…so there’s more than one guardian in a multi-centre study

Page 41: Medical Data Confidentiality 101

Role of Caldicott Guardian: To ensure that…

► All data disclosures are formally justified

► Information is exchanged only when absolutely necessary

► Only minimum data required for job is exchanged

► Appropriate access controls are implemented

► All data users know their responsibilities

► Law is complied with

Page 42: Medical Data Confidentiality 101

Meanwhile… the real world

Page 43: Medical Data Confidentiality 101

Meanwhile… The Reality

► Estimated 20,000 successful deliberate unauthorised accesses annually

► Obtained by phoning up and asking

► NHS Clearing centralises NHS order and invoice reconciliation

► But keeps persistent record of all events that pass through it, including name and address

► Draft NHS charter (2003) claims NHS has right to refuse to treat some patients who refuse to allow their information to be shared

► Though right to opt-out from NCRS is now granted (2005)

Page 44: Medical Data Confidentiality 101

Meanwhile… For sale: Memory Stick and 13 Lancashire Cancer Patient Records

Confidential medical records of 13 cancer patients from Royal Bolton Hospital on a portable memory stick sold as new to a Crewe estate agent.

Records included dates of birth, home addresses, telephone numbers, family medical histories and GP details, dating back to 1999.

Patients' group "absolutely horrified"

Cancer charity "very alarmed"

MPs "concerning breach" and "inexcusable"

(7th March 2003)

Page 45: Medical Data Confidentiality 101

Meanwhile… How? For sale: Memory Stick and 13 Lancashire Cancer Patient Records

Contractor for the hospital's computer systems took a hospital computer to a 3rd party firm for an upgrade

Computer previously used to set up a database of colo-rectal surgery patients

Data copied to the stick as backup during upgrade

Stick resold as new for £30.

Page 46: Medical Data Confidentiality 101

Meanwhile… http://www.cs.man.ac.uk/mig/people/jeremy/Confidentiality.html

Backup tape of 57,000 patient records stolen – 13th July 2005

2 computers and 185,000 patient records stolen – 28th March 2005

Register of 6500 HIV patients emailed – 22nd February 2005

1600 medical records stolen with laptop: nobody told – October 2004

Bangalore transcriptionist threatens disclosure – 28th October 2004

Redditch Health Centre Computers Stolen – 30th September 2004

8 years of patient pathology data stolen – 14th June 2004

UK Mental Health Team computers stolen (twice) – March 2004

Page 47: Medical Data Confidentiality 101

Meanwhile… Data control and paranoia

► Ian Huntley (Soham Murders)

  ► DPA forced police to destroy record of multiple unproven allegations

► George and Gertrude Bates

  ► British Gas cut off couple because of unpaid £140 bill and no response after 10 attempts to contact

  ► Believed DPA prevented disclosure to social services

  ► Both found dead in their lounge October 2003

    ► Cause of death: hypothermia and heart disease

    ► £277 in cash on table beside bodies

    ► £1116 in purse in shoe

Page 48: Medical Data Confidentiality 101

International Comparisons: The USA: HIPAA

Page 49: Medical Data Confidentiality 101

Health Insurance Portability and Accountability Act (1996)

► 50,000 people consulted

► Defines data exchange standards

► Standards for Privacy of Individually Identifiable Health Information

► In force from April 2003

► Rules not fixed until 2000

  ► Short implementation timeframe

  ► Distracted by Y2K

Page 50: Medical Data Confidentiality 101

HIPAA Penalties

► Executives legally responsible for failures to comply

► Stiff financial and jail penalties in the event that a breach occurs

► Deidentified info is exempt

► 11,000 complaints in first 24 months

Page 51: Medical Data Confidentiality 101

HIPAA and Consent

► Must tell patients of how you plan to control use and disclosure of their data

► Disclose only minimum info needed to fulfil reason for request

► De-identify wherever possible

► Train your employees

► Complaints procedure

► Appoint a privacy officer

► Must obtain consent for all routine use and disclosure

► ..and separate explicit consent for each and every instance of non-routine use or disclosure

► Unless exempt: public health, research etc

► Patients must have right to restrict disclosure

► Patients have right to complete disclosure record

Page 52: Medical Data Confidentiality 101

HIPAA Deidentification

► Deidentified data does not identify an individual and there is no reason to think it could

► Data is considered to be deidentified iff:

  ► EITHER an expert says that the risk of re-identification is ‘very small’, and documents why they believe this

  ► OR…

Page 53: Medical Data Confidentiality 101

HIPAA Deidentification

► The following identifiers of the data subject

► and their relatives, employers

► and any household members (related or not)

are removed AND

► the information supplier has no actual knowledge that the information could be used in any way to re-identify the data subject

Page 54: Medical Data Confidentiality 101

HIPAA identifier data fields

All geographic subdivisions that identify <20k people

All date elements except the year including

Date of birth & death

Date of healthcare event

All ages over 89

Telephone/Fax numbers

Email addresses

SSN, Health plan#, Acct#

Certificate or license #

Vehicle Ids and license#

Device Ids and serial#

Web URLs

IP numbers

Biometric idents, including voice & finger print

Full face photo or similar

Any other unique identifying characteristic or code

Page 55: Medical Data Confidentiality 101

HIPAA one-way key

You may use a new unique identifier to allow re-identification by the information originator provided that:

► The new ident is not derived from or related to the data subject and can not itself be used to help re-identify them

► The re-identification key is kept securely
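The Safe Harbor field list and the one-way key described above, as an added example that is not part of the original slides: a Python routine that strips the listed identifiers, keeps only the year of dates, collapses ages over 89, drops geographic areas below the population threshold, and issues a random re-identification token that is held in a separate key store rather than derived from the subject. The field names, the small-area lookup and the sample record are constructed for illustration.

```python
"""HIPAA Safe Harbor de-identification with a separately held re-identification key.

Constructed example: field names, the small-area lookup and the sample record are
illustrative, not taken from any real system.
"""
import secrets
from datetime import date

# Direct identifiers from the Safe Harbor list: removed outright.
DIRECT_IDENTIFIERS = {
    "name", "address", "phone", "fax", "email", "ssn", "health_plan_no",
    "account_no", "licence_no", "vehicle_id", "device_serial", "url",
    "ip_address", "biometric", "photo",
}
# Date-valued fields: only the year may be released.
DATE_FIELDS = {"dob", "date_of_death", "admission_date", "discharge_date"}
# Constructed lookup of outward postcodes whose population is below the
# 20,000-person threshold; such areas are withheld rather than released.
SMALL_AREAS = {"ZE2"}


def generalise_postcode(postcode: str):
    """Keep only the outward code, and nothing at all for a small area."""
    outward = postcode.strip().upper().split()[0]
    return None if outward in SMALL_AREAS else outward


def deidentify(record: dict, key_store: dict) -> dict:
    """Return a Safe Harbor copy of `record`, registering a token in `key_store`.

    The token is random, so it is neither derived from nor related to the
    subject (a hash of an NHS number would fail that test). `key_store`
    maps token -> patient_id and must be kept apart from the released data.
    """
    token = secrets.token_hex(8)
    while token in key_store:          # collision is vanishingly unlikely, but cheap to guard
        token = secrets.token_hex(8)
    key_store[token] = record["patient_id"]

    out = {"token": token}
    for field, value in record.items():
        if field == "patient_id" or field in DIRECT_IDENTIFIERS:
            continue                           # never released
        if field in DATE_FIELDS:
            out[field + "_year"] = value.year  # year only
        elif field == "age":
            out[field] = "90+" if value > 89 else value
        elif field == "postcode":
            out[field] = generalise_postcode(value)
        else:
            out[field] = value                 # clinical content stays
    return out


def reidentify(token: str, key_store: dict):
    """Only the key holder (the information originator) can do this."""
    return key_store.get(token)


def residual_identifiers(released: dict) -> list:
    """Fields in a released record that still breach the Safe Harbor list."""
    leaks = [f for f in released
             if f == "patient_id" or f in DIRECT_IDENTIFIERS or f in DATE_FIELDS]
    age = released.get("age")
    if isinstance(age, int) and age > 89:
        leaks.append("age")
    return leaks


# Constructed sample record (no real person).
SAMPLE = {
    "patient_id": "P-0001",
    "name": "Example Patient",
    "email": "example@example.invalid",
    "phone": "0161 000 0000",
    "dob": date(1914, 5, 14),
    "age": 91,
    "postcode": "M13 9PL",
    "admission_date": date(2005, 3, 7),
    "diagnosis": "colorectal carcinoma",
}

if __name__ == "__main__":
    keys = {}
    released = deidentify(SAMPLE, keys)
    print(released)
    print("leaks:", residual_identifiers(released))
    print("originator can re-identify:", reidentify(released["token"], keys))
```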

Page 56: Medical Data Confidentiality 101

HIPAA partial deidentification

► Limited Data Set is partially deidentified

► Can include

  ► postal code or other geo information

► Dates of significant events

► Date of birth or death

► Provided data subject enters into a specific data use agreement

Page 57: Medical Data Confidentiality 101

International Comparisons: The EEC

Page 58: Medical Data Confidentiality 101

EC Directive 95/46/EC

► Europe’s own privacy standard

► Members shall prohibit processing personal data concerning health or sex life except for:

► Diagnosis or treatment

► Public health

► Criminal offences

► Fulfilling specific contractual obligations

► Legal claims

► For any purpose where consent has been obtained

Page 59: Medical Data Confidentiality 101

Privacy Enhancing Techniques

► Anonymisation

  ► Can never totally prevent re-identification

  ► Shetlands postman problem

► Pseudonymisation

  ► Can never totally prevent re-identification

► Encryption

  ► Public Key Infrastructures empirically hard to establish

► Statistical Disclosure Control

  ► Database privacy gauging for dynamic dilution of database

► Proxy services

► Data flow segmentation
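The Shetlands postman problem and the statistical disclosure control bullet above, as an added example that is not from the original slides: a Python check for quasi-identifier combinations that single out one person in an extract from which direct identifiers have already been removed, with the two disclosure-control responses (suppress the small cell, or generalise a column until every class has at least k members). The records, column names and generalisation mapping are constructed.

```python
"""k-anonymity check over quasi-identifiers and two disclosure-control responses.

Constructed example: the records, column names and mapping are illustrative.
Direct identifiers are assumed already removed; what remains can still single
someone out when the population is small (the 'Shetlands postman problem').
"""
from collections import Counter

QUASI_IDENTIFIERS = ("area", "sex", "age_band", "occupation")

# Constructed anonymised extract. One sole postman on a sparsely populated
# island is unique even without a name; four postmen in a city are not.
RECORDS = [
    {"area": "Shetland", "sex": "M", "age_band": "50-59", "occupation": "postman", "dx": "D1"},
    {"area": "Shetland", "sex": "F", "age_band": "30-39", "occupation": "teacher", "dx": "D2"},
    {"area": "Shetland", "sex": "F", "age_band": "30-39", "occupation": "teacher", "dx": "D3"},
    {"area": "Shetland", "sex": "F", "age_band": "30-39", "occupation": "teacher", "dx": "D2"},
    {"area": "Glasgow", "sex": "M", "age_band": "50-59", "occupation": "postman", "dx": "D4"},
    {"area": "Glasgow", "sex": "M", "age_band": "50-59", "occupation": "postman", "dx": "D1"},
    {"area": "Glasgow", "sex": "M", "age_band": "50-59", "occupation": "postman", "dx": "D2"},
    {"area": "Glasgow", "sex": "M", "age_band": "50-59", "occupation": "postman", "dx": "D3"},
]


def key_of(record, columns):
    """The quasi-identifier tuple that an outsider could match against."""
    return tuple(record[c] for c in columns)


def equivalence_classes(records, columns):
    """Size of each group of records sharing the same quasi-identifier values."""
    return Counter(key_of(r, columns) for r in records)


def k_anonymity(records, columns):
    """Smallest class size; 1 means at least one person is uniquely exposed."""
    classes = equivalence_classes(records, columns)
    return min(classes.values()) if classes else 0


def risky_classes(records, columns, k=3):
    """Quasi-identifier combinations shared by fewer than k people."""
    return {key: n for key, n in equivalence_classes(records, columns).items() if n < k}


def suppress_small_cells(records, columns, k=3):
    """Response 1: withhold every record whose class has fewer than k members."""
    classes = equivalence_classes(records, columns)
    return [r for r in records if classes[key_of(r, columns)] >= k]


def generalise(records, column, mapping):
    """Response 2: coarsen one column (e.g. island -> region) so classes merge."""
    return [{**r, column: mapping.get(r[column], r[column])} for r in records]


if __name__ == "__main__":
    print("k before release:", k_anonymity(RECORDS, QUASI_IDENTIFIERS))
    print("singled out:", risky_classes(RECORDS, QUASI_IDENTIFIERS))
    coarse = generalise(RECORDS, "area", {"Shetland": "Scotland", "Glasgow": "Scotland"})
    print("k after generalising area:", k_anonymity(coarse, QUASI_IDENTIFIERS))
```

Generalising keeps every record but loses the geographic detail; suppression keeps the detail but silently drops the very people a small-area study may be about, which is the trade-off disclosure control has to make before release.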

Page 60: Medical Data Confidentiality 101

Summary

► Increasingly complex area

  ► Different regulatory regimes militate against internationally based trials

► Tendency for data custodians to avoid all risk by saying ‘no’

► Complex implementation

  ► But weak points are human error, not policy

► Possibility of blind siding

  ► Central assumption that disclosure of medical detail is most likely source of harm to an individual

► Medical records increasingly valuable as substrate for identity theft?