Medical Data Confidentiality 101 Dr Jeremy Rogers MD MRCGP Senior Clinical Fellow in Health Informatics Northwest Institute of Bio-Health Informatics Confidentiality in a nutshell Dont tell ANYBODY ANYTHING about a person EVER unless you have their consent But its not that simple Obligation to disclose when in public interest Includes, but not limited to, statutory reporting

Product recall e.g. faulty surgical implant need registry faulty surgeon (HBV) may require naming surgeon Billing for care provided to organisation commissioning it Patient name and address by tradition used as order number Research Overview Medical Data Confidentiality in the UK What patients want The Law Ethics

Licensing and policing The reality USA and HIPAA EC Regulation Protecting Confidentiality The UK Trust me, Im a doctor Until 19th century, reliance on good faith of researchers A few researchers broke that trust Burke & Hare 1827 Organ Retention Scandals - Bristol and Alder Hey 1998 19th Century Legislation Anatomy Act (1832)

Cruelty to Animals Act (1876) 20th Century Legislation Animals (Scientific Procedures) Act (1986) Human Fertilisation and Embryology Act (1990) Data Protection Act (1998) Health and Social Care Act (2001) UK Medicines for Human Use (Clinical Trials) Regulations (2004) Human Tissue Act (2004)

What do the patients think? Public Consultations ERDIP Share with Care YouGov NHS Consultations on Confidentiality ERDIP Report #5 Electronic record development and implementation programme October 2002 to January 2003 Minimal publicity Consultation of dubious value Based on 6 focus groups in nursing homes

NHS Consultations on Confidentiality Share with Care (NHS & Consumers Assoc 2002) Lots of trust, no awareness of reality 60% would not want to put health info into a virtual sealed envelope More concern on who uses info and whether it is anonymous than how it is used People prefer to grant access to specific types of people for any purpose, rather than for a specific purpose but by any type of person Support principles of consent and anonymisation for all non-treatment reasons Most dont want to be asked for consent for use of anonymised data, but would like to

know as a courtesy Sex and race difference Women and Caucasians want confidentiality Pragmatics: spend money on care, not on systems to protect confidentiality 2005 YouGov Survey n=2000 75 % do not object to medical records being held on computer But 25% do 80% afraid non-health professional will have access to their record 77% want explicit opt-in consent 93 % want public consultation first

The UK today in a nutshell Medical Data Common & Statute Law GMC MRC NHS Policy Information Commissioner 4th Estate

PIAG SCAG Caldicott Guardians You LREC Journals The UK today in a nutshell 2 Common Law principles (consent, and privacy) 5 Acts of Parliament 5 bodies making policy Parliament, GMC, MRC, RECs, NHS More than one document each

5 oversight/licensing bodies RECs, Caldicott, PIAG, SCAG, Information Commissioner Different remits - not bound by each others decisions Approval does not guarantee no possibility of prosecution Plus 3 more for special occasions (GTAC, MRHA, HTA) 5 Police Forces

The Law Courts put you in jail The GMC remove license to practise The Research Councils refuse grants The Scientific Press refuse to publish The Tabloid Press public humiliation UK: The Law Rememberthe law is an ass Chandler v Webster (1904) Claimant rented room from which to watch the coronation, at higher than normal price reflecting demand, and left a deposit. Coronation cancelled. Court agreed that contract was frustrated, but deemed that not only should deposit NOT be returned, but claimant

remained liable for the full agreed balance, because losses must lie where they fall. Anchor Brewhouse v Berkely House (1987) Pub seeks court order to stop booms of building cranes swinging over their property. No question of any damage, or likelihood of damage. Court (reluctantly) obliged to rule that it was technically a trespass, and should stop. UK Legal Regulation Common Law (Tort) Duty of confidence in absence of consent Right to grant or withhold consent Except, also legal duty to

notify Birth, death, infectious disease Access to Health Records Act 1990 Now only relevant to deceased patients Human Rights Act 1998 Basic right to privacy Data protection act 1998 Freedom of Information Act 2000 General right to request any info held by any public body

Includes e.g. written local data governance protocols Identifiable clinical data is exempt (as governed by DPA) Non-identifiable and aggregated results are not exempt Health and Social Care Act 2001 (Sections 60 & 61) Powers to stop or require information disclosure Data Protection Act 1998 Principles: Exec Summary At least one of: Consent

Necessary to meet any legal obligations arising out of agreement with subject to protect data subject from death No infringement of rights or interests of data subject Plus, if sensitive, at least one of: Explicit consent Necessary to meet employment rights/obligations Processor is NPO Information already in public domain Required for legal proceedings Necessary for healthcare, and undertaken by healthcare professional

with duty of confidentiality Obtained for specified (lawful) purposes, and not used in any incompatible manner Must not hold or acquire data not needed to fulfil stated purposes Data to be accurate and up to date Destroyed once purposes met Data subject must have access, right to correct and right to prevent processing that causes distress Appropriate safeguards to prevent unlawful processing, or accidental loss.

Must not transfer data outside EEC unless to territory has adequate protection Section 60 of the Health and Social Care Act 2001 DPA would have closed down the Cancer Registries Data collected without consent, because of numbers Identifiers included to assist detection of duplicate reporting DoH wants to block as well as enable data flows Section 60 of the Health and Social Care Act 2001

Regulates use of identifiable patient data without consent Defines patient information Defines confidential patient information 2 types of support Specific support Where purpose of collection is complex or controversial Requires debate in parliament, advised by PIAG Class support Where purpose is one of 6 (relatively) uncontroversial kinds Requires approval by Secretary of State, advised by PIAG Exemption is reviewed annually Supposed to be a transitional measure Patient Information Advisory Group

(PIAG) Established in December 2001 13 members, meet every 3 months Applications MUST demonstrate: Why collecting the data is medical useful Why consent can not be obtained That data will be destroyed when no longer needed A clear exit strategy that involves either: Obtaining informed consent in future Anonymising data Explicit remit to work itself out of a job By encouraging change in culture & practise

Security and Confidentiality Advisory Group (SCAG) Established in 1996 Governs access to 3 NHS databases Hospital Episode Statistics database NHS-Wide Clearing Service database NHS Strategic Tracing Service. UK: Ethical Oversight Ethical Regulation: General Medical Council ABSOLUTE ideal of consent if possible Even if patient not identifiable

Minimum disclosure Use deidentified information wherever possible, even if you have consent Consent to treatment implies consent to share information needed to effect treatment Recipient of information given must be under duty of confidence (ie know that info is not in public domain) September 2000 Consent even if not identifiable? Source Informatics Ltd v Department of Health

Source Informatics Ltd Scheme to buy data from pharmacists: content of NHS prescription forms, except identity of the patient Aggregated info to be sold to pharmaceutical companies, to be used to target marketing at GPs based on their known prescribing behaviour DoH Concerned that use of anonymous information could be used to increase national drug bill Guidance document: this information is confidential Consent even if not identifiable? The Legal Decision High Court (May 1999)

Anonymised and aggregated data was patient confidential and could not be disclosed without consent from each patient. Except that disclosure of data within the NHS might be justified in the public interest or on the basis of implied consent. Court of Appeal (December 1999) GMC makes representation (costing GBP 40k) High Court overruled: Privacy is the only issue: patients have no proprietorial claim to the information Section 60 Health and Social Care Bill NHS applies for powers to regulate or require use of data it generates Granted, but GMC succeeds in lobbying for PIAG

to regulate the Secretary of State So: no consent if anonymised Why still in GMC guidance? Patient Groups Trust between doctors and patients can only be maintained if patients must give express consent to all disclosures Research and Public Health strong public interest in information being available GMC Compromise: Seek patients consent to disclosure of any information (whether or not identifiable) wherever possible Anonymise data where unidentifiable data will serve the purpose (even if you have consent) Keep disclosures to the minimum necessary

GMC Guidance Confidentiality: Protecting and Providing Information (Sept 2000) Section 4 - Disclosure other than for treatment Seek consent wherever possible Whether or not identifiable Anonymise, even if consented Principle of minimum disclosure Section 15 when unlikely to cause harm Obtain consent to use of identifiable data OR Member of health care team should anonymise

GMC Guidance Confidentiality: Protecting and Providing Information (Sept 2000) Section 16 if consent and anonymisation by carer not practical Can disclose to non-carer for anonymisation provided ethics committee approves Only where identification is essential may identifiable info be disclosed Provided patient is told: Data is being disclosed, why it is being disclosed, that person getting the data is under duty of confidentiality That they can object Section 17

Do not release under section 15/16 unless trained and authorised by health authority and subject to duty of confidentiality through contract GMC Guidance Confidentiality: Protecting and Providing Information (Sept 2000) Sections 40-42: after death Duty of confidentiality continues after death Circumstances dictate how much Risk of distress to the living Recognised situations Coroners investigation (inquest to cause) CEPOD, clinical event audit, education, research (but: anonymise)

Public health Conflicts E.g. life insurer vs widow GMC Guidance 2000 Consent Impractical Harmless Consent Possible Harmful Public Good

No Public Good STOP Anonymised Identifiable Implied Opt-Out Consent No Consent (At your peril) Obtain Opt-In Consent

GMC Guidance Confidentiality: Protecting and Providing Information (April 2004) Ensure patients know about all actual or possible disclosures and have had the opportunity to opt-out Use deidentified information wherever possible, even if you have consent Minimum disclosure Disclosure of identifiable data, other than to treat or for clinical audit by the caring team, requires opt-in consent Clinical audit by anybody other than the caring team must be on anonymised data, otherwise opt-in consent is needed Disclosure of identifiable data for non-audit but harmless purposes requires either opt-in consent or section 60 exemption

GMC Guidance 2004 Implied Opt-Out Consent Local treatment or audit Non-local audit or research Consent Impractical Identifiable Public Good Consent

Possible Anonymised No Public Good STOP PIAG Support No PIAG Support STOP No Consent Needed

Exit strategy Obtain Opt-In Consent Ethical Regulation: Medical Research Council Summarises regulatory environment (PIAG, COREC etc) Extracts of relevant legislation Raises issue of statistical disclosure control Set of requirements for physical and logical data security Recommendations for data preservation and sharing

New guidance in draft (2005) Ethical Regulation: British Medical Association UK: Putting it into practice NHS Code of Practice (2003) Summarises regulatory environment (Statutes, PIAG, COREC etc) Extracts of relevant legislation Decision flow diagrams Mentions Privacy

Enhancing Technologies Strong authentication for CfH NCRS under development Caldicott Guardians: Origins Review commissioned in 1997 by CMO Increasing concern about ways NHS uses patient information Need to protect confidentiality Concern largely due to fears that information technology has capacity to rapidly and extensively disseminate information about patients Committee chaired by Dame Fiona Caldicott Principal of Somerville College Oxford Previous President Royal College of Psychiatrists

Reported December 1997 Caldicott Report: Guiding Principles 1. Justify why patient data is needed 2. Don't use patient-identifiable information unless necessary 3. Use the minimum necessary identifiable information 4. Strict need to know access to identifiable information 5. Everyone should be aware of their responsibilities to maintain confidentiality 6. Understand and comply with the law, in particular the Data Protection Act Caldicott Report:

Recommendations (not legally binding) 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. 13. 14. 15.

16. Every dataflow, current or proposed, should be tested against basic principles of good practice. Continuing flows should be re-tested regularly. A programme of work should be established to reinforce awareness of confidentiality and information security requirements amongst all staff within the NHS. A senior person, preferably a health professional, should be nominated in each health organisation to act as a guardian, responsible for safeguarding the confidentiality of patient information. Clear guidance should be provided for those individuals/bodies responsible for approving uses of patient-identifiable information. Protocols should be developed to protect the exchange of patient-identifiable information between NHS and non-NHS bodies. The identity of those responsible for monitoring the sharing and transfer of information within agreed local protocols should be clearly communicated. An accreditation system which recognises those organisations following good practice with respect to confidentiality should be considered.

The NHS number should replace other identifiers wherever practicable, taking account of the consequences of errors and particular requirements for other specific identifiers. Strict protocols should define who is authorised to gain access to patient identity where the NHS number or other coded identifier is used. Where particularly sensitive information is transferred, privacy enhancing technologies (e.g. encrypting identifiers or "patient identifying information") must be explored. Those involved in developing health information systems should ensure that best practice principles are incorporated during the design stage. Where practicable, the internal structure and administration of databases holding patientidentifiable information should reflect the principles developed in this report. The NHS number should replace the patient's name on Items of Service Claims made by General Practitioners as soon as practically possible. The design of new systems for the transfer of prescription data should incorporate the principles developed in this report. Future negotiations on pay and conditions for General Practitioners should, where possible, avoid systems of payment which require patient identifying details to be transmitted. Consideration should be given to procedures for General Practice claims and payments which do not require patient-identifying information to be transferred, which can then be piloted.

Caldicott Report Recommendations (Summarised) 1. All data flows should be subject 10. Privacy enhancing technology to good practise for sensitive data 2. Promote awareness in NHS 3. Caldicott Guardians 4. Guidance for safe use of identifiable data 5. Protocols for exchange with non-NHS bodies 6. Identify those responsible 7. Recognise who does good job 8. Use NHS Number only 9. Strict access controls

11. Design good practice into clinical systems 12. Database structure and admin should reflect principles 13. Use NHS number on GP item of service claims asap 14. ETP systems design should reflect principles 15. Systems to determine GP pay should not require identifiable patient data 16. Same as 15 Caldicott Guardians A senior person, preferably a health professional, should be nominated in each health organisation to act as

a guardian, responsible for safeguarding the confidentiality of patient information (ie CYA for the organisation) so theres more than one guardian in a multi-centre study Role of Caldicott Guardian: To ensure that.. All data disclosures are formally justified Information is exchanged only when absolutely necessary Only minimum data required for job is exchanged Appropriate access controls are implemented All data users know their responsibilities Law is complied with

Meanwhile.the real world Meanwhile The Reality Estimated 20,000 successful deliberate unauthorised accesses annually Obtained by phoning up and asking NHS Clearing centralises NHS order and invoice reconciliation But keeps persistent record of all events that pass through it, including name and address Draft NHS charter (2003) claims NHS has right to refuse to treat some patients who refuse to allow their information to be shared Though right to opt-out from NCRS is now granted (2005)

Meanwhile For sale: Memory Stick and 13 Lancashire Cancer Patient Records Confidential medical records of 13 cancer patients from Royal Bolton Hospital on a portable memory stick sold as new to a Crewe estate agent. Records included dates of birth, home addresses, telephone numbers, family medical histories and GP details, dating back to 1999. Patients' group "absolutely horrified" Cancer charity "very alarmed" MPs "concerning breach and "inexcusable (7th March 2003) MeanwhileHow? For sale: Memory Stick and 13

Lancashire Cancer Patient Records Contractor for the hospital's computer systems took a hospital computer to a 3rd party firm for an upgrade Computer previously used to set up a database of colo-rectal surgery patients Data copied to the stick as backup during upgrade Stick resold as new for 30. Meanwhile.. Backup tape of 57,000 patient records stolen Bangalore transcriptionist threatens disclosure

13th July 2005 28th October 2004 2 computers and 185,000 patient records stolen Redditch Health Centre Computers Stolen 28th March 2005 30th September 2004 Register of 6500 HIV patients emailed

8 years of patient pathology data stolen 22nd February 2005 14th June 2004 1600 medical records stolen with laptop: nobody told UK Mental Health Team computers stolen (twice) October 2004 March 2004

Meanwhile Data control and paranoia Ian Huntley (Soham Murders) DPA forced police to destroy record of multiple unproven allegations George and Gertrude Bates British Gas cut off couple because unpaid 140 bill and no response after 10 attempts to contact Believed DPA prevented disclosure to social services Both found dead in their lounge October 2003 Cause of death: hypothermia and heart disease 277 in cash on table beside bodies 1116 in purse in shoe International Comparisons

The USA: HIPAA Health Insurance Portability and Accountability Act (1996) 50,000 people consulted Defines data exchange standards Standards for Privacy of Individually Identifiable Health Information In force from April 2003 Rules not fixed until 2000 Short implementation timeframe Distracted by Y2K HIPAA Penalties Executives legally responsible for failures to

comply Stiff financial and jail penalties in the event that a breach occurs Deidentified info is exempt 11,000 complaints in first 24 months HIPAA and Consent Must tell patients of how you plan to control use and disclosure of their data Disclose only minimum info needed top fulfil reason for request De-identify wherever possible Train your employees Complaints procedure Appoint a privacy officer Must obtain consent for all routine use and disclosure ..and separate explicit consent for each and every instance

of non-routine use or disclosure Unless exempt: publich health, research etc Patients must have right to restrict disclosure Patients have right to complete disclosure record HIPAA Deidentification Deidentified data does not identify an individual and there is no reason to think it could Data is considered to be deidentified iff: EITHER An expert says that the risk of re-identification is very small, and documents why they believe this OR HIPAA Deidentification

The following identifiers of the data subject and their relatives, employers and any household members (related or not) are removed AND the information supplier has no actual knowledge that the information could be used in any way to re-identify the data subject HIPAA identifier data fields All geographic subdivisions that identify <20k people Certificate or license # All date elements except the

year including Device Ids and serial# Date of birth & death Date of healthcare event All ages over 89 Telephone/Fax numbers Email addresses SSN, Health plan#, Acct# Vehicle Ids and license# Web URLs IP numbers Biometric idents, includig voice & finger print

Full face photo or similar Any other unique identifying characteristic or code HIPAA one-way key You may use a new unique identifier to allow re-identification by the information originator provided that: The new ident is not derived from or related to the data subject and can not itself be used to help re-identify them The re-identification key is kept securely HIPAA partial deidentification Limited Data Set is partially deidentified

Can include postal code or other geo information Dates of significant events Date of birth or death Provided data subject enters into a specific data use agreement International Comparisons: The EEC EC Directive 95/46/EC Europes own privacy standard Members shall prohibit processing personal data concerning health or sex life except for: Diagnosis or treatment Public heath

Criminal offences Fulfilling specific contractual obligations Legal claims For any purpose where consent has been obtained Privacy Enhancing Techniques Anonymisation Can never totally prevent re-identification Shetlands postman problem Pseudonymisation Can never totally prevent re-identification Encryption Public Key Infrastructures empirically hard to establish Statistical Disclosure Control

Database privacy gauging for dynamic dilution of database Proxy services Data flow segmentation Summary Increasingly complex area Different regulatory regimes militate against internationally based trials Tendency for data custodians to avoid all risk by saying no Complex implementation But weak points are human error, not policy Possibility of blind siding Central assumption that disclosure of medical detail is most

likely source of harm to an individual Medical records increasingly valuable as substrate for identity theft?

Recently Viewed Presentations

  • What is Community Psychology?

    What is Community Psychology?

    Psychological Sense of Community (SoC) Fall 2010 * strength of bonding among community members (Sarason, 1974) McMillan & Chavis (1986) expanded on this definition: Feeling that members belong Feeling that members matter to one another & to group Shared faith...
  • EE 345S Real-Time Digital Signal Processing Lab Fall 2007

    EE 345S Real-Time Digital Signal Processing Lab Fall 2007

    EE 445S Real-Time Digital Signal Processing Lab Fall 2011 Lab #3.1 Digital Filters Debarati Kundu (With the help of Mr. Eric Wilbur, TI) Discrete-Time Sinusoidal Response Discrete-Time Sinusoidal Response * Outline Discrete-Time Convolution FIR Filter Design Convolution Using Circular Buffer...
  • Framework - Eastern Illinois University

    Framework - Eastern Illinois University

    Different services have different weaknesses Host's operating system, version number, etc. Whois database at also used when ping scans fail Social engineering Tricking employees into giving out info (passwords, keys, etc.) Deciding the type of attacks to launch given...
  • BIOLOGY Unit 9-Earthworm Notes

    BIOLOGY Unit 9-Earthworm Notes

    Earthworm Notes (1) External Parts Setae: Rings / Segments Contain tiny hairs to help with movement + sex. Clitellum: Knob near center-length of worm. Secretes fluid to enclose fertilized eggs. Mouth vs. Anus: Mouth = Closer to Clitellum Anus =...


    Spinning jenny, 1765. Home-based machine that spun thread 8 times faster than when spun by hand. Richard Arkwright (English) Water frame, 1769. Water-powered spinning machine that was too large for use in a home - led to the creation of...
  • PowerPoint 簡報 - NCKU

    PowerPoint 簡報 - NCKU

    , simply create a trie node with decision . d. The Cost(t) of a trie. t: the number of nodes with a decision, which corresponds to the number of TCAM rules needed for that trie. LRMerge(l,r) two tries: we create...
  • Product Priorities For Europe - englishbookeducation

    Product Priorities For Europe - englishbookeducation

    We can link from your LMS platform to MyLab & Mastering and REVEL. Access assignments and rosters, transfer grades with ease, and link to MyLab & Mastering content from within Blackboard, Brightspace by D2L, Canvas, or Moodle [NB: REVEL /...