News  

There is a tussle going on in the health service over which
organisations may see a patient's confidential records without their
consent and why.

Although the Data Protection Act confers ownership of the information on
patients themselves, there are many perfectly legitimate reasons why a
PCT might wish to view records.

Checking on GPs' probity and monitoring the new GMS contract quality and
outcomes framework are not unexpected reasons. Post-payment verification
was required under the Red Book and patient-identifiable information has
been used to support payments to GPs.

However, the DoH wants the powers to go further than this. It is seeking
an extension of its powers under Section 60 of the Health and Social
Care Act 2001 to allow a wide range of NHS bodies to access confidential
patient information for their databases.

Temporary access

Section 60 was supposed to be an interim measure to allow bodies to
access patient-identifiable information without consent to support
essential NHS activities. It is supposed to operate only until NHS IT
systems are capable of creating anonymised data.

Until now, the key uses of Section 60 have been to set up cancer
registries and keep track of infectious diseases.

Surprising as it may seem, one reason for the planned Section 60
extension is that the key to anonymising the data - the NHS number - is
not recognised by all NHS systems. Additionally, temporary residents
rarely know their NHS number making it difficult to add their data.

The extension of Section 60 was okayed by the supposedly sharp-toothed
Section 60 watchdog, the Patient Information Advisory Group (PIAG). But
GP leaders are unconvinced. The GPC and the RCGP have jointly slammed
the extended powers, saying that they 'increase the risk of breaches of
confidentiality'.

Many grassroots GPs are not particularly interested in data protection.
But Kenilworth GP Dr Paul Thornton thinks they should. He warns that GPs
can be fined if they withhold patient information from the PCT.

GPs risk fines

'If a patient declines consent and the doctor withholds information, the
GP could be liable to a £5,000 fine,' he said.

Dr Thornton insists that using an identifier to link records is
perfectly possible.

'A unique number, allocated to each patient on each practice system,
known to the practice but not released further if attached to patient
identifiable data, would allow for financial audit,' he says.

'This is perfectly possible with some tweaking to the software,' he
added.

The DoH disagrees. But the department has an uncomfortable history in
this field. Last year, officials asked for assent from the PIAG for PCTs
to access medical records without consent if a GP is suspected of fraud
or other misconduct.

The PIAG's response was swift and incisive. 'Since it is likely that
many of these audits will be carried out by PCT staff who live in the
same locality as the patients involved, these powers will potentially
have a very detrimental effect on patient confidentiality,' said PIAG
chairman Professor Joan Higgins.

Health minister John Hutton insisted on the power, adding reassurances
that PCT staff would be 'suitably trained and qualified to interpret the
data they are checking'.

These reassurances were enough to silence the watchdog.

One problem remains. Annual review to ensure probity under the new
contract involves direct inspection of patient records. Assessors may
not be medically qualified and some assessment teams may not include a
medically qualified member.

'I can see that there is a problem with lay assessors. We haven't talked
about them yet,' said Professor Higgins.

The regulations stipulate that anyone inspecting records who is not a
doctor should be 'a person who owes a duty of confidentiality which is
equivalent to that which would arise if that person were a health
professional'. But how this is interpreted in practice remains to be
seen.

Meanwhile there are legally trained GPs who would not trust their data
to the system.

Dr Christine Dewbury, medical secretary of Wessex LMCs, said: 'A
requirement of the Data Protection Act is that people are aware of the
use to which their information is put and have the opportunity to
object.

'The reassurances I have been given by people at the highest level
really do not hold water.

'If I had anything to hide I would not see a doctor in the health
service.'