The UK Government has pledged that as of April 2015 all GPs in England should offer their patients online access to summary information in their records. Data published in May of this year by the Health and Social Care Information Centre (HSCIC) showed that over 97 per cent of patients in England can now take advantage of online services (including appointment and repeat prescription requests). This is a huge increase from 3 per cent in April 2014 and is welcomed by many patients.
There are some obvious advantages for patients in being able to easily access personal medical information – and also potential benefits to practices who now manually manage increasing numbers of subject access requests under the Data Protection Act 1998. But is some caution advised?
Simply making a medical record available online does not negate the responsibility to comply with requirements of the Data Protection Act, especially in relation to the lawful processing of “personal sensitive data” as defined by the Act.
Current arrangements for responding to subject access requests, for example, mean that data controllers must take steps to ensure that accessed or copied medical records are appropriately redacted of any inappropriate third party identifiers, and also information that could cause serious harm to the patient or other individual if they became aware of it. These requirements will continue to exist even where patients have full unrestricted online access to their medical records. And there are other specific issues that need to be considered in our new cyber-world.
Clear medical utility
Researchers from the Institute of Child Health, Queen Mary University of London, and the University of Bristol have recently highlighted concerns about the potential for unintended harm in providing patients online access to records. They expressed concerns over the possible adverse effect on vulnerable patients in accessing their personal data. They recommended limiting online access to recent information that has “clear medical utility, such as test results, referral letters, clinic letters, current medication and allergies”.
The researchers also cautioned that online access to full medical records should be implemented slowly in a staged process and with thorough evaluation. This all suggests that practices will now still have to “go through the burn” of inspecting each medical record thoroughly before it is made available for online access by the patient. Such an approach seems to be fairly logical and risk-averse, but I am presently unaware of many protests from data controllers in this respect, which does make me wonder how many practices are actually undertaking this task before making a record available online.
Of course, there is a plus side to inspecting records for online access in that once it’s done it’s done, meaning that in the longer term practices may become less burdened with responding to written subject access requests. Practices will of course still have to find ways of ensuring that any new entries in the patient record comply with redaction principles.
Access by whom
The researchers were also particularly concerned about the potential for coercion, when patients may feel pressured to give others access to their online medical record. Older people, teenagers and those with learning difficulties could be most at risk from this: for example, from overt threats or physical force in an abusive relationship, or under the guise of helping a vulnerable relative, especially older people or those with learning disabilities.
Alan Frame looks at the benefits and risks of patient access to online medical records (Summer 2015)
This is an important consideration as traditional subject access requests are made in writing, which may provide an additional safety net to vulnerable patients as the practice or data controller will at the very least take steps to ensure that the individual claiming to make a request on the patient’s behalf has a legitimate right to do so. Where coercion is suspected, steps can then be taken to investigate the matter further, but this important opportunity is likely to be lost where the medical record can be accessed remotely online on an ongoing or frequent basis, simply by providing a user identifier and password.
Parental rights of access also come under the microscope, with current proposals suggesting that parents will not have automatic access to a child’s record after age 12. However, the risk here is that teenagers may still find it difficult to refuse parental requests for access if they are worried it may look like they have something to hide. And what happens when a parent still has access when a competent teenager attends on their own, without their parents’ knowledge, and the practice “forgets” that parental access is no longer valid? Such a prospect suggests that practice managers and GPs may be in for some interesting conversations with parents who suddenly find that they are automatically blocked online from accessing their child’s medical record.
Another issue of concern identified by the researchers relates to the clinician who may be worried about coercion or third-party information leakage within households and may play safe by not recording anything deemed to be sensitive, including early concerns about abuse or maltreatment. This may impact on care of the patient – and the use of the medical record as a communication tool between clinicians – causing early warning signs to be missed before concerns are raised.
So what practical considerations could help manage these significant changes? It is important that practices consider:
• Providing patient information leaflets about online access arrangements with an explanation regarding various items in the record. This should include a process for patients to follow with a note of whom to speak to if they are concerned/confused about anything they find in their online record.
• Reviewing notes before allowing access, specifically relating to third-party and seriously harmful information. As medical records are routinely updated, practices will also require processes in place for ongoing review.
• Devising an identity verification and consent process, including the management of proxy access.
• The importance of the data quality of records in the knowledge that patients are going to be viewing their data online. Patients have long been able to request access to their records, but ease of online access will increase the numbers of patients who consult their records.
• Patients will rightly expect their personal data to be correct and up-to-date. Confusion and concern may be caused by abbreviations, euphemisms, technical language or administrative data. It is important therefore that all staff involved with recording clinical information in the practice are aware and alert that patients will be more likely to read what they record.
Time will tell if online access makes life easier for practices in the long term. NHS England is certainly convinced. National Director for Patients and Information Tim Kelsey has said: “Giving patients access to their full medical records online is a world first – it opens the NHS up to those who use it.
“It will be so much easier for people to navigate the NHS. When online banking started back in 1998, people were distrustful. Now more than 22 million people are using it.
“These kinds of changes don’t just reduce costs – they also empower people and allow them to take more control.”
Alan Frame is a risk adviser at MDDUS