Failure to adequately secure electronic medical records could present significant legal and professional risks for doctors.
This was recently highlighted by the theft of a personal laptop containing thousands of confidential patient records from the home of a Midlands GP. A Wolverhampton practice has written to all 11,000 of its patients to alert them and apologise.
GMC ethical guidance warns that patient records must be effectively protected against disclosure at all times. In other words, GPs must take all reasonable steps to ensure patient records remain confidential, or face a potential GMC summons.
Additionally, the Data Protection Act 1998 (DPA) requires “appropriate technical and organisational measures” to prevent “unauthorised or unlawful processing of personal data”. Under Section 55 of the DPA it is a criminal offence to intentionally or recklessly disclose personal data without appropriate consent, for instance that of a GP practice.
The law could view taking patient information home on an unencrypted laptop, memory stick or other device, or leaving it in a car or office – all with the risk of theft – as ‘reckless’. Breaching patient confidentiality could also lead to a patient claim for compensation. Protecting information by passwords may no longer be enough. If necessary, take professional advice on encryption.
GPs are increasingly using laptops and PDAs (personal digital assistants) to record information during home visits. This is fine to achieve the GMC stipulation of keeping clear, accurate and legible records, but do store data securely.
ACTION: Ensure adequate data security especially for electronic patient records held on laptops, PDAs and other mobile devices. If necessary take professional advice on data encryption.
Dr George Fernie, medico-legal adviser, MDDUS