Clinicians should resist the temptation to access patient records without a sound clinical reason to do so
In June of this year BMA Scotland reported that its staff had been involved in a number of disciplinary hearings representing members who allegedly accessed electronic medical records for inappropriate reasons.
The separate incidents involved doctors of all grades consulting either their own records or those of patients not under their treatment, including family members, colleagues and some high-profile individuals. MDDUS has also seen an increase in the number of such cases among its members.
Two obvious factors are behind the growing number of confidentiality breaches of this type: the greater ease of access due to the near universal digitisation of patient records and the ability to audit such access and spot irregularities. The guidance for all healthcare professionals on these matters is clear – access to patient records should be restricted to clinical purposes only. Inappropriate access can lead not only to disciplinary action from local health boards or PCTs and GMC/GDC sanctions but also potential prosecution against an employer under the Data Protection Act.
Not only should clinicians be diligent about their own practice, it is also essential that employed staff understand that accessing medical records without just cause is a serious matter. The Data Protection Act says that: “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.” The Act requires that security measures are put in place to ensure that only authorised people can access personal data and that these people should “only act within the scope of their authority”.
In its guidance on confidentiality the GMC is also clear on this point: “You must make sure that any personal information about patients that you hold or control is effectively protected at all times against improper disclosure.”
It states further: “If you are responsible for the management of patient records or other patient information, you should make sure that they are held securely and that any staff you manage are trained and understand their responsibilities. You should make use of professional expertise when selecting and developing systems to record, access and send electronic data. You should make sure that administrative information, such as names and addresses, can be accessed separately from clinical information so that sensitive information is not displayed automatically.”
Practices and other healthcare providers should ensure that robust procedures and policies are in place to prevent inappropriate access to patient records – be it intentional or inadvertent. There should also be regular reminders and updates to staff on data protection policies to reinforce this message.
Just as the BMA has noted – defending such breaches can be very difficult given the clear rules on confidentiality and the incontrovertible evidence provided by electronic audit.
ACTION: MDDUS urges members: do not be tempted to access the medical records of individuals who are not patients – including your own. Accessing records should be for clinical purposes only. Employing clinicians must also ensure that robust procedures are in place to prevent unwarranted access by staff.