CAUTIONARY tales about lost or stolen laptops and USB sticks with unencrypted patient data are now reported with regularity in the newspapers and medical and dental tabloids. But practices and hospitals are still far from being fully paperless, and so are the risks when it comes to protecting patient confidentiality.
Earlier this month the Information Commissioner's Office (ICO) served a monetary penalty of £130,000 on Powys County Council for a serious breach of the Data Protection Act when the details of a child protection case were sent to the wrong recipient.
The breach occurred when two separate paper reports about child protection cases were sent to the same shared printer. It is thought that two pages from one report were then collected with the papers from another case and sent out without being checked. The recipient who mistakenly received the two pages of the report knew the identities of the parent and child whose personal details were included in the papers.
The breach followed a similar incident – which was reported to the ICO in June 2010 – when a social worker at Powys County Council sent information relating to another vulnerable child to the same recipient.
Assistant Commissioner for Wales, Anne Jones, said: “The distress that this incident would have caused to the individuals involved is obvious and made worse by the fact that the breach could have been prevented if Powys County Council had acted on our original recommendations.”
Confusing pages in a shared photocopier is easily done and might seem an almost trivial error. Yet the consequences in this case could hardly be more severe and highlight the need for all practice and hospital staff to be vigilant in dealing with paper records. Misfiling letters or test results into the wrong patient file could easily result in a similar confidentiality breach.
The ICO can serve a penalty of up to £500,000 for a serious contravention of the Data Protection Act likely to cause substantial damage or distress, such as unwarranted disclosure of confidential details. This will apply if a data controller has “failed to take reasonable steps to prevent contravention”.
Risks also include allowing unauthorised access to paper records by failing to secure storage or losing or misplacing originals or copies. Another common breach occurs when obsolete confidential records or copies are not segregated and disposed of securely (shredding and/or incineration depending on local policy).
Doctors and dentists also risk regulatory action from the GMC or GDC if practice policy does not provide adequate protection against unwarranted disclosure.
GMC guidance on confidentiality states: “You must make sure that any personal information about patients that you hold or control is effectively protected at all times against improper disclosure. The UK health departments publish guidance on how long health records should be kept and how they should be disposed of. You should follow the guidance whether or not you work in the NHS.”
And the GDC offers similar guidance: “Make sure that you protect the confidential information you are responsible for when you receive it, store it, send it or get rid of it.”
ACTION: In an era of increasing digitisation, ensure that you and your staff do not become complacent in regard to the security of confidential paper records.