Emailing confidential patient data

EVERYONE who has ever sent an email will likely have felt that rush of panic at least once. That feeling of alarm just after you have clicked "send" – when you realise the message has gone to the wrong person.

And while the consequences of such a mistake will be minor in most cases, the same cannot be said for healthcare professionals who are emailing confidential patient information. A failure to effectively protect such sensitive data could have serious repercussions both financially and professionally.

The Information Commissioner’s Office has powers to impose monetary penalties, issue undertakings or even launch criminal proceedings against organisations and individuals who fail to protect private data. But, perhaps more seriously, doctors and dentists could also find their fitness to practise being called into question by the General Medical Council or General Dental Council.

As increasing amounts of patient information are stored and transmitted electronically, so the risks of confidentiality breaches also increase. It is more important than ever for doctors and dentists to take care when emailing patient information.

The GMC advises doctors to "always consider whether the use of email services best serves patients’ interests. Due to the risk of interception, make data anonymous or encrypted where practicable."

This is echoed by the ICO who advise: "Where the information held on a laptop or other portable device could be used to cause an individual damage or distress, in particular where it contains financial or medical information, they should be encrypted. The level of protection provided by the encryption should be reviewed and updated periodically."

If encryption is impractical, the GMC says doctors should consider "whether the benefit of electronic transmission is sufficient to warrant sending insecure, identifiable data. Consider seeking the advice of the BMA and/or indemnity organisation as to how best to organise such activities to ensure adequate quality of care, confidentiality and documentation. Appropriate arrangements for the security of personal information must be made where information is sent or received by email or other electronic means."

Risk can also be minimised by double checking your email’s recipients are correct before clicking "send" and by working from within more secure NHS email accounts (rather than personal email accounts) where possible. Emails should include the minimum amount of information necessary for the purpose of the disclosure. It is not advisable to send confidential information to a patient’s private email address without their prior consent to avoid the risk of a third party accessing the message.

The need for caution has been highlighted just this month, when the ICO fined Surrey County Council £120,000 – its largest penalty to date – for a serious breach of the Data Protection Act. Sensitive personal information was emailed to the wrong recipients on three separate occasions. The most significant breach involved a member of the council’s Adult Social Learning team who emailed a file containing sensitive personal information relating to 241 individuals’ physical and mental health to the wrong group email address.

Following the ruling, Information Commissioner Christopher Graham said: "This case should act as a warning to others that lax data protection practices will not be tolerated." In recent months, the ICO has taken action against health boards, NHS hospital trusts, NHS boards as well as medical practices, for breaching data protection or privacy laws.

The GDC also advises dentists to keep patient information confidential. They tell practitioners to "make sure you protect the confidential information you are responsible for when you receive it, store it, send it or get rid of it", adding: "If it is not necessary for the patient to be identified, make sure that the patient cannot be identified from the information you release."

ACTION Take extra care when emailing confidential patient data to ensure the information is effectively protected. Use the minimum amount of detail necessary and encrypt data where practical.