Protecting electronic patient data

DATA extraction software for patient records can speed up information requests both for insurance companies and under-pressure GPs - but practices need to ensure essential data protection standards are met.

BUSY practices are receiving increasing numbers of requests for patient health information from insurance companies, prompting many to adopt electronic systems in a bid to lighten their workload.

Using automated data extraction software with patient records can speed up the process for both under-pressure GPs and insurance companies, as well as promising improved data protection safeguards.

In response to this growing trend, the Association of British Insurers (ABI) has drawn up a list of 10 principles setting out the standards expected of insurers when requesting and obtaining medical information electronically from GPs. They were drafted with input from the Information Commissioner’s Office (ICO) and the British Medical Association. The General Medical Council (GMC) has also confirmed that these principles are consistent with its current guidance for doctors.

Provided the principles are followed, the ABI says, practices "can be confident the process is as safe as the current system and, in some areas, is even more robust in ensuring GPs are better able to meet their obligations as a data controller under the Data Protection Act 1998 (DPA)."

Firstly, the principles state that practices who receive a request from an insurance company should make sure it is submitted in accordance with either the Access to Medical Reports Act 1988 (Wales, Scotland and England) or the Access to Personal Files and Medical Reports (Northern Ireland) Order 1991. These two acts provide insurers with the correct legal route to obtain medical information. In the past, some insurers submitted less extensive subject access requests under the DPA but this was stopped in 2015 following a review by the ICO.

Another key requirement set down by the ABI is that any electronic system should provide the GP with the ability to automatically and manually redact, amend or add sensitive personal data to an electronic medical report before it is sent to an insurer. This should prevent the disclosure of third party identifiers as well as any information that could cause serious physical or psychological harm if discovered. It should also ensure only relevant health information is released.

Consent is another important consideration and any electronic process should provide an audit trail for both GPs and patients clearly showing "what consent was granted, by whom, when and why". Systems should meet the relevant guidance set out by the ICO and GMC, and meet NHS information governance and technology standards. Data encryption must meet NHS standards.

Insurers who introduce an electronic process for obtaining medical information will undertake a privacy impact assessment (or equivalent) and can confirm with the practice what process was used. (This will be a responsibility for data controllers under the new General Data Protection Regulations (GDPR) in 2017.)

The ABI’s new guidance is available to read in full on their website.

Action: Familiarise yourself with the new ABI principles to ensure insurance company requests meet the necessary standards, including informed patient consent and data protection.