Details have emerged of an incident last year in which the electronic medical records of former England football manager Sir Bobby Robson were viewed illicitly by NHS staff when he went into hospital.
He needed surgery in August 2006 for a brain tumour. He was treated by Newcastle Upon Tyne Hospitals NHS Foundation Trust.
An internal hospital memo, leaked to the Chronicle newspaper in Newcastle, said:
"Over the last few weeks the ongoing security reports relating to the access by staff to the PAS (patient administration system) system and to the Casenote Tracker module has identified inappropriate access which has resulted in a formal disciplinary investigation and written warnings being issued to a number of trust staff who have accessed patients' information for no other reason than personal curiosity."
This might have been the incident North Tees Primary Care Trust was referring to when it warned of a new security risk to the confidentiality of patient records under the NHS’s National Programme for IT [NPfIT].
The North Tees warning had been in a paper to trust board in March 2007 which referred to the Care Records Guarantee – which, under the NPfIT, gives an undertaking to patients that their confidential data will be protected from unauthorised access.
North Tees Primary Care Trust said in the paper:
"A new security risk … has been identified as part of the Care Records Guarantee. This risk is around staff inappropriately accessing [a] patient’s records who are not part of their care load. It was noted in an audit that a recent admission of a celebrity to a hospital had revealed over 50 staff viewing the patient record… Staff should only access records of patients with whom they have a legitimate relationship.”
After an investigation by the Newcastle trust into the incident involving Sir Bobby Robson, only 10 NHS staff received written warnings, but it is possible that more looked up his records.
Officials at NHS Connecting for Health, which runs part of the NPfIT, will be relieved that the breach of confidentiality of Bobby Robson's records happened at a hospital that had a patient administration system not supplied the local service provider. So the breach did not involve an NPfIT system.
But it showed what could happen under the NPFIT. Is such a breach of security more or less likely to happen under the NPfIT, and if it did occur, would it be more likely than now to be spotted during audits?
Newcastle Foundation Trust appears to have had robust and mature business processes and systems which led to its spotting the illicit viewing of medical records. The NPfIT has immature business processes and systems for spotting the illicit viewing of medical records.
NHS Connecting for Health believes that security will be much tighter under the NPfIT in part because smartcards are issued to vetted individuals, and access to a patient's records can be made only on the basis of doctors and nurses having a legitimate reason to view the files. Also, the NHS has to show that it has processes in place to check audit trails to see who has viewed what.
All this is backed up by the threat of dismissal or worse if NHS staff view files they shouldn't.
But it has been known for smartcards to be shared, and for a number of smartcards to be issued with the same passcode. A database of millions of patients would be a more attractive proposition to the curious than a local one.
A commentator to E-Health Insider is not so sure that security under the NPfIT will be water-tight.
“It is surely also an urban myth that CfH [Connecting for Health] systems will automatically be better than local ones at controlling inappropriate access. Our existing system does have audit trail records, and Information Governance staff trawl through them, and recognise the user names, roles and current staffing issues. The audit trail is also available to be viewed by users on the record, so could be shared with the patient. How you can sensibly track activity across the whole cluster, or in SCR [Summary Care Record] case, country, is a puzzle, and not something I have seen detailed.”
The writer of this comment has a point. With a local system under local control, as at Newcastle, it's possible to see how NHS staff who break the rules can be caught and disciplined. But could the same be said of national systems that are under the control of nobody in particular?