Catering staff given access to electronic health records

The Irish Independent says that catering staff were able to access confidential patient information held on a £54m health service record system which is being rolled out across Ireland.

The disclosure, under the Freedom of Information Act, has implications for the roll-out of Summary Care Records in England, as part of the NHS IT programme, NPfIT.

Smartcards for access to the Summary Care Records and other NPfIT systems are issued on the basis of “role-based” access. The idea is that only those staff with a legitimate professional relationship with the patient can use their smartcards to access that patient’s records.

But local operational procedures may require that secretaries and reception staff who collect information on patients have smartcards.

They could be said to have a legitimate professional relationship with patients; and it could be said by some trusts that caterers have a legitimate relationship with patients if they are to ensure that special diets – diabetic or low-fat – are served.

It’s not inconceivable, therefore, that under the NPfIT, some trusts may give catering staff access to the system.

In Ireland, an audit found that hospital catering staff at Kerry General Hospital had access codes to the iSoft-based Integrated Patient Management System [IPMS] which is used by 10 acute hospitals and 20 health service centres.

They were able to access “patient activity history, including admission, discharge; name, address, GP, and a patient’s clinical data”. No clinical data had, at the time of the audit, been uploaded.

The audit is said to have warned of five “high-level” security risks in the IPMS.

Fine Gael health spokesman Dr James Reilly said that unless doctors and patients were confident that information would remain confidential, they would not co-operate.

“IT and the further development of it in the health service is critical, but patient confidentiality has to be of the utmost importance,” he said.

“People give information to doctors to get the best treatment available to them, and they don’t expect their personal details to be accessible to others.”

Only “appropriate authorised personnel” can now use the system.


A separate article on the IPMS system in Ireland, published by the Sunday Business Post Online, says that the technology has been hit by “operational problems”.

It quotes in more detail the same audit findings which were referred to in the Irish Independent’s article. 

As a result of the problems, the IPMS is “now being rolled out differently in each location across the country, rather than centrally”.

The audit states that the differences between how hospitals operated the system were “fundamental” and would cause considerable difficulties if the health service in Ireland, the HSE, ever tried to link IPMS into a national database of patient records.

It’s reported that the audit gave no assurance that the IPMS could meet its stated requirements for a single nationally integrated system.

A lead officer at the health service in Ireland’s technology directorate said that work on the development of an ICT strategy had been “stalled” for some time. It added that the national healthcare agency “did not have a national director of ICT in post for a lengthy period”.

Ireland’s Health Service Executive entered into a deal with global technology provider iSoft three years ago to roll out the system to more than 50 hospitals in the country.

ISoft did not comment on the contract due to a nondisclosure agreement, said the article.

Caterers had access to patient files – The Irish Independent

Major flaws in €60 million HSE computer system – the Sunday Business Post Online

No qualifications needed to access NPfIT database – IT Projects Blog