Patient confidentiality policy for UK electronic health records

While electronic health records could provide valuable information in an emergency, they present patient confidentiality concerns. This Royal Holloway thesis examines the issue.

There are many complex security and privacy questions surrounding UK electronic health records. When is it right to presume consent from the patient, and when should explicit consent be sought before information is released?

Computerisation of the NHS and the centralisation of medical records could deliver huge benefits in terms of efficiency and access to information, especially during emergencies where medical staff need fast access to patient data. But the digitisation of medical records also creates a challenge for those tasked with protecting personal information and preserving the bond of confidentiality between doctor and patient.

Stephen Elgar, a project leader in the NHS for many years, chose this as the subject of his recent MSc thesis at Royal Holloway, University of London, and examined the procedures that have been developed in England to plan for electronic health record (EHR) security and privacy in the many data usage scenarios that could arise.

In an article based on the findings of his thesis, co-authored with his course supervisor Shane Balfe, Elgar explains the current state of patient confidentiality policy at the NHS in England.

As he said, patients may move house a number of times within their lifetimes, and their medical records can become fragmented following episodes of care with a sequence of different providers. To overcome this, the NHS has created a Summary Care Record (SCR) designed to improve availability of information for emergency care. The SCR contains information, such as active medication, allergies and contra-indications, and documents, such as discharge summaries, and is drawn from the patient’s long-term record held by his or her General Practice teams.

Given the sensitivity of these records, the prevention of their unauthorised use is of obvious concern to the patient and, for NHS care providers, gaining access to these records rests on acquiring the patient’s consent. This article provides some detail on strategies the NHS has used to acquire such access while maintaining patient privacy.

The feature is one of five being published this year in collaboration with RHUL.
