Security warning as NHS staff view celebrity record

Security of electronic records questioned as more than 50 NHS staff access star's file

An NHS primary care trust has warned of a new risk to the confidentiality of medical records under the National Programme for IT (NPfIT), after more than 50 staff viewed the electronic records of a celebrity admitted into hospital.

One of the main drivers for introducing electronic records under the NPfIT was that they could be accessed easily by health care staff from multiple locations.

The warning by North Tees Primary Care Trust raises questions about whether hundreds of thousands of NHS staff who would potentially be able to view electronic records under the NPfIT could have their access to information policed.

Systems that support electronic patient records - a central part of the NPfIT - produce audit trails of who has accessed what information. But it is unclear whether busy NHS staff would have the time to police audit trails.

North Tees Primary Care Trust said the unauthorised access by staff of patient records presents a "new security risk" under the Department of Health's Care Record Guarantee. The guarantee gives an undertaking to patients that access to records by NHS staff will be strictly limited to staff who "need to know" to provide effective treatment to a patient.

The trust said in a paper to its board, "A new security risk has been identified as part of the Care Records Guarantee. This risk is around staff inappropriately accessing records of patients who are not part of their care load. It was noted in an audit that a recent admission of a celebrity to a hospital had revealed over 50 staff viewing the patient record. Staff should only access records of patients with whom they have a legitimate relationship."

The document added that trusts have to demonstrate that regular audits are undertaken and that they have "disciplinary procedures in place to deal with breaches".

Computer Weekly has published evidence of a culture in the NHS that may be incompatible with tight security. Smartcards have been shared so that busy doctors can share PCs without having to log on and off each time. This can make it difficult to establish who has accessed confidential patient information.

A spokesman for North Tees Primary Care Trust said the accessing of a celebrity's records took place elsewhere, not within the trust. The spokesman was unable to give any details of the incident or where it took place.
