WRITTEN ON February 5th, 2008 BY William Heath AND STORED IN Foundation of Trust, Political engagement, Transformational Government, What do we want?

In the wake of the HMRC data fiasco I wrote to my MP about my concerns about centralised health records. Jeremy Hunt replied within 18 hours (which must be some sort of record), wrote to the Minister, and has now forwarded me the reply – see below. Dear Jeremy (Ben Bradshaw writes)

Thank you for your email of 30 November to Alan Johnson enclosing correspondence
from your constituent Mr William Heath…about the security of patient data in the NHS.

Complex health care requires modern IT support. The best research-based estimates
suggest that, in NHS hospitals alone, adverse events that cause harm to patients
occur in ten per cent of admissions. The information that enables safe and efficient
care is not always available under current systems. Medication errors, poor record
documentation and communication failures are among the top five causes of harm to
patients.

The new IT systems and services being delivered by the Department’s NHS
Connecting for Health agency via the National Programme for IT in the NHS, with the
NHS Care Records Service (NHS CRS) at its core, will ensure easier and constant
access to up-to-date information that will enable efficient diagnosis and treatment.
The new systems will contribute to a reduction in the rate of errors by providing
decision support, as well as tools that can improve communication and reduce drug
transcribing errors. They will mean fewer lost records and test results; fewer
unnecessary repeat procedures; more and better self care by patients able to access
essential information about themselves; and improved confidentiality compared with
that offered by paper filing, with associated cost and time savings from cutting down
on filing and storing of paper files. These are the benefits against which concerns
about security must be balanced.

A key reality is that the NHS is already heavily dependent on the use of stand-alone
IT systems for holding patient information. However, by contrast to many existing
systems, the new systems and services incorporate stringent security controls and
safeguards to prevent unrestricted or uncontrolled access to personal information.
Access is controlled via a unique user identity, involving a passcode and ‘smartcard’,
which can only be obtained on verification of identity and through a formal user
registration process. Only those NHS staff that have a legitimate relationship with a
patient will be able to see that patient’s health record.

Under arrangements known as ‘role-based access control’, access to a patient’s care
record is limited to only as much information as is needed for the purpose of the care
required by the patient.

In addition, up-to-the-minute security protection has been designed in and across the
system, and international security standards are applied across all system
implementations. These include the use of encryption with communication links
between systems, and to user interfaces with systems. The quality of both the logical
and physical security of data centres is assured by using both international and British
standards, and all suppliers to the National Programme are contractually bound to
audit their adherence to these.

Over and above these safeguards, the NHS maintains an effective liaison with the
UK’s information security authorities and others for the sharing of relevant advice and
guidance on known information security threats and vulnerabilities.

Implementation of the NHS CRS will have no implications for the rights of patients,
under the Data Protection Act 1998, as far as accessing the information held about
them by NHS bodies. Information will in fact be made more accessible when future
plans are realised for a web-based function called Healthspace
(www.healthspace.nhs.uk). This will, in due course, enable patients access to their
own NHS Care Record, subject to the patient’s consent and the availability of a robust
security and authentication process to ensure that the privacy and confidentiality of
sensitive clinical information is not compromised. Individuals living in ‘early adopter’
areas will soon be able to view a summary of their medical records online.

For safety and ethical reasons, there are very strict rules on altering clinical records,
though health professionals are required to make a note within a record if a patient
disagrees with what has been written. Complete records are essential to protect the
interests of patients and staff, including ensuring that claims of negligence or
malpractice can be investigated. In addition, information contained in records may be
needed to explain why subsequent decisions were taken.

More generally, NHS Connecting for Health’s website
(www.connectingforhealth.nhs.uk) contains an enormous fund of material about every
aspect of the Programme, with a dedicated enquiries team and facilities for fielding
requests for general or specific information on any facet of the agency’s work.

I would urge your constituent to read the Care Record Guarantee, a copy of which I
enclose for his information, so that he fully understands the safeguards that are being
put in place to provide far greater security and confidentiality than has existed in the
NHS in the past. I have also enclosed an information leaflet, which explains what it
will mean for your constituent’s future care if he does not have an NHS Care Record.

If Mr Heath remains concerned about his details being entered onto the NHS Care
Record, it will be possible for him to prevent this from happening. The national
database will be created initially by transferring a limited amount of information from
GP records.

It would be helpful if Mr Heath would ask his GP in writing to ensure a note is made of
his concern and distress and the choice he has made. This is because when the
service starts up in the area, it is his GP practice that will be responsible for the
decision to enter care records on the system.

If Mr Heath is not familiar to his GP practice, he may be asked for some form of
identification. The practice will need to keep a record of his choice and may ask him
to sign a form indicating that he understands and accepts that the NHS may not be
able to treat him as safely or efficiently as others in circumstances where the NHS
Care Record will enable that.

At the time that the NHS Care Record is introduced in your constituent’s area,
Mr Heath’s views will then be known to his GP, who will be provided with guidance on
what he or she needs to do. In the meantime, if local GPs have any questions about
this process, he or she can get advice by e-mail from Professor Michael Thick, the
doctor responsible for safeguarding patient information within the NHS IT Programme,
at: michael.thick@nhs.net. Further information about the NHS CRS is available at
www.nhscarerecords.nhs.uk.

Although there are a small number of health communities that will be affected in 2007,
it is probable that the electronic NHS Summary Care Record will not be created for
the health community where your constituent lives before 2008. When it is introduced
in your area, your constituent will be informed by a letter to his household and other
communications at least two months prior to its introduction, so it is likely that he will
have time to consider this matter further.

We strongly believe that the NHS CRS is a necessary component of the healthcare
that should be provided by the NHS in the 21st Century and we would ask your
constituent to think carefully before making his final decision.

With best wishes

BEN BRADSHAW

Enclosures:-

RISKS AND PROTECTIONS

Staff disclosing information. The NHS already shares information widely and
most NHS staff are honest and trustworthy. However, there are occasional
problems with staff accessing records and disclosing information inappropriately.
With the new NHS systems, the number of staff who will have an opportunity to look
at your clinical records when they should not will be greatly reduced. Only staff with
smartcards can log onto the new NHS systems. This allows the NHS to track
precisely who has done or seen what – and you can ask for this information. Unlike
today, staff will have to be involved in your care to access your records and they will
only see information appropriate to their role.

Hackers. Safeguards that will protect the Summary Care Record from hackers have
been designed by security experts. They are far stronger than the safeguards in
place anywhere within the NHS today.

Wrong information. It is important that the information about you is accurate. All
data that goes into a Summary Care Record will have to pass quality controls. It is
also possible for you to check your record and point out any remaining errors.

Access by the state. No other part of government would have direct access to your
Summary Care Record. As now, any information from your record that the NHS
gives to others, such as the police, would be very strictly limited by law. in fact, the
Summary Care Record gives the opportunity to improve things by ensuring that any
such disclosures follow consistent procedures and are recorded and monitored.

More control by the patient. The greatest safeguards for your Summary Care
Record are that you will be able to see it yourself, know who else has seen it, and
have more control than ever before over what it contains and who has access. You
can ask for it to appear as a blank screen, or ask for information to be removed or
not added in the first place. Later on, additional controls will allow you to let staff see
some parts of your Summary Care Record, but not others.

The first Summary Care Records will be launched in spring 2007 in one Primary
Care Trust and slowly build from there. The Department will proceed with caution
and learn from these early adopters. Yours will, of course, not be created when this
happens.

The Department hopes that the information provided has made clear the practical
results of your decision. Please be assured that the Department of Health is
committed to honouring your decision and doing all it can to ensure you get the best
healthcare possible. You can, of course, change your mind at any time. We urge
you to review your decision from time to time.

IF YOU DO NOT HAVE A SUMMARY CARE RECORD

You have decided that you do not want to have a Summary Care Record. The NHS
will do its best to provide you with safe, efficient care whether or not you have a
Summary Care Record. The purpose of this information sheet is to ensure that you
are clear what your decision could mean for your NHS care.

The Summary Care Record’s purpose is to ensure that anyone treating you has
basic but important information about you, especially when care is unplanned,
urgent or during evenings and weekends. At first this would be limited to your
current medications, known allergies and any bad reactions to medicines in the past.
When you next saw your GP, important information about conditions such as asthma
or diabetes could be added if you agreed. Over time, other significant information
such as referrals, discharges, and test results could be added if you wished.

The information in your Summary Care Record could save you and the NHS time,
but could also one day save your life. The NHS has significant problems now with
lost records and test results, treatment and prescribing errors. They lead to
thousands of preventable deaths and injuries every year.

With a Summary Care Record doctors and nurses would know at a crucial time:

what medications you are taking, especially if they are many and complex;
what medications have not agreed with you in the past;
whether you have any allergies;
whether new medications they prescribe may react badly with things you are already taking; and
that you have a condition that means you should not have certain medicines.

In addition, you would have the benefits of:

round-the-clock access to your own Summary Care Record through
Healthspace, to check it for errors and to see what those who are treating
you have recorded; and
peace of mind that wherever in England you needed care, anyone treating
you would have essential information even if you were distressed or did not
remember details.

Later on, as your Summary Care Record developed, you would be able to use it to:

see your test results as they come in;
check that your referral letters have been written;
remind yourself about important things said to you about your treatment; and
inform NHS staff about your needs and how you want to be treated.

It would be misleading to pretend that there are no risks to information held in the
Summary Care Record. However, it is also misleading to suggest that not having
such a record is risk free. Substantial work is taking place to modernise the NHS,
including the introduction of the Summary Care Record, in order to reduce errors,
save lives and improve health outcomes for a great many people. Modernising and
computerising the NHS also brings with it new safeguards to ensure that information
in your records is held more securely than in the past.

Ends