Patients’ medical records contain highly sensitive information — which is why data protection regulations are suitably stringent.
The Data Protection Act 1998 enforces regulations on all UK organisations and individuals classed as either data controllers or data processors.
And the Europe-wide General Data Protection Regulation hits the statute books in May 2018, bringing greater responsibilities and harsher punishments for non-compliance.
But a string of medical records mishaps left UK medics reeling in 2017. And patients are extremely concerned about their medical information getting into the wrong hands.
In March, the medical records of 26 million NHS patients were put at risk due to problems with IT systems in 2,700 GP practices.
Doctors had been switching on ‘advanced data sharing’ to enable legitimate collaboration with hospital colleagues.
But they were unaware that patient information was also accessible to a huge network of staff in care homes, prisons and pharmacies that had no right to view it.
An irate Information Commissioner directed NHS Digital to review the system so that information could only be shared with staff who had the appropriate security clearance.
Paper record problems
Paper patient records also have inherent data protection risks.
In June, 700,000 records referring to at least 1,700 patients were found piled insecurely in the warehouse of an NHS subsidiary company.
And the administrative cost of GPs carefully reviewing the missing notes was estimated to be £6.6 million.
Medical records and immigration
The British government has become increasingly concerned with immigration offenders accessing NHS treatment in recent years.
And in January 2017 it published a Memorandum of Understanding clarifying its legal right to request patients’ confidential medical records as part of Home Office investigations.
The move was criticised as heavy-handed by immigration support groups, but the Government claimed records would only be requested for limited, specified purposes.
Ethical staff behaviour
Data protection breaches can occur during the daily business of any busy GP surgery.
And the Information Commissioner has the power to prosecute individual workers found to be non-compliant.
A former NHS administrator was fined £400 with £350 costs in March 2017 for accessing the personal information of one patient inappropriately on 51 occasions and that of another patient on eight occasions.
But the breach of trust involved causes incalculable damage to patient confidence.
The way forward
The broad reach of digital systems magnifies the potential harm of medical data protection breaches.
But inappropriate storage and sharing of paper records also pose a problem for doctors’ surgeries with limited resources.
Investing in cost-efficient patient note storage systems from a firm like Invicta can minimise the risk of misplaced records and ensure paper alternatives are available when IT systems are subject to cyber-attacks and electronic glitches.
No doctor wants to hit the headlines for a data protection breach — but robust physical and electronic storage and increased staff awareness can help to restore flagging reputations.
Have you been affected by a business data breach? Share your stories in the comments section.