National Health Service agency admits to releasing information on 700,000 patients who opted out of nation’s new centralized medical-information database

In the United States, the debate is ongoing about how healthcare data is used while at the same time protecting patient privacy. The outcome of this debate will be increasingly important for medical laboratories because—in order to deliver more value—labs will want to combine lab test data with other sources of clinical information.

Thus, a similar debate over patient privacy and use of health data in the United Kingdom will be of interest to pathologists and clinical laboratory managers in this country. Recently, England’s National Health Service (NHS) came under fire for releasing information on about 700,000 patients against their wishes—a breach the NHS blamed on a lack of funding and “technical issues” encountered by the body responsible for overseeing the country’s big data initiative for healthcare.

700,000 Patients Opted Out of UK’s Centralized Medical Database

The Health and Social Care Information Centre (HSCIC) has admitted to Members of Parliament that medical details from as many as 700,000 patient records have been shared with organizations and companies, despite the fact that those patients opted out of NHS England’s new centralized medical database, Care.data.

The HSCIC said that it “does not currently have the resources or processes to handle such a significant level of objection” and that it also encountered “technical issues,” according to an article in The Guardian.

The HSCIC has acknowledged that the data release occurred because the government agency failed to log requests from up to 700,000 patients who opted to “not” pass on their medical record details.

It’s a Mess

“Obviously, if there are technical difficulties that HSCIC are experiencing they must be resolved, and it is their responsibility to make sure patients are protected. But basically it is a mess,” stated Beth McCarron-Nash, M.D., UK General Practitioners Committee Negotiator at the British Medical Association, in a British healthcare journal Pulse article.

Beth McCarron-Nash, M.D

Beth McCarron-Nash, M.D., UK General Practitioners Committee Negotiator at the British Medical Association, is expecting the National Health Service’s Health and Social Care Information Centre (HSCIC) to end the missteps that led to medical information being released from patients who opted out of the health-information database. (Photo copyright GP magazine.)

Phil Booth is “director of data rights advocacy group medConfidential”, according to Pulse and also, “sits on the Care.data advisory group.” In the Pulse article Booth said, “The material fact is, hundreds of thousands of people, last January, February, March, exercised their right to opt out of having their data passed on by the HSCIC, and that has not been respected.”

No Legal Recourse for Patients

Because HSCIC is a government agency, it’s likely that patients affected by the data breach will not have any legal recourse. However, had a private company in the United Kingdom or in the United States similarly failed to respond to the requests of 700,000 consumers, it would probably be the target of civil lawsuits by aggrieved patients, not to mention regulatory enforcement action by government agencies.

NHS England has promoted the information-sharing initiative as a way to improve the quality of care, guide decisions on allocating resources, ensure NHS organizations receive the correct payments for the services they provide, and better understand the health needs of its residents. Pilot programs initially were to be rolled out in 2014, but they were delayed until last month when patient groups raised objections over privacy concerns.

NHS Accused of Intending to Share Patient Data

Ars Technica UK, a digital publication devoted to technology, wrote that HSCIC’s plans for the potential treasure-trove of healthcare information go beyond improving the national healthcare system. The publication reported that HSCIC “also intends to provide data to third-party companies.”

It may not be surprising that NHS England patients are concerned about how their medical information might be used. Last year, the HSCIC acknowledged it sold 13 years of hospital data covering 47 million patients to the insurance industry. In response to the public outcry over that disclosure, new rules were put in place to prevent such a sale of patient data from happening again, Ars Technica UK reported.

The Care.data program has been controversial from its inception in 2013, with physicians criticizing the plan for lacking adequate safeguards and requiring patients to opt-out rather than to opt-in to the program. In addition, NHS England’s original public awareness campaign for the initiative fell short when it mailed a pamphlet to patients titled “Better Information Means Better Care.” The leaflet, however, is estimated to have gone unread by two-thirds of the nation’s 22 million residents.

Ars Technica Contributing Policy Editor Glyn Moody

Ars Technica Contributing Policy Editor Glyn Moody believes England’s new centralized database of medical record information called Care.data, will be a “tempting target” for data thieves. (Photo copyright Ars Technica.)

MedConfidential, which formed in response to confidentiality concerns surrounding Care.data, is spearheading an information campaign against the initiative and providing detail instructions on how patients can opt out on its website.

Patient Data to Be Made Available for ‘Ill-defined Purposes’

“Identifiable medical information will be extracted from the GP (general practitioner) record of every man, woman and child in England,” said Booth in a medConfidential blog post, reported the IT Pro article. “This data will be centralized, linked with information taken from other parts of the NHS and made available to an open-ended array of organizations and companies for ill-defined purposes.”

Security concerns also surround the formation of a centralized healthcare database, which Contributing Policy Editor Glyn Moody described in his Ars Technica article as a “tempting target for data thieves—assuming that the UK government doesn’t just lose them by sending them through the post.”

“Even if data is released and used in an anonymised form, it is hard to protect privacy,” Moody wrote. “Care.data would be a steep challenge for any team, never mind for one that has so far managed to produce what Wired UK last year called a ‘shambles.’ The latest news suggests the situation has not improved, and [now] is turning into an omnishambles,” Moody concluded.

Healthcare policymakers in the United States would do well to study the lessons being learned in the United Kingdom about the public’s reaction to how healthcare data is stored and shared. Patient’s desire for privacy and restricted access to their medical records will be in direct conflict with the needs of healthcare providers to accumulate large volumes of clinical data to use in population management and for similar clinical purposes.

—Andrea Downing Peck

Related Information:

Main Milestones in Controversial Health-Data-Sharing Scheme

NHS Overriding 700,000 Patient Opt-Out to GP Data Being Shared

NHS Data Released Against Patients’ Wishes, Admits Data Body

Up to 700,000 NHS Patients had Their Data Released, Despite Opting Out

Care.Data Restart Announced

NHS Tops List for Serious Data Breaches Last Year

Access List for National Hospital Records Database to Be Published

NHS England Names Care.data Pilot Programme Areas

Your Health and Care Records