Guide to HIV Healthcare Confidentiality

posted: 15/12/2010

A new guide for people living with HIV explains your rights to confidentiality in healthcare and what you can expect. The guide, Personal information and the NHS, goes through common concerns people living with HIV have about how the NHS treats the privacy of information about HIV status.

It explains how personal information will be handled, and gives practical advice about what to do if people have any concerns.

Know the facts and take action

This guide helps people with HIV understand confidentiality and privacy rights. It encourages people to ask questions and make concerns known, which NAT hopes will help improve things for everyone. If a person with HIV feels that their personal information has been mishandled, armed with the facts in this guide, they can take action.

Confidentiality is protected in the NHS in the following ways:

• NHS staff should not talk about someone to anyone else either inside or outside the NHS without the patient’s consent; this includes talking to family members and friends of the patient
• NHS staff should not leave names visible anywhere. They should therefore cover up names on paper files or close computer screens and electronic medical records
• All paper records should be kept in a secure place and all computerised records should have electronic protection, such as secure logins and passwords.

Deborah Jack, Chief Executive of NAT (National AIDS Trust), told us:

‘Many people living with HIV have experienced concerns relating to confidentiality of their status and in healthcare this is especially important. In order to receive the best healthcare, sometimes this does mean sharing your personal information but people living with HIV should be able to do that and feel confident that their information will only be shared appropriately and with their consent. NAT has developed this guide in order to set out the basic principles of confidentiality within the NHS, as it can be a confusing area and many people do not fully understand what the rules – or their rights – are.’

guide: Personal information and the NHS is here
 

NAT's policy report Confidentiality in healthcare for people living with HIV provides useful background 

Removing Your Electronic Medical Record

posted: 26/05/2009

NHS patients can now delete the electronic summary of their treatment from the new national medical database.

The decision represents a significant concession in data protection policy following talks between health service officials and the Information Commissioners' Office (ICO).

Until recently the Department of Health resisted pressure from sceptical patients and doctors critical of the security risks generated by confidential records being transmitted across the NHS broadband computer network known as the Spine.

Many people with HIV have significant concerns that news of their HIV status could become widespread or that the data could be made public, lost or misused.

Department of Health changes of mind

Only last month, officials described the cost of deleting individual summary care records (SCRs) from the system as prohibitive. The Department of Health had offered instead to "mask" or "suppress" unwanted files, making them difficult to access – a process that would nonetheless leave personal details on the database.

SCRs are being introduced as part of an NHS-wide initiative being rolled out across the country to provide clinical staff with information on those they treat.

Any doctor or nurse will have instant access to a summary of a patient's past medication, adverse drug reactions, allergies and conditions – which could be useful if that patient is unconscious or unable to recall vital details.

SCRs are also being used to record confidential treatment requests including end of life plans, where people ask to be allowed to die at home or enter instructions such as "do not resuscitate".

Bolton and Bury in first wave

Pilot schemes began in Bolton and Bury, and so far more than 280,000 SCRs have been created nationally. The Department of Health says that 98% of people who have had the advantages of SCRs explained to them are in favour.

But Dr Gillian Braunold, a medical director of the programme, acknowledged that "a significant minority" of people "don't want to have a summary care record". The new position, she said, was that "the deletion option is there if [individuals] are not happy … They can choose to have [their SCR] deleted physically."

The only exception would be if the patient's SCR file had already been used, in which case it would be archived for "medico-legal" reasons, she added.

A few rebel GPs have been encouraging patients to opt out en masse. There are worries that an individual other than relevant clinical staff could gain access to such sensitive data.

One Hampshire GP, Neil Bhatia, has asked the ICO whether it considers the SCR policy is consistent with data protection principles.

Opt Out or Delete

Connecting for Health (CfH), the NHS agency developing the records system, had already granted patients the right to opt out of the scheme at an initial stage – resulting in no SCR being created.

The latest complex issue concerned whether those enrolled on to the SCR database should subsequently have a right to have their file thoroughly purged from – rather than merely "masked" within – the system if they withdraw consent.

The dispute was resolved in talks between the Information Commissioners Office and Connecting for Health. The Information Commissioners Office has usually decided that personal information that is no longer required should always be deleted.
 

Source

A HIV+ Nurse, Human Rights and the NHS Database

posted: 15/09/2008

The NHS could be forced to completely rethink its £6 billion patient database, because it is unlawful under the European Convention of Human Rights, it has been claimed.

A nurse in Finland living with HIV found her confidentiality was broken when other health service workers searched medical records and discovered her HIV status. She took a case to the European Court for breach of privacy. The Court has now ruled that punishments for misuse of data are not enough to ensure people's confidentiality.

As a result, campaigners say, the NHS database could also be in breach of Article 8 of the convention, which protects the right to privacy.

The ruling concerned the case of a Finnish nurse whose colleagues discovered she was HIV positive after illegally accessing her health records. The court ruled that laws which allowed the nurse to sue for damages were not sufficient to protect her privacy. 'What is required in this connection is practical and effective protection to exclude any possibility of unauthorised access occurring in the first place,' it said.

The NHS database will use smartcards and passwords to ensure that staff can only access records where they have a relationship with a patient. These will create an 'audit trail', documenting any misuse of data. A spokesman for Connecting for Health pointed out that existing paper records have no such safeguards. The agency 'has supported higher penalties for the inappropriate accessing of patient data when it is malicious,' he said.

UK courts are required to take account of rulings from Strasbourg.

If a judge were to issue a 'declaration of incompatibility' with EU law, parliament would be forced to rethink the database.

Dr Paul Thornton, a GP in Warwickshire and campaigner for patient privacy, called on the DoH to abandon its plans for a single NHS database. If the system is to be lawful, the DoH 'will have to change its design to a lot of small, secure databases ',he said.

Professor Douwe Korff, a professor of international law at London Metropolitan University, described the ruling as a 'time bomb.' 'It shows it isn't good enough to say "this shouldn't happen",' he said. 'The government needs to take reasonable measures to ensure patient confidentiality.' Professor Korff added that the use of penalties for inappropriate data access often failed in practice. There is evidence that some NHS staff leave their computers logged on to save time. Others will ask colleagues for patient details by phone, citing computer problems, he said.