Do we actually care about patient data & privacy?
Tomorrow’s Challenges are already Here
50 million patient records were shared from Ascension to Google recently (1). This has brought about a Federal enquiry into whether HIPAA protections have been fully followed. (HIPAA is very similar to the NHS’s Information Governance legislation.) (2)
The whistleblower, who was a part of the Google team on the project, was most concerned that the data being handed over was not ‘de-identified’, the term used for removing all personal details so that a patient’s medical record cannot be directly linked back to them.
Challenges of this sort are occurring more and more frequently as technology companies look to advance the delivery of care, but the governance frameworks are not unified even across our NHS, let alone at a more global level.
We have not quite got it right before in the NHS
The NHS has seen some major challenges when it comes to technology and infrastructure implementations.
We have already seen data sharing issues and breaches such as the NHS care.data scheme, which was closed after years of controversy, with its handling of key data-sharing issues being suggested to be disastrously incompetent (4), or the NHS data breach affecting 150,000 patients in NHS England in July 2018 (5). Then there was Google DeepMind’s inappropriate access to 1.6 million patient records (6), and further challenges when DeepMind then spun out its product to Google to commercialise (7), shifting over all data sharing agreements to the US giants.
There have been project failings, with the ‘National Programme for IT’ costing the NHS £12.7 billion (8); poor contracting, lack of buy-in from the end users and poor accountability were just some of the reasons for its failings (9).
Then there are clinical safety concerns, as seen with Babylon’s chatbot (10).
However, if we fail to get the fundamentals right NOW, we will give over any rights we have as citizens and patients over our OWN health and care data, in a similar vein to how we have given our data to the likes of Facebook without any rights (10).
History might be repeating itself
The use of digital technologies in healthcare has untold possibilities and can lead to better outcomes, services and delivery for all. However, the design and the implementation of these digital solutions are key to delivering safe and effective clinical care while looking after citizens’ privacy.
With technology companies looking to disrupt many parts of healthcare, which is what is needed, there are some core fundamentals which the healthcare systems need to make sure are maintained.
Some of the risks which have crept in:
1) Patient data sharing without consent or the appropriate governance:
The biggest area in which I have seen this is instant messaging solutions which encourage the end user, i.e. the clinician or nurse, to download the product and use it to share patient data.
However, this is occurring without the Trust or the NHS having oversight of which system is being used by which clinicians to share which patient data. If they do not have that oversight then how are they meant to protect patient data?
Essentially, what is being created here are social networks of clinicians sharing patient data (thinking that they are compliant; it is not even masked).
As a rough guesstimate, there are over 40 million patient data points a year shared through these systems without the appropriate governance, if their user numbers are to be believed.
This then leads on to the next big risk:
2) Business Models
As some technologies like the above ask clinicians to download them without any charge, and have taken on significant capital to market and develop their solutions, you are left with business models which are then reliant on data: 1) clinician data and 2) patient data, which can then be sold on to research, pharmaceutical and insurance companies.
It comes back to the old adage — there is nothing that is free in this world, there is always a price. The price here could be people’s data used as currency, their most sensitive data.
Transfers of healthcare data to big tech companies need to be shared with the public and made fully transparent, with monitoring by an independent watchdog, which in the UK context should be either NHS D or X and the Department of Health.
Patients must have the right to opt in or out. The uses of the data must be clearly defined for all to see, not just for now but for 10 or 20 years into the future.
Full Information Governance and Clinical Safety (DCB/MHRA) compliance must be enforced, and boundaries must be put in place to prevent third parties gaining access to the data without public consent.
In short, patients and the public have a right to know what’s happening to their personal health information at every step along the way.
Is it hard to solve? Not really. The banking sector has had most of this solved for quite a few years. But we first need to accept that this is a problem which we want to tackle at a system level, and then implement.
What we do now sets the precedent for all patient data for the future. So how much do we really care about patient data and their privacy?
About the Author
A GP trainee by background with a master’s in Paediatrics.
I am passionate about remodelling health and social care; not just in the NHS, but globally. I believe that health/med tech will help enable and underpin this.
Our work has been mentioned in the Parliamentary Bill to #PurgeThePager put forward by Matt Hancock, along with our study showing that each nurse and each junior doctor save 21 minutes and 48 minutes with Medic Bleep, of which I am the Founder.
I am also an Innovation Mentor for GP trainees and GPs at the Royal College for GPs alongside Faculty at Harvard Medical School for Postgraduate Teaching for Surgical Leadership and Innovation.
I am also a Member of the Faculty of Clinical Informatics and Faculty of Medical Leadership and Management.
I am also experienced in the running of nursing and care homes, especially looking at mergers and acquisitions along with transformation projects.
Find me on LinkedIn: https://www.linkedin.com/in/drsandeepbansal/