A non-disclosure agreement (NDA) designed to spell out clearly the duty to maintain the confidentiality of patient records could help to prevent breaches of confidence by staff not already bound by the Hippocratic oath or similar professional codes.

Dr Janis L. Huston, electronic patient record facilitator for the North London Cancer Network, showed a model NDA at a conference on IT and the NHS Plan in London this week. She suggested that everyone who had access to patient records could be asked to sign the agreement as part of a general strategy to tighten security.

“Most breaches are unintentional and occur when people are not thinking and not paying attention,” said Dr Huston, who has extensive experience of medical records in the US.

Talking in the lift or leaving notes around after a meeting were the kind of situations where breaches occurred, she said.

She suggested a set of simple safeguards to improve security including:
– changing passwords regularly;
– revising staff contracts to address confidentiality issues and be specific about the employee’s duty to maintain confidence;
– providing ongoing training;
– delineating and assigning access levels clearly.

Dr Huston emphasised the need to lay down security policies and enforce them consistently. Training was vital, but ultimately enforcement also meant dismissing staff who misused data.

For the future, she predicted more emphasis on security, more emphasis on patient rights, a move towards anonymised patient data and a move towards obtaining patient consent [for use of data].