HippocratesPeter Singleton

The principle of medical confidentiality has been around since the time of Hippocrates (right), who swore: "Whatever, in connection with my professional practice or not in connection with it, I see or hear, in the life of men, which ought not to be spoken of abroad, I will not divulge, as reckoning that all such should be kept secret".

Like many sweeping statements, the devil is in the detail. Clinicians since Hippocrates have struggled to balance their obligation to the patient with wider obligations to the patient’s family and the wider public. In some cases, such as infectious diseases, doctors are required by law to inform the authorities when a patient has a notifiable infection – so the principle of confidentiality is not absolute.

However, the practice of medicine has changed since Hippocrates. The NHS is public and provides care on a wide-scale; medicine is generally provided by ‘teams’ rather solitary individuals working from their own experience; patients and politicians expect more from clinicians; and the GMC will hold doctors to account. We need medical records to ensure good treatment not only for the individual, but also to learn more about illnesses and the effects of treatment, as well as to establish what really happened when things go wrong.

The principle that Hippocrates raised is still valid, though how we interpret it now may be different. The individual doctor has every right to record consultations in order to protect their interests if the patient (or their family) should come back and complain about their treatment – though they have flexibility in how they phrase matters, which may help address patient concerns.

The NHS also has a duty to oversee what doctors and other healthcare professionals do, both to protect the public (and we should not forget Harold Shipman at this point), and to learn from the actual practice of medicine and healthcare to improve the provision of care in the future. The National Health Service (General Medical Services) Regulations 1992 require GPs to keep medical records to meet this obligation.

The difficulty is balancing the opposing rights and duties of running a decent healthcare service against the personal rights and wishes of the public. We can have a high-quality and well-regulated health service or a highly confidential service where data is not shared when needed, but trying to have both may be impossible, and certainly expensive. We may prefer to spend the extra on healthcare rather than building the ultimate in confidential medical records systems.

Consent and choice

Peter Singleton
Peter Singleton, Cambridge Health Informatics
This does not mean that there cannot be some choice, only that the choice may necessarily be limited by what is practical and affordable.

Allowing people to opt-out of the NCRS should be possible, but there are some subtleties. If you have opted out, but turn up unconscious at A&E after a motor accident, and the clinician looks for your details as an emergency case, what should the system tell them?

"Sorry – system cannot retrieve records" is probably the best answer, leaving the clinician to deal with you as best they can knowing nothing about your past – hopefully all will be well, but then they will record your details on the NCRS system, not knowing that you don’t want them there.

The alternative is that the central system has to know about you and that you don’t want your medical details recorded in order to tell any local systems not to pass on your medical details. You still have a central record – it just isn’t useful.

"Where one is trying to balance preserving life and limb against privacy, one should probably err on the side of the former rather than the latter"

— Peter Singleton

And what if you change your mind – especially if you are conscious at A&E, and the medics need to know what drugs you are taking but you cannot remember and the drugs are lost in the car crash or at home?

The design of the NCRS tries to solve this by a simple arrangement known as the ‘sealed envelope’ – you can put as much or as little of your record into this as you wish, so that the information is not normally available, but in an emergency a doctor can override the system to find out what is needed. When they do this, it will be tracked and they have to be able to justify taking this step.

This is not bullet-proof – one can invent circumstances or scenarios where this might be abused – but where one is trying to balance preserving life and limb against privacy, one should probably err on the side of the former rather than the latter.

The ‘sealed envelope’ may seem a bit crude, but at least it is a good starting point and is easy to explain to the public – if it proves to have flaws, then hopefully we can adjust the system to be more flexible or restrictive as necessary, but at least we can start having a better healthcare system in the meantime.

There has also been a lot of commentary about the decision to go for an ‘opt-out’ process rather than ‘opt-in’, in that data is stored on NCRS regardless and will be shared unless you actively object or take steps to use your ‘sealed envelope’. There are two good reasons for this: necessity and efficiency.

It is necessary because otherwise there are unlikely to be enough records available initially to make it worthwhile for clinicians to use it; and if they don’t use it there won’t be more records or data on the system – a vicious circle – normally called a ‘network effect’ in that, like faxes, it only becomes effective once nearly everyone has one.

It is efficient because it is clear that most people are content with the arrangement – and are unlikely to get around to signing up until too late – everyone hopes that they will stay healthy until something happens. Writing to everyone in the country and sending follow-up letters until they respond positively or negatively would cost a fortune.

Writing to people and letting the minority who object take action means that we save money for healthcare and respond to those who have a reason to take action rather than badgering those who would simply prefer the NHS to get on with providing a quality service.

It is not a question of coercion or forcing people to ‘consent’ – it is a matter of providing choice as effectively as possible. It may be a chore for the objectors to register their objections – but why put the reverse onus on the majority who don’t object or are happy to have their records shared in their best interests.

Data quality and correcting errors

"The NHS has generally had enough problems sharing data at all where it needs to do so"

— Peter Singleton

On the other issue about correcting errors, the Data Protection Act 1998 places an obligation on all ‘data controllers’ to keep accurate records. If there is a blatant error, as is the case here, then the NHS organisation has a duty to correct it and may be obliged by court order to do so.

There is a caveat – the data may be accurate in that it records a misdiagnosis, which did indeed occur, but was a wrong diagnosis – under these circumstances, a court may order that the information is supplemented with a note of the true facts (e.g. that the patient turned out not to have terminal cancer).

Further a court may order that the ‘data controller’ must notify any third-parties to whom the erroneous data has been disclosed – with a presumption that they too will correct the error in their records. But this is only when the court decides that it is reasonably practicable to do so, having regard, in particular, to the number of persons who would have to be notified. For the NWCS, this could be a considerable amount.

This seems to have been an issue from the brief comments made by Mrs. Wilkinson in the interview where reference is made to ‘Excel spreadsheets’ – presumably held by researchers rather the native storage for the NWCS!

In Mrs. Wilkinson’s case, it should be possible to correct the error at UCLH and in the NWCS, but identifying where her information has been sent is likely to be more problematic. Generally, the data onwards from NWCS would not be used for clinical purposes, so Mrs. Wilkinson is unlikely to have a clinician think that she has been an alcoholic.

In most cases the data should have been aggregated or at least anonymised, so there should be little problem there, except that poor data quality means poor resource planning and possibly inaccurate research.

Research users of NWCS data are numerous, but subject to review by the Security and Confidentiality Advisory Group (SCAG) which will only allow access to identifiable data where absolutely necessary for the purposes of worthwhile research.

The NHS has generally had enough problems sharing data at all where it needs to do so, yet alone tracking where it has gone, so that such errors can be corrected. We run into a question of ‘proportionality’ – is the risk to Mrs Wilkinson’s reputation and well-being such to warrant developing such systems? On an individual case probably not, but it is an aspect that should be designed into new systems as much for data quality as confidentiality reasons.

One of the early trials of electronic health records at the Bury Knowle practice showed that a significant number of errors do occur – hopefully few would actually lead to actual medical harm, though clearly some can lead to embarrassment! One of NPfIT’s systems is Healthspace, where patients should be able to add additional information and review their records; but there needs to be a mechanism to manage error-reporting and correction/annotation about the error.

The question of data quality is key, and the benefits of allowing patients to see their own records, as is the case here, should allow corrections to be made for the benefit of all concerned.


Today programme interview with Helen Wilkinson and John Hutton, 31 March 2005
[Real Audio player required, 8m 25s]

E-mail from Phil Walker [PDF, 12K]

Related stories

Practice manager finds no opt-out from NCRS
Comment & Analysis: Can you keep a secret?