FairWarning®, the inventor and global leader in patient privacy monitoring solutions, has written an open letter to Dame Fiona Caldicott in response to the consultation process for her Information Governance Review. The letter argues that until it becomes mandatory for trusts to build patient privacy into NHS IT systems, the ever-present risk of major data breaches will remain - and the full patient benefits of electronic based healthcare will not be realised.
Based on the company's experience of working closely with healthcare organisations across the UK, the United States, Canada and France to protect patient privacy, FairWarning® has used this opportunity to offer its perspective on the critical issue of patient privacy, and to highlight its recommendations and key considerations to help secure and protect the basic patient right of data confidentiality.
FairWarning® key recommendations include:
- Making healthcare providers fully accountable for breach disclosure to patients and breach notification to the ICO
- Mandating trusts to build patient privacy into NHS IT systems by enforcing the mandatory use of audit trails across all healthcare applications
- The introduction of robust standards for audit trails
- Reinforcing a culture of privacy in the NHS through education and awareness
Kurt Long, Founder and CEO, FairWarning® commented "Despite recent data from the UK Information Commissioner's Office (ICO), revealing that data security breaches within the NHS have increased, there remains no legal requirement in the UK for providers to disclose to the patient when a privacy breach has taken place. This must be addressed as UK citizens have a basic right to know when their records have been inappropriately accessed and their privacy compromised."
According to FairWarning®, the biggest driver for improvements in patient privacy will be tighter legislation around disclosure and notification. When a breach has occurred, providers must be mandated to provide breach disclosure to patients, and breach notification to the ICO. This would bring a level of accountability to care providers that cannot be achieved by other measures such as random audits and fines.
Healthcare privacy laws in the rest of the world are being significantly strengthened and FairWarning® urges the UK to follow suit. For example, in the US, ARRA HITECH privacy legislation (2009) introduced strict guidelines around breach disclosure and notification and similarly, in Europe, pending legislation in the General Data Protection Regulation which will mandate the disclosure and notification of privacy breaches to individual patients and governmental organisations respectively.
The other key recommendations highlighted by FairWarning® include the need for the introduction of mandatory audit trails and robust standards. With no legal requirement for electronic health record vendors or applications to produce a robust audit trail, this means that when a privacy breach has occurred, neither the care provider, enforcement agencies or the patient have the ability to reconstruct who has been affected, to what extent damage has been done and how long it has been occurring. FairWarning® believes that mandating the use of audit trails across all electronic health records and applications would be the first and potentially most important step towards securing and protecting patient privacy.
To support this, the implementation of robust standards for audit trails will also be a key component in the delivery of an electronic healthcare model built on the principle of interoperable systems, which encourages the widespread sharing of data.
Concluding its response, FairWarning® emphasised that effecting meaningful change is as much a cultural challenge as it is a technological one, and agrees with the wider healthcare technology community that education, training and awareness of patient privacy within the NHS needs to be improved. This can be achieved through the introduction of clear guidelines on information sharing and privacy in order to help healthcare providers put the right practical measures in place.
"We welcome Dame Fiona's review into the protection of patient data," said Long. "Electronic based healthcare is among the most important advances of our times and acts as a powerful enabler, transforming how we plan and deliver care to individuals and populations. Given the rapid changes within the NHS it is vital for healthcare leaders to make sure they also become leaders in privacy protection. It plays a vital role in ensuring that patients build trust to protect the reputations of healthcare providers."
Studies suggest that improper access to patient records can do significant reputational harm to hospitals and damage the patient-clinician relationship. A recent survey of over 1,000 UK patients revealed that 86.5% of respondents believe a serious breach of personal data would do considerable damage to a hospital's reputation. 87.2% believe the NHS should monitor who looks at their patient records.
About FairWarning, Inc.
FairWarning® invented and is the global leader in Patient Privacy Monitoring solutions which guard against abuse of patient information in Electronic Health Records (EHRs) and Health Information Exchanges (HIEs) enabling care providers to confidently connect physicians, clinics, patients and affiliates. FairWarning® Patient Privacy Monitoring solutions are compatible with every major EHR and 185 applications used in healthcare including Allscripts, Cerner, Epic, GE, McKesson, MEDITECH, Siemens, and many others. Customers consider FairWarning® solutions essential for compliance with healthcare privacy regulations such as ARRA HITECH privacy and meaningful use criteria, HIPAA, EU Data Protection, UK Freedom of Information Act, California SB 541 and AB 211, Texas HB 300, Massachusetts 201 CMR 17.00 and Canadian provincial healthcare privacy law.