Focus on ...

Data Protection

Data Protection

Protecting the Patient

This month’s eMessenger topic is data protection, in particular relation to Electronic Health Records (EHR). Our expert this time is Dr Gillian Braunold, a UK-based GP. She has a leading role in NHS Connecting for Health and is heavily involved in the Summary Care Record Early Adopter programme.

It is generally agreed that accurate record keeping and the controlled dissemination of such information are crucial to the provision of effective healthcare. It is also agreed that privacy is the cornerstone - and this raises some issues.

Dr Braunold strongly believes that the use of EHR means that “clinicians will share more efficiently”. But, given her area of expertise, she is aware of potential problems. She has been in discussion with government for some time and is candid that “there can be problems with over-complexity. We have to keep systems as simple as possible. This is not a financial issue but a simplicity issue.

“After two-and-a-half years of discussion you tend to get into so many minutiae that you have angels dancing on the head of a pin.”

She added: “With some of the systems for both EHR and the protection of information, the doctors and nurses who will actually use these systems look at you in horror. It’s deemed as so complicated, as are the issues of explaining the systems to patients.”

Data ‘ownership’

And who actually ‘owns’ the records? Is it the patient, the GP, the NHS or, by default, the State? Dr Braunold admits that there is no single answer. “In a local practice then you could say that it belongs to the GP, but as it moves elsewhere it’s in the hands of the data controller on that system.

“We must allow patients to know where their records are going but this will get more and more difficult. And you do have cases where some doctors don’t want to share the information they have with the patient - as it becomes harder to manage. There is a fear that patients will be calling up three or four times every week with concerns and questions.”

Nevertheless, Braunold is insistent: “We must tell patients that we are sharing these records and that they have the right to see them.”

Implied consent

So do most patients know this and agree to it?

“There is a model of ‘implied consent’ [in which the patient is deemed to consent to the exchange of his or her medical data],” unless he or she actively opts-out. In this, Braunold clearly follows the ethical argument of ‘the greater good’, but adds crucially that “there must be an opt-out available to patients to enable the balance”.

So does the concept of EHR need to be hard-sold to patients worried about who is reading their records? Dr Braunold says this is not practical. “Patients can have the EHR concept explained when they visit their doctor. There should be no need for a hard sell.”

Most experts agree that patients are generally deemed ‘the masters’ of their records. Except that this is not always the case. The doctor gave a poignant example: “If I can see from your data that you are going to develop, say, Huntington’s Chorea – you haven’t got it yet, but you will get it – I am not going to inform you unless I can arrange for a counsellor to be present at the time.”

So, in certain circumstances, it is on record but knowledge could be held back from the patient through a doctor making an ethical choice.

In reverse, there will be situations in which a patient doesn’t want information on record. Patients could be given the right to opt-out from having information shared. But couldn't this be used to deny individuals the right to treatment or care? The doctor offers a perfect scenario: “If a wife is using contraception and she doesn’t want her husband to know because he doesn’t approve, well, she would presumably prefer to keep that private. The medical profession should not indulge in emotional blackmail to block that choice.”

The ethics are clear, then.

Finally, on the crucial matter of how to protect classified information from the likes of researchers, employers and commercial organisations, Dr Braunold is emphatic: “There are data laws, of course, but they need strengthening and certainly more and tougher sanctions applied to any abuses.”

“We are raising these issues at high level and government needs to carry on listening to us,” she adds.

Dr Gillian Braunold is a General Practitioner in Kilburn where she was a longstanding vocational trainer. She was chair of her local LMC for fourteen years and has been the elected representative for Central and North London of the General Practitioner‘s Committee (GPC) of the BMA since 2000.

During that time she has been deputy chair of the Joint GP IT Committee and a member of the BMA IT Committee. She is a performance assessor for the General Medical Council.

In November 2004 she was appointed Joint National Clinical Lead for General Practice within NHS Connecting for Health. She is Clinical Lead for the Summary Care Record Early Adopter programme.

Fuelling the Debate

Our second opinion is voiced by Jacqueline Bowman, Communications Director of the Brussels-based HIMSS EMEA team.

Jacqueline Bowman says that her organisation is delighted that the Perspectives opinion this month comes from Professor Georges De Moor. The professor recently gave an informed and well-received eSeminar lecture on behalf of HIMSS EMEA.

“This was certainly timely,” says Bowman, “as the topic of data protection, especially in relation to Electronic Health Records (EHR), is currently high on the healthcare agenda.”

Asked what the issues are, in her view, regarding data protection, Bowman mentions a wide range: “Debate is currently raging as to matters such as cost, interoperability and, vitally, protecting classified information from the likes of, say, researchers and commercial organisations – even employers.

“Also, the subject of who owns the data is a hot one, as outlined by Dr Gillian Braunold in the previous ‘experts’ piece.”

Keeping an eye on debate

Bowman continues: “At HIMSS EMEA we keep a close eye on what those around us are thinking and saying and the general view is that patients should be considered to be masters of their EHR and should give their consent to the sharing of personal information.

“But whether this should be by implied consent with an ‘opt-out’ or by ‘opt-in’, is still being discussed. The industry as a whole certainly needs to sort this out but, saying that, after long discussion, it appears that most organisations have decided that an ‘opt-in’ is too impractical.”

“What is certain, though, is that patients most definitely need to be informed as to EHR usage and must have the right to intervene if they are concerned about any abuses.”

Healthcare professionals have concerns, too

But it’s not just the patients who have expressed concerns over EHRs. Those at the sharp end of healthcare, the primary users, often get nervy about perceived ‘difficult’ technology and ‘patient maintenance’.

Says Bowman: “The doctors and nurses delivering health are key here. Their attitudes to new technology, their concerns over patient intervention, potential misunderstandings, patients’ unjustified fears, constant requests for updates – which health professionals may deem impractical and potentially time-sensitive - their ethical needs to, perhaps, withhold certain information for the patient’s own good, these are all likely to affect the common ground of trust between patient and provider, without which EHRs cannot work effectively.

“But,” adds Bowman, “it is a two-way street as, at the same time, it is widely acknowledged that EHRs will upgrade the flow of information to the ultimate benefit of the patient.

Safeguards and sanctions

“Doctors, after considerable debate, generally uphold the ‘greater good’ principle – namely that despite certain objections, EHRs should be introduced – with formidable safeguards and extreme sanctions against misuse – for the greater good of society in general and its health in particular. There is evidently a need on behalf of patients to understand and, hopefully, accept this.

“The most practical way of dealing with these issues is ongoing debate between health professionals, governing bodies, governments themselves and, of course, patients.

“This is certainly happening and, through such items as this newsletter and our popular seminars, HIMSS EMEA is happy to be a part of that process.”

Jacqueline Bowman is Communications Director of the Healthcare Information and Management Systems Society (HIMSS) for the Europe-Middle East-Africa (EMEA) region and oversees the Marketing & Communications teams for the Brussels Office.

Ms Bowman has spent more than 10 years involved in pan-EMEA Communications and brand management in Brussels.

Her career has spanned the European institutions as well as UN agencies, trade associations and the private sector. Ms Bowman was previously head of the European Parliamentary Working Group on Reproductive Health and Rights and has also been Communications Advisor to a number of Public Health Organisations and the UN Population Fund (UNFPA).

Latterly, Ms Bowman led the Marketing & Communications team for The World of Health IT Conference & Exhibition.

An English - and French - speaker, the Guyanese-born Briton has degrees in English Law and French Law as well as in Integrated Communications Management.

EHR Certification Complements Patient Security

Professor Georges De Moor, Head of Medical Informatics at Ghent University and President of the EuroRec Institute, recently hosted the first eSeminar on behalf of HIMSS EMEA.

EuroRec promotes the use of high-quality Electronic Health Record systems (EHRs) and supports EHRs certification development, testing and assessment by defining functional and other criteria.

“I’m of the view that EHR systems offer more security than paper-based ones and that there’s a lot of security in the systems. Privacy protection is paramount. Without enough trust in the systems people won’t use them.

“EuroRec aims for a system of EHR certifications and I believe that this will enhance security for the patients’ data. Governments and EHR implementers will have reference to a set of minimum (and better) criteria, which will clarify the differences among EU member states in respect of privacy protection.

“EuroRec not only addresses EHRs to be used for care but also those to be used in other contexts such as clinical research. So, we have also added security and privacy protection criteria specific to those contexts.

Trust is key

“EHRs should ideally be clinically based and run. If the party organising the EHR is deemed not to be trustworthy - a commercial company in the insurance field, for instance – people will reject the system. A major issue is thus the ownership and running of the system in a given country, or region. We certainly need an open dialogue between those who pay for the system, those who use the system and those who will be affected by the system.

To my mind, a centralised system is not ideal. Personally, I favour distributed systems (for example, an office, a single hospital, a region) with some exchange and interchange, integration and interoperability but with good security measures.

“Obviously, we want any systems to be able to conform – even on a worldwide scale. System interoperability provides continuity of care and is a matter of safety for the patient. I don’t see a tension between privacy protection and safety. On the contrary, they can strike a balance and complement each other.

“One of the first rules covering privacy is that you need the consent of the patient when you store medical data. But some people are nervous about EHRs and privacy. There are many stakeholders who need convincing. And they are not just patients and clinicians.

“There are the healthcare authorities - some of them wishing to implement national EHR systems - then you have the industry, the vendors. They all have their needs and their goals. We need to create trust when implementing EHR systems, and the only way to get it is to involve everybody.

Legal framework

“What EuroRec is looking for is an official and voluntary exercise with a legal framework behind it and with funding for physicians who use the quality-linked system. We are trying to harmonise all the criteria and guidelines and procedures at a higher level.

“Clearly, we are starting with Europe but, in my view, this should be a global initiative. Health has no frontiers, now that patients can travel freely. And every clinician – wherever he or she is - has the same problems.

“I believe that more and more countries will start certification of EHRs and will look to EuroRec for how to do it. As an example, there will be a pilot site in Slovenia this year. And I’m 99 percent sure that it will meet our best practice criteria – and our best practice criteria is well disposed towards patient privacy and data protection.”

www.eurorec.org

“Does eHealth contribute to patronising patients or to an improved partnership between doctors and other healthcare providers and patients?”

eHealth is primarily designed to aid patients through the use of personal health systems (PHS) and electronic health records (or EHRs, both covered extensively in this newsletter and the previous edition).

PHS are a fast-growing area of health care and concern the individualisation of prevention, treatment and well-being procedures, based more and more often on various forms of technology.

Rather than ‘patronise’ the patient, healthcare professionals will tell you that a key goal of PHS is to empower healthcare professionals and individuals to manage health conditions, strengthen communication, improve quality of life and facilitate timely treatment. This in turn empowers patients, they say.

Home care and the monitoring of daily activities in patients, such as diabetics, through ICT, is one expanding area of PHS. So-called remote patient management can, for example, use mobile phone technology to monitor and send bio signals across the wireless network.

There are issues, such as interoperability of systems but, done successfully, PHS will inevitably lead to fewer hospitalisations – and more comfort for patients who can be monitored and ‘treated’ from home.

An electronic health record (EHR), meanwhile, is a distributed personal health record in digital format. The EHR provides secure, real-time, patient information to aid clinical decision-making by allowing access to a patient’s health information at the point of care. Obviously, there is a tie-in with PHS.

An EHR may contain data about medical referrals, medical treatments, medications and their application. Also included may be patient demographics, progress notes, problems, vital signs, immunisations, laboratory data and radiology reports.

An EHR is accessed on a computer or over a network. It may be made up of health information from many locations and/or sources.

This will allow treatment anywhere, regardless of whether the patient is miles from his or her own regular doctor. All doctors will have immediate access to the patient’s medical notes.

Again, interoperability is a key issue and, in this case, so is data protection, a subject discussed extensively in this issue of eMessenger.

Cordula Singer
HIMSS EMEA secretariat

Questions anyone?
Challenge us to help you with your (healthcare ICT related) questions. Send your input to emea@himss.org (subject line: question time) and we will research and publish your questions and our answers in forthcoming issues of the eMessenger.

The HIMSS Mission

The Healthcare Information and Management Systems Society (HIMSS) is the premier professional member organisation exclusively focused on providing leadership for the optimal use of healthcare information technology.

The HIMSS mission is to lead change in the healthcare information and management systems field through knowledge sharing, advocacy, collaboration, innovation and community affiliations. HIMSS EMEA brings this mission to Europe, Middle East and Africa.

HIMSS EMEA

HIMSS in Europe, the Middle East and Africa (EMEA) is dedicated to bringing together all the major players in the Health ICT community to transcend borders and languages and engender a truly regional dialogue. As members of HIMSS EMEA, individual professionals (managers, administrators, clinicians, technology experts and users), vendor companies and IT providers meet, interact and learn from one another.

With the opening of its EMEA office in Brussels, HIMSS is now positioned to provide activities, programmes and education specifically designed for the EMEA Health ICT community. Guided by a Governing Council of members from within the EMEA region, HIMSS EMEA focuses on the needs of individual and corporate members to ensure dedicated services and membership value.

Membership benefits include

• A monthly e-newsletter - HIMSS EMEA eMessenger – delivered to your inbox on the third Thursday of every month.
• A series of educational eSeminars on topics reflecting the challenges of the Healthcare ICT community in the EMEA region. In the first half of 2007 we will focus on Electronic Health Records (EHR) and IT Governance – the results of a joint AGFA and HIMSS study, as well as a webinar highlighting EU legislative trends affecting our sector.
• An interactive website targeted at the main issues and experts within our community. This includes a weekly “Expert View” on the issues that matter to you as well as industry news (RSS feed in partnership with Healthcare IT News Europe).
• Access to the latest industry and policy documents on the HIMSS EMEA online resource centre.
• Significant member discounts on the World of Health IT Conference and Exhibition, the HIMSS Annual Conference & Exhibition, the HIMSS bookstore and HIMSS events.

To learn more about HIMSS EMEA take a look at our website: www.himss.org/emea