
Consent and notification

The patient's consent must be sought for other clinicians to be added to the access control list, and he must be notified of every addition. In the normal course of business, a poster or box of leaflets displayed prominently in the surgery or hospital reception may discharge this requirement in respect of the clinician's immediate colleagues, so long as there are effective ways to cope with the few patients who will insist that their records be available only to the treating clinician. Adding other clinicians to the access control list, such as when a patient is referred to hospital, should normally be discussed with the patient beforehand.

However, when information is shared in the absence of consent, such as when a GP shares information with a casualty department under emergency procedures, then a notice must be generated and sent to the patient. This is the GP's responsibility; if she merely assumes that the hospital would notify the patient, then she would be seriously negligent. Illegal information brokers often obtain personal health information by pretending to be involved in emergency treatment of patients; detailed guidance on the design of emergency procedures is in [And96], which lays emphasis on the need to establish the identity of the caller (such as by calling back to a number in the Medical Register), and to always notify the patient.

Notification provides an end-to-end audit that is not vulnerable to management capture of auditors or regulators. For example, a hospital employee might be bribed by an illegal information broker to request access to a patient's record from a general practice by falsely claiming that the patient had been admitted unconscious. The callback control would not be effective in this case, but notifying the patient ensures that the attack can be detected and investigated.

The notification requirement thus flows from the principle of consent. It also helps control fraud in private practice, as benefits may be cash limited and patients with expensive treatment needs may impersonate other patients when their budget runs out.

There are no exceptions to it. Even where a clinical professional is under a legal duty to pass some information to a third party, the patient must still be notified. In the event of law enforcement access or the discussion of suspected child abuse with social services, the notification may be delayed if there are reasonable grounds for belief that it would cause the suspect to flee, tamper with evidence or intimidate witnesses. However the patient must still eventually be notified.

Principle 4: The responsible clinician must notify the patient of the names on his record's access control list when it is opened, of all subsequent additions, and whenever responsibility is transferred. His consent must also be obtained, except in emergency or in the case of statutory exemptions.
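One way to model Principle 4 in code, as an added example that is not part of the original policy document: every change to the access control list produces a notice to the patient, additions on the basis of consent are refused unless consent was given, and delayed notices are held rather than dropped. The class, method and clinician names are hypothetical, and treating the law-enforcement and child-protection delay cases as a `STATUTORY` basis is a simplifying assumption.

```python
from dataclasses import dataclass, field
from enum import Enum

class Basis(Enum):
    CONSENT = "consent"      # patient agreed beforehand
    EMERGENCY = "emergency"  # shared without consent under emergency procedures
    STATUTORY = "statutory"  # legal duty to disclose to a third party

@dataclass(frozen=True)
class Notice:
    event: str               # "opened", "added" or "transferred"
    names: tuple
    basis: Basis = None      # only set for "added"

@dataclass
class Record:
    patient: str
    responsible: str
    acl: set = field(default_factory=set)
    outbox: list = field(default_factory=list)  # notices due to the patient now
    held: list = field(default_factory=list)    # delayed, never discarded

    def __post_init__(self):
        self.acl.add(self.responsible)
        self.outbox.append(Notice("opened", tuple(sorted(self.acl))))

    def add_clinician(self, name, basis, consent_given=False, delay=False):
        if basis is Basis.CONSENT and not consent_given:
            raise PermissionError("consent must be obtained before adding " + name)
        # Assumption: the delay cases on the page (law enforcement access,
        # suspected child abuse) are modelled as STATUTORY additions.
        if delay and basis is not Basis.STATUTORY:
            raise ValueError("notification may only be delayed for statutory access")
        self.acl.add(name)
        (self.held if delay else self.outbox).append(Notice("added", (name,), basis))

    def transfer(self, new_responsible):
        self.acl.add(new_responsible)
        self.responsible = new_responsible
        self.outbox.append(Notice("transferred", (new_responsible,)))

    def release_held(self):
        """Delayed notices must still eventually reach the patient."""
        released, self.held = self.held, []
        self.outbox.extend(released)
        return released

def demo():
    r = Record("patient-A", "Dr Jones", acl={"Dr Smith"})  # constructed names
    r.add_clinician("Casualty dept", Basis.EMERGENCY)      # no consent, notice sent
    r.add_clinician("Police", Basis.STATUTORY, delay=True) # notice held back
    return r
```

Because the only way to clear `held` is `release_held()`, which moves its contents into `outbox`, a delayed notice can be postponed but cannot be silently lost.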

There is also the question of how often to notify. The feeling among clinicians consulted is that notification should be annually by letter, unless a violation or a suspicious pattern of activity has been detected. However, it is not quite straightforward. Recently, GPs were asked to notify women using certain contraceptives; this raised issues of how to deal with young girls who were taking contraceptives without their parents' knowledge, and women whose spouses had had a vasectomy and were taking the pill in a new extramarital relationship [Gil95]. The solution, which is already practised in STD clinics, is for the clinician to ask the patient at the outset of the relationship how notices should be sent.

A more difficult problem arises when the patient-clinician relationship ceases to exist. This may happen when a private practice is dissolved, or a patient dies or goes abroad. Concerns have been raised about the OPCS garnering emigration data from records returned by GPs to FHSAs for storage under current arrangements; it has been suggested that the Data Protection Registrar have custody of all 'dead' electronic records. However this raises the question of who would watch the watchman.

Finally, there needs to be an effective complaints procedure which results in offenders being punished, whether by dismissal, by professional disciplinary action, or by criminal prosecution. When a patient observes from his annual notification letter that someone he never consulted has read his record, what should he do? Should he go to his GP in the first instance, or take the matter up with the General Medical Council, some kind of ombudsman, the Data Protection Registrar, his MP, the press, or even the police? A resolution of this may depend on the success of the BMA's campaign for a bill to enshrine the confidentiality of personal health information in statute [BMA95].


Ross Anderson
Fri Jan 12 10:49:45 GMT 1996