Threats to clinical confidentiality

Many organisations, both public and private, have replaced dispersed manual record keeping systems with centralised or networked computer systems which give better access to data. Their experience is that the main new threat comes from insiders. For example, most of the big UK banks now let any teller access any customer's account; newspapers report that private detectives bribe tellers to get account information which they sell onwards for £ 100 or so [LB94]. This practice was made illegal in a recent amendment to the Data Protection Act, but there have still been no prosecutions of which we are aware.

The effects of aggregating data into large databases should have been expected. The likelihood that information will be improperly disclosed depends on two things: its value, and the number of people who have access to it. Aggregating records increases both these risk factors at the same time. It may also create a valuable resource which in turn brings political pressure for legalised access by interests claiming a need to know [Smu94].

Health systems are not likely to be different. At present, security depends on the fragmentation and scattering inherent in manual record systems, and these systems are already vulnerable to private detectives ringing up and pretending to be from another healthcare provider. A recent newspaper investigation showed that most people's records could be obtained for as little as £ 150 [RL95]. There are also some incidents specifically involving computer systems:

• following the theft of a general practice computer, two prominent ladies received blackmail letters threatening to publicise abortions;
• there is continuing abuse of prescription systems [JHC94];
• a Merseyside sex stalker who calls himself `Dr Jackson' wins the confidence of young women by discussing their family medical history over the telephone and then tries to arrange meetings. Police believe that he is a health worker or a computer hacker [Tho95].

The interim guidelines issued at the same time as this policy give advice on how to make such attacks, on both manual and computer systems, less likely. However, the introduction of networking will change the risk profile, as current UK health networks are limited in scope, whether geographically or by function, and connecting them into a full-function national network will greatly increase the potential for mischief.

Put simply, we may not be much concerned that a GP's receptionist has access to the records of 2,000 patients; but we would be very concerned indeed if 32,000 GPs' receptionists all had access to the records of 56,000,000 patients. The danger of aggregating records, and the likelihood that abuse will result, is confirmed by the experience of the USA, where networking has advanced somewhat more than in Britain:

• a Harris poll on health information privacy showed that 80% of respondents were worried about medical privacy, and a quarter had personal experience of abuse [GTP93];
• forty percent of insurers disclose personal health information to lenders, employers or marketers without customer permission [CR94]; and over half of America's largest 500 companies admitted using health records to make hiring and other personnel decisions [Bru95];
• a banker on a state health commission had access to a list of all the patients in his state who had been diagnosed with cancer. He cross-referenced it with his client list and called in the patients' loans [HRM93];
• a US drug company has gained access to a database of prescriptions for 56 million people by purchasing a health systems company. It now plans to trawl the database for patients whose prescriptions suggest that they might be suffering from depression manifested as several other minor illnesses, such as backaches and sleeplessness, and try to get their doctors to prescribe them Prozac [See95];
• a credit reference agency is building a network to trade health records. It is sponsoring a bill in the US Congress which would facilitate disclosure to interested parties without patient consent, and remove patients' right to sue if unauthorised disclosure results in harm. This is an example of an information resource bringing political pressure for legitimised access, and is being contested by civil liberties' and patients' groups.

The problem was studied by the US government's Office of Technology Assessment. It confirmed that the main threats to privacy in computerised clinical record systems come from insiders rather than outsiders, and that they are exacerbated by the data aggregation which networked computer systems encourage [OTA93]. Other concomitants of data aggregation are growing claims of a need to know and treatment biased towards the interest of the corporate sponsor rather than the patient [Woo95].

The British government admits that wide access to identifiable clinical records has no ethical basis. Not even a clinician (let alone an administrator) may have access to personal health information in the absence of a need to know. In the words of David Bellamy, Principal Medical Officer at the Department of Health:

It is a commonly held view ... that I as a doctor can discuss with another doctor anything about a patient because a doctor has a duty to maintain confidentiality by reason of his ethical obligations. It is just not true and it no longer holds water. Even if it helps professionals discussing individual patients with their colleagues, they must discuss only on the basis of the information the colleague needs to know [WHC95 p 16].

There are frequent claims by insurers, social workers, policemen and administrators that they have a `need to know' personal health information. When evaluating such claims, it may be helpful to bear in mind that a surgeon's `need to know' a patient's HIV status --- so that he can take extra care to avoid needlestick injuries --- is insufficient to override the patient's right to privacy about this status. A recent court case found that even a doctor's HIV status may not be disclosed: the small risk to patients' health does not outweigh the public interest in maintaining the confidentiality that enables infected persons to seek help [DGMW94].

The BMA does not accept that `need-to-know' is an acceptable basis for access control decisions. As the EU and GMC documents make clear, it is patient consent that matters. The concept of `need-to-know' implies and encourages the surreptitious erosion of the patient's privilege for the sake of administrative convenience. In any case, needs do not confer rights: the police's need to know whether a suspect is telling the truth does not give them a right to torture him. It is also useful to bear in mind empirical surveys of patient attitudes that show strong resistance to the sharing of personal health information with NHS administrators, social workers and government statisticians [Haw95].