All members of the practice team should be aware of what will happen to centralised patient data, and how patients can opt out
Data has always been central to caring for patients in the NHS. It has moved gradually, and often infuriatingly slowly, from paper to computer systems, and is becoming easier to pass around the service for patient care.
Information about that care has also been passed around the service. Registration forms have been around for as long as the NHS has existed. Claim forms in the 1990s for such things as minor surgery and contraception advice gradually gave way to electronic versions. Since 2004, the quality and outcomes framework (QOF) has also been hungry for data. Clinical data, however, has been limited to immunisations, cervical cytology and, before 2004, contraception.
Practices have also been presented with data from secondary care by Primary Care Trusts (PCTs) and Clinical Commissioning Groups (CCGs) as part of the quality and productivity indicators in the QOF. This has tended to be transactional data – collected as part of the payment by results system to enable bills to be paid correctly. This contains a little information about diagnosis and any procedures that the patient has undergone, but it could not be regarded as a clinical record.
This transactional data can still contain quite a lot of personal information, so its transfer has been carefully regulated. PCTs received legal permission to hold and process this information. When the CCGs came into being in April 2012, they did not have this permission, and short-term measures were necessary to ensure that they and NHS England could continue to handle patient data.
This is one of the problems that the ‘care.data’ service in England has been designed to solve. The Health and Social Care Information Centre (HSCIC) would collect information from hospitals as well as from GP registrations and other centrally-collected data and provide a service to the rest of the NHS. It has ambitions to transform this database into something that provides much more information about a patient’s medical history, including current treatments and diagnoses.
Using information for research, commissioning or anything other than direct patient care are referred to as secondary uses in the jargon of informatics. The primary use, of course, is the care of patients.
Information has been extracted from patient records for some time. Consent was not needed from patients if it was thought to be unfeasible to obtain this from each patient individually. These releases of identifiable patient information were permitted individually under section 251 of the NHS Act 2006. It is this provision that currently allows data to be seen by commissioners, and also covers other extractions of identifiable patient data such as the National Diabetes Audit.
Researchers have also used data from general practices in the past although identifiable records were generally not used. QResearch, developers of the QRisk, QFracture and other risk formulae, have based their research on anonymous data extracted from practices running some EMIS software. The Clinical Practice Research Datalink has also been able to make data available for clinical trials.
Under the 2012 Health and Social Care Act, that same act that created CCGs, it will be compulsory for practices and other providers to provide information to the HSCIC’s care.data system. The government has announced that individual patients may opt out of either having their data uploaded to the HSCIC or alternatively of preventing identifiable data leaving the HSCIC. Any release of identifiable information would still have to be individually approved under section 251.
The data will be extracted from practice computers by the general practice extraction system (GPES). This is the same system that will be used for QOF analysis, although the actually extractions will be quite separate.
Research is considered to be an important use of this data. With a highly centralised NHS we will have one of the largest sets of patient data in the world, and this is likely to be attractive to many researchers from across the globe. These could include universities or pharmaceutical companies.
The government sees this as an opportunity to attract research to the UK. In a speech in 2011 David Cameron specifically talked about the opening up of data and stated that the NHS should work “hand in glove” with industry. There is no restriction to the sort of organisation that can receive the data and patients cannot restrict the use of their data. They cannot, for instance specify that only NHS organisations should have access.
The range of data to be extracted will be quite wide although only codes entered after April 2013 will be extracted. No free text will be extracted. There is a list of codes similar to the lists used for QOF data extraction, although the net is cast a little wider. While the QOF aims to be highly specific, more general codes are included to try to catch the full breadth of the medical history.
There is a list of sensitive codes including termination of pregnancy, HIV and domestic violence which will not be extracted. This list may change and other information, such as anti-HIV drugs, will be extracted which will limit the efficacy of these exclusions.
Patient identifiers will be extracted from practices along with the data. This will not include name or precise address but will contain the NHS number, date of birth and postcode. This will allow GP data to be combined with other sources such including acute medical trusts, mental health services and social care, although these other sources will not start immediately. Once this has been done the identifiers will be removed from the anonymous data sets.
The information from hospitals is also to be greatly increased. The Hospital Episode Statistics currently report the primary diagnosis and procedure (if any) performed during either inpatient, outpatient or A&E attendance. During a long inpatient stay there may have been have been several diagnoses and many procedures. In the future, the data will be expanded to include all tests performed as well as medication prescribed and nursing observations. Further administrative data including the ward and named nurse will also be included, as will patient feedback and any adverse event records.
There are four possible ways in which data might be released by the HSCIC. Identifiable data could be released where nothing else would do. In the first release of data this will only be used for commissioning purposes.
The next level down would be anonymised or pseudonymised data. Data is regarded as pseudonymised when patient identifiers have been replaced, but it would be possible to reidentify the patient, perhaps by looking up a master database held by the HSCIC. This is similar to the data currently being used by the QResearch and CPRD systems, although they do not routinely re-identify data.
Anonymised data will have no reversible identifier. That does not mean that it is not possible to identify individuals from anonymised data. Strong identifiers such as NHS number and date of birth have been removed. The medical data extracted will be so rich and detailed that it may be possible to identify individuals in combination with other data sets. This is a similar situation to when you can’t remember a person’s name but you can give a description. For instance, while there might be a million people in the UK of the same age as you, the number who share your height, weight and medical history might be quite small. This ‘jigsaw’ identification is not particularly easy but it has been proved possible in other sets of data. For this reason, even anonymised data cannot be made public, and organisations requesting a supply of data will be asked to sign agreements pledging not to attempt re-identify the data.
Any publically-available data will be released in an aggregated form. This is similar to the current QOF data that only deals with numbers of patients. It is generally considered not to be a risk to privacy if the number of patients with, say, diabetes in a practice is listed alongside the number who have a cholesterol level below the target. Some care is needed when dealing with small numbers of patients, but generally this is safe to be released publicly.
There has been some opposition to the concept of uploading this quantity of data to a central government database without explicit patient consent. There is no direct patient benefit to the upload and any breach of confidentiality could be harmful to the individual. It may also be harm the doctor-patient relationship if it is perceived that all information is to be passed on. While the HSCIC has stated that all possible precautions will be taken with the data the patient opt-out and national leaflet campaign have been a direct result of these objections.
Although the upload is compulsory, practices will
remain the data controller for the data held within their surgery. Part of the practice’s responsibility is to inform patients about what will be happening to their information and their options to opt out of this. Patients should be aware about what the data will be used for and the safeguards, including anonymisation, that have been put in place to protect that data.
They should be aware that this upload is purely for secondary uses. There will no influence on the care and services that a patient receives as a consequence of opting out of the upload. It is completely separate from the Summary Care Record (SCR), and patients who have opted out of the SCR will have to separately dissent from the care.data extract.
A national leaflet campaign will take place early in 2014. Every household in England should receive a leaflet. These will not be individually addressed and could easily be overlooked alongside flyers from pizza delivery companies or supermarket offers. Patients may also have opted out of receiving junk mail from Royal Mail.
There are two codes that may need to be entered if patients do not want their confidential data to be released. The first prevents confidential data from leaving the practice in the first place. The second prevents identifiable data from leaving the HSCIC. In the latter case it seems that anonymised or aggregated data would be fine to be issued at it is not personal or identifiable.
Patients may want both codes. If only the first is used then no data will be uploaded from the practice, but this will not prevent data from other healthcare providers and agencies being uploaded to the centre. There is currently no way to prevent this upload. Information from these other agencies could be passed on.
Some patients may want the second code only as this would prevent identifiable information leaving the HSCIC but data from the practice could be used in aggregated figures. As they are both dealing with different data and different processes, patients will need to be informed and consider both codes.
Using both codes will not prevent the second code being extracted from the practice system so that it can be used appropriately. There are also codes to be used if patients later change their mind.
While entering the codes is relatively simple, practices will need to be careful when patients transfer from another practice. If these codes are not entered along with other clinical data then data could be uploaded or released against patient’s wishes. It is likely that the information commissioner would hold practices responsible if this occurred.
Practices are likely to the first point of contact for patient with concerns or questions about the care.data system. All members of staff who deal with the public should be aware of the plans and what actions patients may need to take. Unfortunately this is yet another challenge at the end of a very busy year.