Secure patient data or face consequences, warns MDDUS

27 June 2008

Failure to adequately secure electronic medical records could result in a GMC hearing or even criminal charges, warns the Medical and Dental Defence Union of Scotland (MDDUS) today.
The warning follows the theft of a personal laptop containing thousands of confidential patient records from the home of a Midlands GP. A Wolverhampton practice has written to all 11,000 of its patients to alert them and apologise.
“GMC ethical guidance warns that patient records must be effectively protected against disclosure at all times,” says MDDUS medico-legal adviser George Fernie.
“In other words, GPs must take all reasonable steps to ensure patient records remain confidential, or face a potential GMC summons.”

Additionally, the Data Protection Act 1998 (DPA) requires “appropriate technical and organisational measures” to prevent “unauthorised or unlawful processing of personal data.”
Under Section 55 of the DPA it is a criminal offence to intentionally or recklessly disclose personal data without appropriate consent, for instance that of a GP practice.
“The law could view taking patient information home on an unencrypted laptop, memory stick or other device, or leaving it in a car or office – all with the risk of theft – as ‘reckless’,” warns Dr Fernie. Breaching patient confidentiality could also lead to a patient claim for compensation.

“Protecting information by passwords may no longer be enough. If necessary, take professional advice on encryption. 
“GPs are increasingly using laptops and PDAs (personal digital assistants) to record information during home visits. That’s fine to achieve the GMC stipulation of keeping clear, accurate and legible records, but do store data securely.”