This week we uncovered an issue with GP computing systems that seems to affect the major GP computer suppliers. We have confirmed so far that it affects CSC Isoft Synergy, Emis and INPS Vision. The issue is that none of these major GP computing systems records an audit trail to show who has accessed your medical record. Unauthorised access to GP records featured in the recent Channel 4 Dispatches programme.
When we were fighting the Summary Care Record battle, the Department of Health made a big issue of how the audit trail would protect patient confidentiality, as patients could see who had accessed their records.
We now have the Health Bill upon us, and major companies such as Virgin, Serco and corporate GP providers such as The Practice PLC are bidding for GP contracts. These are large Surgeries, often spread across multiple sites, with a large number of GPs and ancillary staff working for them. Yet the patient has no way of knowing if any unauthorised access to their GP record has occurred.
The other worrying thing is that when a small Surgery is taken over by a large corporate organisation, ALL the patient records are transferred over. This INCLUDES the records of patients no longer registered at the Surgery and any private patients.
Even if you are a private patient at an NHS practice, your records will be included in this issue too. As the majority of Surgeries are paper-light or paper-free, this presents a large risk to patient confidentiality. It will also be of concern to celebrities, MPs and other prominent people. The risk of a confidentiality breach increases the larger the Surgery.
We have also discovered that the GP systems are unable to delete a record that has been uploaded in error; it can only be deducted, hidden from view. This would also seem to fail to meet Section 10 of the Data Protection Act, when to be on a database would cause significant and unwarranted distress under the Act.
Whilst there are ethical issues in removing clinical data that has been relied upon, there are also instances, such as when Section 10 of the Data Protection Act is applicable or when a record has been uploaded in error, when it is appropriate to totally remove the medical record from the GP computing system.
We discovered this accidentally, as my GP was seeing me as a non-registered patient due to Section 10 being applicable to me across the whole NHS, and my clinical records were kept on a small village 2-doctor practice computer. The Surgery has been taken over by the large Marlow Medical Group and my records have been transferred, even though I was NEVER going to be a Marlow patient! Marlow Medical Group is a large 16/17-doctor surgery across 4 physical sites with a huge number of ancillary staff. I have discovered there is no audit trail for my records, and a serious data breach has occurred, as my clinical details have been discussed with Bucks PCT. There is also apparently no way they can be deleted other than, it seems, physically with a mallet!
If you are concerned about this, I would suggest you ask your GP to use paper records and to keep them securely. Anyone having issues, do feel free to contact us.