Confidentiality implications for North of Tyne NHS IM&T strategy: can confidentiality be preserved (technically)?

I appreciate that the greatest threat to patient confidentiality is 
people, but my question - to this technically literate group - is 
whether it is technically possible to construct a shared record (at 
present this means, in CSCA/TPP[1]  language an integrated record held 
between General Practice and Community nursing services - not sure 
whether this includes health visitors, chiropodists, physios, specialist 
nurses and Community Matrons - or Social Services as yet) and maintain 
data integrity and patient confidentiality?

The background to this is that the CSCA is the LSP for 3/5ths of England 
and has taken over TPP systems from Accenture.
TPP claims to have an integrated system that covers general practice, 
community, prisons, hospices - anything you could name - and Yorkshire 
and the Humber SHA have a strategic plan to migrate all GP practices to 
this by 2009/10.

This is a link to the IM&T strategy for North Tyneside  (where, by the 
way, 70-80% of practices are EMIS)

http://www.northtynesidepct.nhs.uk/board/67September07/item19.pdf

but there seem to be some doubts in Rotherham (where they are actively 
implementing this)

presentation at the PRIMIS+ conference 30/10/07

http://www.primis.nhs.uk/pages/conference/2007Presentations.asp
An Insight into TPP Community Templates - The Rotherham Experience

Questions on confidentiality:

Re: Confidentiality implications for North of Tyne NHS IM&T strategy: can confidentiality be preserved (technically)?

In article <eMX96ADtwnUHFw1Y@...>, Mary Hawking 
<maryhawking@...> writes
>- is it technically possible to limit access to the patient record to 
>those patients with whom the clinician has, for want of a better term, 
>a "legitimate relationship"?

Technically possible, yes. But the problems arise when attempting to 
manage the list of 'clinicians with a legitimate relationship'. (Or 
indeed clerical staff with a legitimate relationship).

Who defines when an additional clinician/clerk needs to be added to the 
list, and how quickly and securely can *that* be delivered. Does it need 
to be done on a case by case (patient by patient) basis, or are there 
circumstances where a general permission is appropriate.

For example, you are taken ill and admitted to a hospital far from home. 
Can the whole. A&E might claim they don't need your medical records (and 
there's no time to add all the staff to your access-list anyway), but 
later on - does all the surgeon's team get access jus on his say so [he 
seemed like such a nice chap], or do we need to individually scrutinise 
that student nurse who took, and noted, your blood pressure just before 
you went to the operating theatre?

--

-- 
Roland Perry

Re: Confidentiality implications for North of Tyne NHS IM&T strategy: can confidentiality be preserved (technically)?

Re: Confidentiality implications for North of Tyne NHS IM&T strategy: can confidentiality be preserved (technically)?

In article <01AF6AC6-1559-4284-9526-82C02C0D5F5F@...>, Gerard 
Freriks <gfrer@...> writes
>Read again the BMA rules for Access Control to the Patient Record.
>And it is clear that it is not technology that is key

I haven't read them for a first time, but nevertheless I'm glad we seem 
to agree that it's a social problem, not a [failing of] technology one.

As indeed is the case with most of the "bad things that happen on 
networks".
--

-- 
Roland Perry

Re: BBC NEWS | Politics | Discs with 15m bank details lost

A couple of weeks back I wondered whether a suitable way of increasing  
the  priority given to DPA issues by ministers would be making them  
personally responsible for apologising individually to those affected.

So I put in a petition to the PMs website, expecting it to be kicked  
out as too frivolous...

If anyone is interested, its at...
   http://petitions.pm.gov.uk/dpa-sign/

	Nigel.

Re: BBC NEWS | Politics | Discs with 15m bank details lost

Nigel Metheringham wrote:
> A couple of weeks back I wondered whether a suitable way of increasing 
> the  priority given to DPA issues by ministers would be making them 
> personally responsible for apologising individually to those affected.
>
> So I put in a petition to the PMs website, expecting it to be kicked 
> out as too frivolous...
>
> If anyone is interested, its at...
>   http://petitions.pm.gov.uk/dpa-sign/
>
>     Nigel.
Smart Card News (28/11/07) has reported something in this area, from the 
USA:

Following on from some very high-profile data thefts, many States have 
now enacted so-called "Data Breach Notification" legislation.

Put simply, this legislation says, "If you lose customers' Personal 
Identifiable Information (Social Security numbers, credit card numbers, 
driving licence numbers, etc) and it wasn't encrypted, then you MUST 
notify everyone who's likely to be affected. Many States have also 
included additional consumer protection, such as one year's free credit 
monitoring services to protect against possible identity theft.

** end quote **

Then there is a comment that US federal govt is immune from legislation 
by the States.

Peter

Re: CDs ... terminological drift

> The organisation was responsible for Britain’s biggest security breach
> when two discs containing the country’s entire child benefit records
> were lost in the internal post between HMRC and the National Audit
> Office in London on 18 October.

This is a careful use of "internal".

Internal for me is within a building.
"Private" post might apply.
--

-- 
A

Re: CDs ... terminological drift

In article <47532FE6.5080502@...>, Adrian Midgley 
<amidgley2@...> writes
>> The organisation was responsible for Britain’s biggest security breach
>> when two discs containing the country’s entire child benefit records
>> were lost in the internal post between HMRC and the National Audit
>> Office in London on 18 October.
>
>This is a careful use of "internal".
>
>Internal for me is within a building.
>"Private" post might apply.

That's just daft. Think of a site like Addenbrookes in Cambridge. even 
within the one hospital there are dozens of buildings. And I'm pretty 
sure their "internal post" will take in most of the rest of the 
University (without any external long distance courier companies getting 
involved).
--

-- 
Roland Perry

Re: CDs ... terminological drift

"Outsourced" would I think be the unions' preferred term :)

Cheers,
Ian.
--
http://people.oii.ox.ac.uk/brown/

On 2 Dec 2007, at 22:21, Adrian Midgley wrote:

> Internal for me is within a building.
> "Private" post might apply.

Re: CDs ... terminological drift

On 2 Dec 2007 at 22:21, Adrian Midgley wrote:

> > The organisation was responsible for Britain´s biggest security breach
> > when two discs containing the country´s entire child benefit records
> > were lost in the internal post between HMRC and the National Audit
> > Office in London on 18 October.
> 
> This is a careful use of "internal".
> 
> Internal for me is within a building.
> "Private" post might apply.

In some definitions internal might apply to post within an 
organisation. However, that is not the case here.

--

-- 
  David Hansen, Edinburgh 
 I will *always* explain revoked encryption keys, unless RIP prevents 
me   
http://www.opsi.gov.uk/acts/acts2000/00023--e.htm#54