Shared Care: Benefits and Risks
Doctors are the original information professionals. Since the days of Aesculapius doctors have shared information and developed technology to make people better.
It’s a powerful position to hold - to have patients’ lives and wellbeing in your hands. And there is, as there has always been, a responsibility that goes with that power; the obligation to not share information wrongly. From the Hippocratic Oath to modern medical ethics to our own Health Information Privacy Code, rules have arisen to protect the relationship of confidentiality between doctor and patient.
That relationship has been, if not endangered, at least complicated by the emergence of shared care records. The health sector has been moving towards a shared and integrated model of care for a long time, but it’s fast becoming an everyday reality. Driven by a combination of desire for cost-savings, convenience and a need for better and faster outcomes – not to mention a general sense of digital inevitability – health records are becoming a shared resource.
As the Privacy Commissioner’s advisor on health issues, I’ve had a lot of contact with the health agencies setting these records up. They felt, rightly in my view, that if they didn’t get the privacy angle locked down at the start they would be running a major risk in the future. My own feelings were that how these initial schemes set themselves up and started operation would have a major impact on how shared care records did or didn’t work in the future. Beginnings are delicate times, and health care occurs in an environment that demands a high level of trust. Trust takes a long time to build, but can be damaged very quickly.
To get an overview of how three of these agencies have dealt with the challenges of setting up and running a shared care record I pulled together some information from privacy impact assessments, discussions with clinicians and technologists and my own research and wrote up a report, Electronic Shared Care Records Review: Elements of Trust.
I’m happy to say that my overall conclusions are in line with my initial impressions; the three agencies have done a careful and thoughtful job of assessing the privacy risks and managing them. However, there are some key points to take away from the review, and they’re relevant both to agencies looking to set up a new shared care record and to GPs wanting to use one that already exists.
First, patients need to know what’s going on. It’s a legal requirement, not to mention good manners, to put some effort into telling people that their health information is going to be more widely available for care purposes than it previously was. This can be done by brochures and posters, automated text or email messages, or even an old-fashioned conversation. Where practical, asking “do you mind if I look at your shared care record?” is a good baseline.
Many people will assume their information is already stored on a database and be pleased to agree. Some people will be less pleased and want to be taken off it – which they should be, no questions asked – and a few will likely be outraged that it was even considered.
A fundamental problem that the agencies setting up the records ran into was that asking people individually if they wanted to have their information put onto a shared record would not produce a usable record. A busy doctor in the ED on Friday night, say, is not going to waste time checking a record that’s nearly always empty. To avoid wasting time and money on a record that is unusable, some of the shared care records ‘populated’ the record with existing information. While this is justifiable under privacy law, there is a risk of a patient receiving a nasty surprise; for instance, if a woman’s estranged husband, working in a practice in a different part of the country, were to look up her test results and use that for nefarious purposes.
As always, the complaints process of the Privacy Commissioner is available to anyone who thinks their information has been misused but, as a GP, as long as you have good processes and you’ve been straightforward and open about how you’ve used patient information you shouldn’t have anything to worry about.
That leads me to the second big issue to consider: your culture of privacy. Health professionals are lucky enough to have a head start on this because privacy and confidentiality is a bedrock of good clinical care. But it’s important to consider whether your organisational culture needs any tweaks to deal with the wider access to patient information. You can get a free health privacy toolkit from our enquiries line (0800 803 909) if you’d like a refresher, and we’re currently reviewing and updating our training programme so we are likely to have more to offer in the near future. Make sure you’re making use of all the available resources to protect yourself and your employees against privacy complaints.
One final specific point to be aware of is that all shared care records will track who has been using them. Medical staff browsing patient information from curiosity or personal interest is a major threat to public trust, not only in shared care records, but in the health sector more generally. Our expectation is that this kind of browsing will be logged, monitored, and misuse dealt with firmly.
I’m guardedly confident that the steps the agencies reviewed in my report have taken to safeguard the information held in their shared care records will keep it safe. But Murphy’s Law is always lurking to catch at the heels of the overconfident and footloose, so perhaps I should just say that though missteps are probably inevitable, the benefits appear to outweigh the risks.
[Sebastian Morgan-Lynch is the Senior Health Policy Advisor for the Privacy Commissioner].