The use of electronic health records in hospitals and clinics can benefit the care provided to patients because information can be accessed immediately. But it also raises important data security issues.
The information contained in a health record is considered by law to constitute sensitive personal data under the Data Protection Act 1998. This means it is subject to more stringent conditions in relation to its use and security than other types of information.
The authority on data protection in Europe, called the Article 29 Data Protection Working Party, produced a working document on electronic health records in 2007 that said: “Access by unauthorised persons must be virtually impossible and prevented, if the system is to be acceptable from a data protection point of view.” The message could not be clearer: the security of electronic health records is of paramount importance.
What additional data protection measures are needed if health information is accessed by an offshore diagnostics team?
The location of the team affects the legal measures that need to be put in place to ensure the information is protected and that the transfer is compliant with UK law.
As the data controller, the healthcare provider will remain liable for any breach of the act, even if it is the third-party offshore diagnostics team that is responsible. So it is crucial there are clear obligations on the offshore team around how the information is used and clear provisions stating what happens if the offshore team fails to comply with these obligations.
One of the first questions to consider is whether there is an actual transfer of personal data taking place when the offshore team accesses test results. In many cases, the size of the image in question – for example an X-ray or MRI scan – will be too large to send overseas and the team will instead access the UK-based system remotely to view the image. Although the image itself remains in the UK, a transfer of personal data will occur because the definition of “processing” under the act is so wide.
If the diagnostics team is outside the European Economic Area (EEA), the data controller of the patient information needs to ensure the transfer complies with the eighth data protection principle, which limits the ability to transfer information outside the EEA unless there are adequate safeguards in place. Measures to consider are patient consent, safe harbor registration (if the team is in the US), or the use of EU model contractual clauses.
Are there security issues around staff accessing test results on mobile phones?
The information security risks around the use of any technology, whether it is a mobile phone or other device, must be assessed before implementation. In 2010, the Canadian information commissioner published an order after a public health nurse lost a USB stick containing the personal health information of 83,524 individuals. The commissioner explicitly recommended the implementation of a “policy for mobile devices to ensure that, to the extent that personal information must be transported on those devices, it is strongly encrypted”.
This example demonstrates that stringent access controls must be put in place on mobile devices to avoid any potential risk of health information being disclosed. Any mobile phones or other mobile devices should have strong password protection, and the data should be encrypted both in transit and at rest. Any individuals who will have remote access rights to data through their mobile phones should receive information security training. Where information is sent to mobile phones, it should be only the minimum required in order to provide a diagnosis, anonymised where possible, and held on that phone for the shortest possible time before being expunged.
Mhairi Mival is an associate at law firm Pinsent Masons