Monday, November 12, 2007

Patient Information Theft – Will It Be Easier with the NEHTA Identity Services?

Talk about totally predictable but unintended consequences. Read on.


PDS increasing patient information theft

06 Nov 2007


The practice of extracting confidential patient information from GP practice staff has become much more frequent since the introduction of the Personal Demographics Service (PDS) according to a GP IT representative.


Dr Paul Cundy, co-chair of the Joint IT Committee of the BMA and Royal College of General Practitioners, is warning GPs and their staff to be extremely cautious before giving out confidential data over the telephone.


Dr Cundy claimed insurers, solicitors and others seeking to track down individuals were using practice staff to obtain the details they need.


He told EHI Primary Care: “Since the introduction of the PDS it has become much more common and Connecting for Health are concerned about it and have set up their own unit to deal with it. We want to support them by warning people to be on the lookout for it.”


Dr Cundy said those trying to illegally obtain patient information would often telephone practices and pose as someone from the patient services authority or another practice ringing to check name and address details of a patient.


Dr Cundy added: “GP practice staff must not reveal any information over the telephone unless they are absolutely certain about the identity of the caller.”


Continue reading here:


http://www.ehiprimarycare.com/news/3195/pds_increasing_patient_information_theft


The problem here is that it is inevitable that once there is a database available with contains personal demographics, (Name, Sex, Address and Date of Birth) which are not easily available any other way, all sorts of people will seek to exploit the capacity to look up individual information.

Those who may seek to use the service inappropriately extend from debt collectors looking for a current address to the abusive husband who wants to find an estranged partner for who knows what purpose.

It is for this reason that all such data-bases are typically well protected and typically also do not contain a sufficiently large segment of the population that it is worth covert use.

The key issue that faces anyone providing such a service is to ensure that anyone who has access to the look up capabilities of a national service is firstly traceable by a robust audit trail and is well trained to know that abuse of the service is a sackable offence at best – and will potentially result in civil and criminal liabilities if abused.

Given that NEHTA is planning that the Individual Health Identifier (IHI) service will be accessed by all health providers and their staff – just how nefarious uses of the system can be prevented is hard to imagine unless there are indeed severe penalties legislated for inappropriate use as well as a robust and ongoing educational program.

NEHTA claims that the IHI will improve privacy, but it seems to me that unless the individual has a token of some sort which holds their IHI the first time every provider needs an IHI they will need to look it up from the central system – to place in a patient’s record for that particular service.

To be workable the system will need to be quick and easy to look up (or no one will use it) and here lies the problem! There will ultimately be 500,000 providers with quick and easy access to a very valuable demographic data store with 99% of the population listed. Does anyone really believe this will not be abused – especially given that the public will also be able to look up / search for their record.

I look forward to NEHTA’s final design documents and privacy impact assessment to be assured the issue has been addressed. Looks like the UK have not managed it yet.

David.

No comments:

Post a Comment