Skip to main content
The BMJ logoLink to The BMJ
. 2006 Jul 1;333(7557):39–42. doi: 10.1136/bmj.333.7557.39

Patients should have to opt out of national electronic care records

FOR

Nigel Watson 1
PMCID: PMC1494772  PMID: 16809714

Short abstract

Although some aspects of the NHS care record service have a broad consensus agreement, issues of consent and security are dividing health professionals, the public, and the national programme for information technology. Nigel Watson believes his experience of opting out shows it to be the most workable option, but John Halamka uses a US model to argue that opting in is the only way to ensure confidentiality


Health care is becoming more complex and is often delivered in different places by several professional groups. At present many records are still on paper and electronic records often do not link up. For example, although general practice electronic records are among the most advanced in the NHS,1 they are not normally available when the patient is seen out of hours or attends accident and emergency or another practice as a temporary resident. Electronic coded clinical communications between hospital and general practice systems are limited to pathology.

Figure 1.

Figure 1

How should she choose what records the doctor can see?

Credit: MARK THOMAS/SPL

The NHS care records service lies at the heart of the national programme for information technology.2 The service will provide electronic summary care records and detailed care records that are available throughout the health service. The concept of appropriate electronic clinical information being available to legitimate healthcare professionals is not contentious. Most people agree that patient centred care requires comprehensive information to be available wherever and whenever care is provided. There is less agreement, however, on how patients should consent to use of electronic records and how the data can be kept secure.

Models of patient consent

There are two broad schools of thought. The first, characterised as the opt-out model, is for the public to be informed of the NHS care records service and to be offered a chance to express their wish that they do not want their clinical records shared within the NHS. The second model is for no sharing to occur until people have expressed their desire to share their clinical records within the NHS—opting in. This is the option supported by the BMA's General Practitioners Committee.3 However, having experienced an opt-out approach in Hampshire and the Isle of Wight, I believe that, with caveats, this is the way forward. In November 2003, the public advisory board of the National Programme for Information Technology also advised, on balance rather than by clear consensus, adoption of an opt-out approach with a warning period. But what evidence is there on patients' views?

Evidence supporting opt-out model

Scotland has already used the opt-out approach for its emergency care summary, which extracts data from the general practitioners' records and hospital notes and is available to the out of hours service.4 Patients were informed of the project by a widespread publicity campaign and were invited to opt out if they had concerns. In February 2006 the emergency care summary contained records for nearly 3 300 000 patients and only 22 had opted out.5

In February 2004, the Wirral Health Informatics Service started consultation on establishing an electronic health record for each patient. The record contains clinical information provided by general practitioners and the hospital and will be available to general practitioners, hospital clinicians, and the out of hours service. Patients were invited to opt out if they had concerns. Of the 350 000 patients whose records were uploaded, only 25 opted out.

The health service in Alberta, Canada, changed from the opt-in position to an opt-out one in 2003. The decision was made after consultation with patients and clinicians. Minister of Alberta Health and Wellness stated: “The changes also recognize that patients must be assured their information is confidential. We consulted with health stakeholders and the Information and Privacy Commissioner to ensure confidentiality and appropriate access.

“The people who keep and manage electronic health records have told us getting consent is an administrative burden that takes time away from patient care and pilot project shows a majority of people consented to have their records shared by electronic means.”

Hampshire and Isle of Wight

General practitioners in Hampshire and the Isle of Wight have been involved in two similar projects for the past six years, and our experience may provide some practical solutions to issues of security and consent. A pilot project during April 2000 to March 2003, evaluated a patient electronic health record that could support the clinical care of the patient out of hours and in an emergency situation.6 A meeting between representatives of the General Medical Council, the medical defence organisations, the BMA's information and technology committee, the information commissioner, the local medical committee, and the primary care trust reached a consensus that records could be downloaded without explicit patient consent but that consent was required before the record was accessed. A leaflet was produced to explain the aims of the project and the important issues of consent. Patients were offered the opportunity to opt out of the project. Leaflets were sent to all households in the area and were also available in general practices and at the hospital.

The strategic health authority then worked in partnership with the local medical committees and hospitals in Hampshire to develop the clinical data repository using the same model of consent. When the repository went live in May 2006 it contained over 650 000 patient records from 76 general practices and 450 000 patient records from three hospitals. More practices and hospitals are contributing to the repository all the time.

Of the 1 300 000 patients in Hampshire and the Isle of Wight, 1150 have decided not to have their records included in the repository. Patients are made aware that they can view the information that is held on them. About 2000 patients have requested to view their record, although many stated this was out of curiosity rather than any concern over the project.

Security

Access to a patient record in the repository requires a user name and password. Local NHS organisations issue user names only to staff who have confidentiality clauses in their employment contracts. Before accessing the patient record the user is asked to confirm that the patient has given consent. Patients can give consent for once-only access or for one year for all clinicians involved in their care.

The record includes an audit trail that shows the date and time the patient's record is accessed and, most importantly, by whom. The audit trail automatically identifies when a record has been accessed but no change has been made to the record. A change would be expected if the patient had been receiving care from the general practice or hospital. If no change is made to a record, clinicians would be contacted to explain why they accessed the record. In the case of a life threatening emergency the consent can be overridden, but the clinician would record the reason in the record and have to defend his or her action if challenged at a later date.

The project has some limitations—for example, the clinician is unable to review the records before a consultation unless consent has been previously obtained. General practitioners do not ask consent to look at clinical records in their practice because they are deemed to have a legitimate relationship with the patient. Major problems have to be resolved regarding consent and access to the records when the patient is not present—for example, looking up hospital laboratory or radiography results.

Conclusions

The potential benefits of greater sharing of patients' electronic records are broadly agreed, with concerns remaining over patient consent and security. Several schemes have used an opt-out approach for electronic patient summary records, and these schemes have been widely accepted by health professionals and the public.

The opt-out model allows patients to benefit from earlier availability of information, reduces the workload on hard pressed services, and cuts the bureaucracy for both practices and patients. I believe we should adopt an opt-out approach for contributing information to the NHS care record service but obtain consent, or have a legitimate clinical relationship with the patient, to access the clinical records. It will be essential, however, to have a large publicity campaign six months before the start of the service, detailing to patients what is going to happen, the potential benefits and dangers, and most importantly how they can opt out of having their records shared.

Editorials pp 2, 3

Contributors and sources: NW is a general practitioner and GP and regional representative for Hampshire and Isle of Wight on the BMA's General Practitioners Committee.

Competing interests: None declared.

References

BMJ. 2006 Jul 1;333(7557):39–42.

Patients should have to opt out of national electronic care records

AGAINST

John D Halamka 1

Regional data sharing is a new concept in the United States, and each region of the country is still defining its privacy policies. The government has created a new organisation called the Health Information Security and Privacy Collaboration to record best privacy practices in an attempt to create a harmonized national privacy policy. Massachusetts has one of the most advanced regional data exchanges in the country and has developed its opt-in policy over the past two years by engaging all stakeholders in our state.1 The policy enables us to prospectively educate patients about the risks and benefits of data sharing and creates a sound foundation for trust in regional data sharing. We feel this trust is a prerequisite to successful implementation of the technology—patients have to trust that their data will be protected and used appropriately, and providers have to trust that the system has clinically relevant information in it and that it has been disclosed with the patient's knowledge and understanding.

Figure 2.

Figure 2

Unified electronic records can be available with a few keystrokes—but can privacy policies be harmonised?

Credit: MICHAEL CONROY/AP/EMPICS

US policy

New England has implemented several novel regional data sharing initiatives over the past three years.1 Exchange of clinical data depends on a regional master patient index that does not contain clinical data but points to the sites holding medical records. An authorised clinician can query the index through a secure web page, and once institutions with records are identified ask for information on problems, drugs, allergies, case notes, and laboratory or radiology results. The local technology varies according to local needs and preferences—for example, solo practitioners need simpler applications than a multispecialty practice and academic medical centres need different technology from community hospitals.

Although variation in local health information systems is a virtue, variation in privacy, security, and patient permission is a vice. If privacy policies are not consistent, sharing data becomes more difficult because stakeholders may have differing views of what can be shared and with whom.2 Since sharing electronic health record data among care givers is new, I believe that patients are best served by prospectively seeking their permission to include data in the regional index. This approach acknowledges patient control and ownership of medical information.

Degrees of consent

Patients at Beth Israel Deaconess Medical Center, a 550 bed teaching hospital, might receive care varying from removal of an ingrown toenail to a heart transplant. The fact that they have medical records at the centre does not disclose any specific disease state or lifestyle. However, if they seek care at McLean Hospital, well known for treating mental illness and substance misuse, the mere fact that they have a McLean medical record number discloses a fact that could jeopardise their employment, electability to public office, and standing in the community. If they seek care at Fenway Community Health Center, a centre of excellence in gay and lesbian care, the presence of a Fenway medical record number may disclose a lifestyle choice that they wish to keep private. When asked to consent for clinical data sharing, patients may therefore opt to include Beth Israel medical record number but not their McLean and Fenway medical record numbers if they consider the risk of disclosure too high. Similar protection could be offered in the NHS through sealing parts of patients' records.

In our experience with an ongoing implementation of electronic health records in around 170 physician offices in three Massachusetts cities, clinicians, especially solo practitioners, feel less comfortable taking legal responsibility for gathering consents on behalf of other doctors in the community, or conversely, getting other practices to get patient consents for them.

An opt-out approach would include all known sites of care in the regional index but would give the patient the option at the point of care to prohibit a clinician from looking up data. Both approaches have risks and benefits. With the opt-in approach to consent, patients declare what data they are willing to share. If the regional index is hacked or inappropriately released, the only data compromised would be their name, sex, date of birth, postcode, and the institutional identifiers that they had approved for sharing. Just as customers who use online banking understand the benefits of convenience but accept the risk that their account may be hacked, patients have made an active choice. Patient advocates, Massachusetts regulators, and local politicians support the opt-in approach.1

The key disadvantage of this approach is that an opt-in system populates the regional index slowly, since no data are sent to the index until patients opt in at each site of care. This makes adoption of data sharing slow, and in the first few months of use many queries for patient data do not return any matches. Another disadvantage is that clinicians may treat the patient based on an incomplete medical record. For example, a clinician may prescribe a drug that has an important interaction with the patient's undisclosed mental health prescriptions. However, my experience as an emergency physician, shared by many of my colleagues, is that access to any medical records is better than delivering care without access to data.3

Risks of opting out

With the opt-out approach, patient demographics and medical record numbers would be stored in the regional database without patients' approval. Historical records could be used to populate the regional index rapidly. However, if the regional index is compromised, information on all institutions would be leaked. This could cause much anxiety for patients if they had not consented to that information being shared or been properly informed about the regional index. With an opt-out approach, patients have only one choice during a clinical visit—either consent to enable a clinician to query records at all sites or deny consent. Telling a clinician, “I consent to you retrieving my Beth Israel records but not my McLean or Fenway records” is disclosing, so patients with concerns are more likely to withhold consent in the opt-out model. If a patient arrives unconscious, the clinician can over-ride the opt-out consent and look up the entire patient record. Although this may benefit the patient, it may lead to unwanted privacy breaches. This may affect patient confidence in the system.

In conclusion, we have only one opportunity to build a healthcare information superhighway that patients and providers can trust. We should let the patients decide if they want to drive on it.

References

  • 1.Halamka J, Aranow M, Ascenzo C, Bates D, Debor G, Glaser J, et al. Health care IT collaboration in Massachusetts: the experience of creating regional connectivity. J Am Med Inform Assoc 2005;12: 596-601. [DOI] [PMC free article] [PubMed] [Google Scholar]
  • 2.Gottlieb LK, Stone EM, Stone DL, Dunbrack LA, Calladine J. Regulatory and policy barriers to effective clinical data exchange: lessons learned from MedsInfo-ED. Health Aff (Milwood) 2005;24: 1197-204. [DOI] [PubMed] [Google Scholar]
  • 3.Institute of Medicine. Hospital-based emergency care: at the breaking point. Washington, DC: IoM, 2006.

Articles from BMJ : British Medical Journal are provided here courtesy of BMJ Publishing Group

RESOURCES