There's something peculiarly emotive about the image of medical records lying unattended in hospital corridors. For a nation of people so preoccupied with each other's health, the prospect of a stranger viewing confidential patient data seems to touch a raw nerve in terms of privacy.
Two recent incidents in Scotland have illustrated this reaction. Earlier this month several boxes of medical records were discovered in a corridor at Glasgow's Southern General Hospital. Photographs were sent to Labour's health spokeswoman, Cathy Jamieson, who declared herself "appalled". The Liberal Democrats, meanwhile, described the hospital's attitude to patient confidentiality as "cavalier".
And late last year a television reporter stumbled across children's records at the abandoned Strathmartine hospital in Dundee. This prompted a report which recommended new rules on the physical security of records. These were adopted by the Scottish Government on 4 October 2008, and £1 million was dispatched to health boards in order to improve information security.
Nicola Sturgeon, Scotland's health secretary, said it constituted a "new benchmark for information security". Although not directly concerned with paper records, it introduced a requirement that mobile devices used to store identifiable patient data had to be encrypted to a given standard and employed only after specific authorisation.
Encryption, of course, doesn't apply to paper records, as demonstrated by the Southern General incident. On this, Sturgeon's response was pitched reassuringly. "The Scottish Government treats the confidentiality of patient records very seriously," she declared. "Medical records are the legal responsibility of NHS Boards holding them and last July we published an NHS Scotland Code of Practice for Records Management setting out the high standards we expect of boards."
Commissioner's concerns
The UK Information Commissioner's Office (ICO) recently said it was "increasingly concerned" about the NHS's protection of records following several incidents involving patient data stored on abandoned computers and lost laptops. The ICO is in charge of data protection in Scotland as well as the rest of the UK, despite healthcare being fully devolved to the Scottish Government.
Ken Macdonald, the assistant information commissioner for Scotland, told SmartHealthcare.com: "An important principle of the Data Protection Act is that organisations which process personal information ensure records (paper and electronic) are stored and processed securely. It is particularly important that adequate safeguards are in place to prevent sensitive health records from falling into the wrong hands.
"Greater Glasgow and Clyde Health Board has informed the ICO of the [Southern General] incident and will be undertaking a full enquiry. The ICO provides clear guidance to organisations to help them ensure that personal information is secure and is processed in line with data protection principles. We take breaches of people's privacy very seriously and have asked for a full report from the health board before deciding what action, if any, should be taken."
That action could include enforcement, which has been used more than eight times against NHS organisations in England since last November. Perhaps with this in mind Robert Calderwood, chief executive of Greater Glasgow and Clyde Health Board, personally led the investigation and pledged immediate action to improve procedures if shortcomings were identified.
So what else is the Scottish Government doing to appease public unease about the security of health records? Its long-term goal is the creation of a "single sign-on portal" for health professionals to access patient records. This is proceeding slowly, but eventually only those with appropriate password access will be able to look at this single electronic patient record, increasing security and reducing reliance on paper records.
Until then, however, the Liberal Democrats' health spokesman Ross Finnie thinks ministers ought to be doing more in light of the Southern General discovery. "Patients need to be confident that detailed personal information about their health is kept private," he said. "The health secretary must ask all boards to carry out an audit of their procedures and give an assurance that patients throughout Scotland can rely on the NHS to keep their records confidential."
Sturgeon stopped short of calling for an audit but reminded critics that the chief executive of the NHS in Scotland had written to all health boards in 2008 "to seek their assurance about the proper conduct of their duties concerning the holding of patient records". If, she added, "it is established that a member of staff has breached procedures then it would be expected that action is taken under disciplinary procedures."
So a combination of tough talking and the modernisation of Scotland's health records sums up the Scottish Government's approach to appeasing public anxiety over the security of patient data. As for Scotland's hospitals, it seems likely that health board staff will be busy scouring corridors in search of unattended boxes, keen to avoid further potentially damaging discoveries.