When looking to understand the complex world of medical records, the obvious place to start seemed to be my own record. So, I googled my GP surgery. The website offered no obvious way of getting access. A call clarified the process – I must take my identification documents in, pay a £10 administration charge (which would have been £50 had they also copied my paper or Lloyd George record) and hey presto, a whole week later, I get a printout of my record…on paper…online access is apparently “on its way”.
Now I may be spoiled by the immediacy of the digital age, but given how complicated that all seemed to be, it made me question whether my record is really mine at all.
So who actually owns our medical data?
The simple answer is: I don’t know.
When medical records were handwritten on paper, the closest you could get to an answer was that the Secretary of State for Health owned the paper, the GP the ink, and the information belonged to the patient. So now in an era of electronic health records (EHR), does the hardware or software owner have a claim over my medical data? Is that the Secretary of State for Health or my GP, or my GP practice or even my GP practice software provider?
I’d like to think my record is owned by me, and others use it for legitimate purposes to provide me with the best possible care. Historically, that's how data sharing relationships within the NHS have worked, relying on implied consent for sharing where the imperative is direct care.
The fact is that we are legally allowed to view our records (unless this may cause harm or disclose other patient information), and after May, in a post-GDPR world, we will need to be given free access. No more £10 or £50 charges.
But viewing my data (online on its way) is about as far as my control currently goes. I’m surprised how little attention the ‘data owner’ or ‘data creator’ gets in the data protection world. My status is rather weakly described as a "data subject." It’s all about the data processors and controllers - who 9.99 times out of 10 aren’t the data subjects.
Who can view my medical data?
“The NHS Constitution explains that patients have the right to privacy and confidentiality, the right to expect the NHS to keep patient confidential information safe and secure, and the right to be informed about how their information is used.”
I know my GP views and adds to my record. I’m pretty sure any member of staff with the right access at my multi-site GP practice group can access it. Beyond that I have absolutely no idea. I don’t know who has access to my data now, or who my data has historically been shared with, anonymously or otherwise. I also don’t know how it is transmitted to other care providers. I was told on a recent visit that I have no Electronic Health Record prior to 2009 – it must have gone missing when moving GP practices. So who knows where that data is now?
I feel poorly informed about how my data is being used. Which makes me feel a little uneasy in this Cambridge Analytica, #deleteFacebook era. Do I want my GP to share my medical data at all without my knowledge?
The simple answer is: I don’t think so.
So what is happening to improve the situation?
GDPR is on its way and will give every one of us data subjects greater control over how our data is used. In health, we will have to get miles better at roles-based permissioning and sharing data securely on a need-to-know basis. At Dovetail, we think explicit patient consent mechanisms will increasingly be required to action information sharing relationships, with patients wanting to see and have control over who has access to their records.
PSD2 and the Open Banking movement have broken up the monopoly of the big banks and given consumers the ability to do all sorts of things with their financial data. The same may be on its way for health data. Access and portability to another provider on a one-time basis is going to be required after 25 May 2018 when GDPR goes live. So health service providers will have to up their game. Companies must now convince you that they are good custodians of your data. Those developing new technologies with AI (artificial intelligence) will need to convince you that there are benefits to sharing your data. Lost or poorly guarded medical data could hit GPs and Trusts with hefty fines.
Greater visibility and control over my health data is on its way, and I, for one, am looking forward to making a difference with it.