"The law is clear and the consequences of breaking it can be severe."
Except for large companies like Google...
A former midwifery assistant from Essex has been fined £1,715 for unlawfully accessing and sharing patients’ medical records. Brioney Woolfe pleaded guilty to the offences, which took place between December 2014 and May 2016, at Colchester Magistrate’s Court. The UK’s data protection watchdog, the Information Commissioner, …
Thirty quid a name plus legal costs means it isn't even severe for Jo Public to do it.
Whilst not wishing to minimise the severity of the crime, I suspect that £1,700 quid will sting the culprit quite a bit. A midwifery assistant will be on what, as a Band 3, £18k a year, so that's about a month and a half's take-home. As a proportion of disposable income it'll be a whole lot higher. And I would imagine that a criminal record and local publicity means she'll struggle to find a job for a few years yet (and possibly never in the NHS, depending on the role).
For somebody with (I assume) no previous convictions, this is a very significant penalty.
The thing about the NHS databases that I worked on for ten years is you could tell who accessed the data and when. Quite the opposite of trusting random employees, every database query is logged. The triple AAA of authentication, authorization, and accounting are applied to confirm if someone is up to no good and prosecute every single wrongdoer. Of course we could throw all that investment away and go back to receptionists in GP surgeries sending pages and pages of medical records in clear text to unmanned fax machines in insecure locations, but that really would be trusting unknown random employees.
"Of course we could throw all that investment away and go back to receptionists in GP surgeries sending pages and pages of medical records in clear text to unmanned fax machines in insecure locations, but that really would be trusting unknown random employees."
My partner has worked in QA and Safeguarding, so I've a fair idea of the problems. If you don't think this already goes on, then you're not looking very hard.
"The thing about the NHS databases that I worked on for ten years is you could tell who accessed the data and when"
Can you?
There are a few things wrong with this statement:
1. The NHS does bulk exports to other systems, which are not logged.
2. Not all NHS systems are logged or access controlled (finance data isn't, and yet financial systems have to be tied back to a patient identifier and account code for audit, so the finance system knows that Smith, DoB 14 Aug 1983, had a treatment under the contract with the sexual health clinic for £100).
3. The user logged isn't always a human and is often a generic team user.
4. The admin tools bypass the logging and authentication.
5. Almost nobody checks that the record accessed is appropriate for the user accessing it.
6. The whole lot runs on a network that trusts almost everything on that network and is full of vulnerabilities.
The point 2 is the vertically challenged hospital porter.
You do ask a fair question though, which could be answered and resolved with some clever patient/clinician logging. If you access patient x's records, then are you currently treating, dealing with or recently dealt with said patient? If not, then it throws up a flag.
If I'm ever brought into A&E in a "mostly dead" state; then I'd really hope that the medics aren't "applying for an exception" to get access to my records.
Seriously, I can imagine that governing this kind of access would become a huge overhead in terms of time to implement and maintain the systems and fast become a huge PITA when HCPs can't access the records they need to ("Sorry Mr John Smith we have three people with that name and the clerk got the wrong one").
When you arrive in A&E you will be treated and admitted. Once admitted everyone who works on your case would have access to your relevant records.
In general, emergency situations aren't helped by seeing your records anyway.... otherwise people arriving at A&E without identification would be dead, or people whose records are held by another authority, or if you had an accident abroad etc...
Re: How many more ...
When you arrive in A&E you will be treated and admitted. Once admitted everyone who works on your case would have access to your relevant records.
In general, emergency situations aren't helped by seeing your records anyway.... otherwise people arriving at A&E without identification would be dead, or people whose records are held by another authority, or if you had an accident abroad etc...
Had to quote the whole thing so it's clear which coward I was replying to.
Everyone who works on the case wouldn't have access if the over-the-top draconian no-one-should-ever-have-access policy being hyped here was in force.
Maybe "in general" its records are not needed. "In general" I don't need the spare tyre in my car. I hope you see where I'm going with that.
I've no doubt that some anon people arriving at A&E *are* dead due to not having vital info that was in their records.
'If I'm ever brought into A&E in a "mostly dead" state; then I'd really hope that the medics aren't "applying for an exception" to get access to my records'
I wish people wouldn't drag up this old chestnut again and again. It's mostly rubbish. First rule of emergency medicine - treat the symptoms in front of you (I only did the first year of medical training, I'm sure there would have been more in later years). In a few very, very rare cases it might be helpful but they are rare.
Personally I have one of those "this patient has a condition..." cards in my wallet. On the few occasions I've been to A&E nobody cares. The last doctor even said "I'm liable, I'll do my own diagnosis".
If there is something massively wrong with you that isn't obvious then by all means carry an SoS token of some sort. If you don't want to carry something then opt-in to a database. Just don't force the rest of us into an insecure system because a tiny, tiny minority are too lazy to take responsibility for their own life.
Just because someone else might have an allergy doesn't mean my entire medical history should be available to all 2 million NHS employees. And the Police. And GCHQ. And central government. And the council benefits office.
If I ended up in A&E on the other side of the country fighting for my life, I'd hope that anyone there with a current bona fide NHS id/smart card could pull up my GP records and see that I'm allergic to penicillin, that I'm already taking blood thinners, and any number of things that would increase my chance of survival. But I'd also like it logged who accessed my medical records, just on the off chance that a midwife in the next corridor wasn't in the pay of Rupert Murdoch. Fuck knows what's been done now that NHS Digital have taken it all in house, but between 2004 and 2014 that's exactly what happened on SPINE and PACS and RIO and all the other ACUTE NHS databases that I worked on to protect the confidentiality of over 50 million NHS patients.
Bollocks to that, I'm not spending life wearing a wristband saying I'm allergic to penicillin my whole damn life on the exceedingly small chance that one day it'll be useful. A subcutaneous microchip with handy stuff on it maybe; certainly not anything visible that will need replacing constantly.
I'm not spending life wearing a wristband saying I'm allergic to penicillin
Then you have no-one but yourself to blame if you get given penicillin. Take responsibility for your own health and don't rely on others to magically know.
At the very least, carry a card in your wallet to say that you are allergic.
I'm on a variety of toxic stuff[1] for arthritis and so I always carry a card stating that giving me certain treatments will, quite likely, kill me.
[1] Various DMARDs to suppress my immune system and a once-a-week biological injection to reduce inflammation.
"At the very least, carry a card in your wallet to say that you are allergic."
I do. I was responding to another commentard who stated that that's how it should be, with the vehemence I felt it deserved. Other information available in my wallet for this eventuality includes my blood type on my donor card so there is, in fact, as much information as I can think to give considering that I don't take anything regularly in my wallet for these eventualities.
"I'd hope that anyone there with a current bona fide NHS id/smart card could pull up my GP records and see that I'm allergic to penicillin, that I'm already taking blood thinners, and any number of things that would increase my chance of survival."
Rest assured - having asked the same questions whilst sitting in ED and in consultant appointments - they can't. Make sure you tell them about that anaphylaxis.
Oh for the love of dog.
Here is my statement.
"if not then it throws up a flag"
"if not"
If not, then it throws up a flag. What part of this is difficult to understand? I'm not advocating removing access. I'm saying that if you access a record then it needs to be linked to the care you have provided, and if there is no link then it raises a flag so your access to a patient's record can be investigated.
This is the same way the PNC should work.
I don't know why I bother sometimes.
You overestimate how well connected healthcare systems are. There is very little way for a system to know if a user has a link to the record being accessed.
Doctors work bizarre shifts, cross-cover numerous teams, may have to emergency cross-team outside of normal processes, staff may have to be brought in a few hours notice, one doctor may informally ask for advice or 2nd opinion from a colleague that isn't on call or dealing with the patient. It's a similar thing with nurses, there may be emergency cross-cover or deployment to one or multiple wards or multiple care teams. You couldn't possibly flag every access where there isn't an obvious link. On top of that, data quality in the NHS is notoriously poor, with incorrect team assignments, etc. rampant.
You are limited to very broad brush limits - such as reception staff should have access to the appointment list, but little else. Lab technical staff should have access to laboratory systems, but limited access to other systems.
There is another issue about what you do with "VIPs" - not necessarily celebrities, but people who might pique the interest of certain staff members (sports personalities, politicians, etc.). As an example of how this can go wrong, the admin of an EHR set his record to "VIP" to stop prying eyes. Except when he ended up ill in A&E in the middle of the night, no one could access his record to order an X-ray, or order blood tests, or even log the attendance. Never mind not being able to access the prior records - there was no access to anything, he didn't exist, unless you were logged in as sysadmin. So, the only way to get this sorted was for him to log in as admin and clear the VIP flag before any of the medical staff could get access.
The VIP issue has been partially solved with a "special search" or "break glass" function. VIP access is suppressed, unless the user opts to perform a "VIP search" which requires them to log in again, and provide a written reason why they are performing a VIP search, which is then logged and flagged for a manager to audit at a later date.
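The "flag any access with no care link" idea from the earlier post and the "break glass" path described just above can be expressed as a small audit routine over access logs. This is an added example, not code from the article or any NHS system; the user, patient and episode data are constructed, and the seven-day grace period for "recently dealt with" is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Access:
    user: str
    patient: str
    at: datetime
    break_glass_reason: Optional[str] = None  # set when the user took the break-glass path

@dataclass
class CareEpisode:
    user: str
    patient: str
    start: datetime
    end: datetime

GRACE = timedelta(days=7)  # assumption: access within 7 days of an episode still counts as a care link

def has_care_link(access: Access, episodes: list, grace: timedelta = GRACE) -> bool:
    """True if the user was treating this patient at, or shortly before, the access time."""
    return any(e.user == access.user and e.patient == access.patient
               and e.start <= access.at <= e.end + grace for e in episodes)

def classify(accesses: list, episodes: list):
    """Split accesses into (flagged, audit).
    flagged: no care link and no break-glass reason -> investigate.
    audit:   break-glass access with a written reason -> manager reviews later."""
    flagged, audit = [], []
    for a in accesses:
        if has_care_link(a, episodes):
            continue
        (audit if a.break_glass_reason else flagged).append(a)
    return flagged, audit

# Constructed sample data: one nurse assigned to P001 for 1-5 March 2016.
SAMPLE_EPISODES = [CareEpisode("nurse_a", "P001", datetime(2016, 3, 1), datetime(2016, 3, 5))]
SAMPLE_ACCESSES = [
    Access("nurse_a", "P001", datetime(2016, 3, 3, 9, 0)),                # linked: during episode
    Access("nurse_a", "P001", datetime(2016, 3, 10, 9, 0)),               # linked: within grace
    Access("nurse_a", "P002", datetime(2016, 3, 3, 9, 5)),                # flagged: never treated P002
    Access("nurse_a", "P001", datetime(2016, 4, 1, 9, 0)),                # flagged: long after episode
    Access("doc_b", "P001", datetime(2016, 3, 3, 2, 0), "A&E attendance, not on rota"),  # audit
]

def run_demo():
    return classify(SAMPLE_ACCESSES, SAMPLE_EPISODES)

if __name__ == "__main__":
    flagged, audit = run_demo()
    for a in flagged:
        print(f"FLAG  {a.user} -> {a.patient} at {a.at:%Y-%m-%d %H:%M}: no care link")
    for a in audit:
        print(f"AUDIT {a.user} -> {a.patient} at {a.at:%Y-%m-%d %H:%M}: {a.break_glass_reason}")
```

The same routine applied to a generic team login (point 3 in the list above) would flag every access, which is itself the useful finding: those accounts cannot be tied to a care link at all.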
Think she got off rather lightly tbh. I work in an NHS trust and we have it drilled into us from the start the consequences of using patient data inappropriately, or even not reporting when it's suspected other people may be doing so.
This woman got off extremely lightly with a slapped wrist and fine, although she's probably killed her midwifery career now as well.
So the personal, medical, highly sensitive, highly confidential data of 29 patients is worth just under 2 grand?
Not nearly harsh enough a punishment, IMHO.
I'm pretty sure that, as a doctor, were I to commit the same naughtiness I would be looking at a much larger fine and an interview without coffee with a General Medical Council Fitness to Practise panel.
(EDITED to correct typos)
"Why it isn't just rolled into the original fines I don't know."
It applies even if there isn't a fine eg a conditional discharge. There are also no exceptions for being unable to pay it.
A compassionate judge was censured for offering to pay a defendant's surcharge.
There is disquiet in legal circles about this surcharge.
Well, at least she wasn't going for a bulk discount.
The online Pharmacy2U service got fined £130K for selling info of 21,500 patients to 3rd parties.
"... Including a lottery company that “deliberately targeted elderly and vulnerable individuals”"
So just over £6 a head, bargain!
(More information at the Chemist+Druggist, https://www.chemistanddruggist.co.uk/news/online-pharmacy-hit-%C2%A3130k-fine-sale-patient-info behind a registration wall)
The penalties in the US are draconian compared to this. The fines can be anywhere from $100 to $50,000 per incidence for the medical institution for repeat offenses.
Criminal violations of HIPAA are handled by the DOJ. As with the HIPAA civil penalties, there are different levels of severity for criminal violations.
Covered entities and specified individuals, as explained below, who "knowingly" obtain or disclose individually identifiable health information, in violation of the Administrative Simplification Regulations, face a fine of up to $50,000, as well as imprisonment up to 1 year.
Offenses committed under false pretenses allow penalties to be increased to a $100,000 fine, with up to 5 years in prison.
Finally, offenses committed with the intent to sell, transfer or use individually identifiable health information for commercial advantage, personal gain or malicious harm permit fines of $250,000 and imprisonment up to 10 years.
"The fines can be anywhere from $100 to $50,000 per incidence for the medical institution for repeat offenses."
A number of UK data-related laws have "per incidence" clauses in them.
The government bodies enforcing them _choose_ to interpret this as "per group of complaints we investigate", rather than "per individual breach"
Some might call that subverting the will of parliament.
I assume she looked up family and friends and one of her family or friends blabbed, resulting in a complaint that traced back to her looking up stuff not related to her role.
You can imagine how some private information can be blabbed in a heated argument or just general gossip.
Most officers over 45 will tell you how they looked up daughters'/nieces' ex-wives, potential partners, etc.
It's human nature to look, and these reports of unlawful access just expose the serious failings of the current controls in place.
We should all get access to a near-time (updated monthly) report on who is accessing our data and for what reason.
I work for a private company that builds and maintains databases and front-ends for a number of hospitals throughout Britain, and I can tell you that most of the "why can't they..." posts here are unrealistic and unworkable.
Anyone working with healthcare data, internally or externally, will frequently require access to the data in unpredictable ways. Logging every SQL request, including read-only ones, would place a huge burden both in terms of storage and in terms of extracting any useful audits. Even if it were possible, such a log will tell you little about the motive or intent of the request, which is where the issues arise.
All I can say on my own part and that of my colleagues is that it is frequently made clear to us, to the point of being a basic assumption, that we should never treat the data in a prurient or cavalier fashion, and in all honesty that's the best you can hope for. For the most part, we're just checking that, for example, a letter's text has been imported correctly, or that a blood result is displaying appropriately.
Bottom line, yes, there are people who might view your clinical data and not all of them will be directly involved in your treatment, but that doesn't, of itself, indicate anything inappropriate is going on.