While the U.S. medical community has only recently begun to deal with the Health Insurance Portability and Accountability Act (HIPAA), the U.K. has had its own medical privacy protection act in place since 1984. However, Britain's Data Protection Act (DPA) of 1984 covered only paper records, requiring businesses and organizations to keep them secure. This proved easy enough. But confusion set in for the British medical community when Parliament updated the DPA in 1998, expanding the scope of the law to cover electronic records and strengthen patient rights.
Confusion soon gave way to apathy: There was a definite lack of hubbub about the updated version of DPA. Three years later, the U.K. medical community remains unclear about what the law means, and has done very little to implement it. Most hospitals and doctors have taken a "wait and see" approach. In fact, a few interviewees asked to remain anonymous in order to keep out of the public eye on this issue.
"One doesn’t want to go too much into print about it," said Dr. Lionel Jarvis, chairman of the IT committee for the Royal College of Radiologists (RCR). "Keep it quiet before you start upsetting the apple cart."
When is a record not a record?
The DPA defines "record" as "any record which consists of information relating to the physical or mental health or condition of an individual, and which has been made by, or on behalf of, a health professional in connection with the care of that individual."
Under the DPA, all records must be obtained only for one or more specified and lawful purposes and kept for no longer than is necessary for those purposes. Patients must be informed as to the purposes their data will serve and must consent to such uses. The act also requires that appropriate technical and organizational measures be taken to protect against unauthorized or unlawful use and against accidental loss, destruction, or damage of personal data.
One radiologist who had received word about the act from his hospital’s trust said that its instructions were unclear. The trust’s memo required the radiology department to dispose of all records that were kept without patients’ written consent. The physician, who preferred to remain anonymous, requested clarification and asked whether teaching files and publication materials were included in the purge. His inquiry yielded no response.
"All the teaching films that radiologists keep seem to be illegal under the act unless you’ve got the patients’ informed consent, even, possibly, if they are anonymous," said Dr. Andrew Downie, consultant interventional radiologist at the Victoria Infirmary in Glasgow, Scotland.
Most physicians seemed unsure as to how far the informed consent clause should be taken.
"Can [you discuss] the case between doctors or other professional colleagues? If I see a patient who’s got a curious problem, do I need to ask that patient for permission to discuss her case with another colleague before I actually do so?" Jarvis said.
Although the DPA asks that hospitals ensure the safety and security of all medical records, it does not delineate what it means by "measures," and many physicians and hospitals don’t know how far to go. As teleradiology and PACS dawn in the U.K., these issues move to the forefront.
"The ramifications haven’t really been thought out," Downie said. "For instance, I keep records on my handheld PC. That’s probably illegal, because it’s not registered and all that other stuff."
In addition, the DPA states that patients must be given unfettered access to all health records for a fee, currently set at £10 ($14.50 U.S.). According to Downie, hundreds of requests are coming in for patient records, including complete x-ray packets, the compiling of which takes time and money.
In an even more startling section, the DPA states that patients can request the deletion or revision of data in their medical records. However, patients can request the deletion of only that material deemed inaccurate, according to Sandra Cavill, compliance manager for the health sector of the Office of the Information Commissioner (OIC), the agency charged with enforcing DPA. But who and what determines inaccuracy is still a gray area.
This is just one issue that the RCR and the National Health Service (NHS) are working together to clarify, according to Jarvis.
A cry in the dark for help
In the meantime, the majority of radiologists interviewed for this article said the OIC and the NHS have not taken any measures to explain the DPA or outline how to comply with the legislation.
"[Doctors] don't get any guidance from anywhere," said Kate Hill, an associate solicitor specializing in healthcare, human rights, and data protection with the London law firm of Radcliffe's. "Over the last few years I have seen so many health professionals falling afoul of good practice simply because of ignorance." Hill has started her own company, InPractice, to educate physicians about DPA compliance and other patient protection and human rights legislation.
Like the law itself, the OIC’s stance on assisting physicians with the DPA seems a bit muddled.
A call to the OIC resource hotline for industry and consumers yielded the following: If hospitals ask for assistance regarding the DPA 1998, the OIC will provide educational information. In other words, compliance and interpretation are the responsibility of the industry, not of the OIC, according to the hotline staffer.
"Certainly [this information shouldn't] come from us," she said. "The industry should provide information to [general practitioners] on how to comply." The majority of advertising about the DPA has been directed at consumers, "to make the public aware of what's available to them under the act," she added.
It would also seem that consumers are responsible for determining when the DPA will be enforced. According to Hill, recent guidance from the OIC says that "[t]aking action… will not always be necessary, but if the commissioner receives a number of complaints over a short space of time and it appears obvious that the [hospital] controller is doing nothing to investigate or remedy the problem, then action will be taken."
If the OIC deems that action is necessary, it sends a letter to the hospital requesting compliance with various requirements. If the OIC finds that the hospital has not complied with its requests, court action may be taken, and the court has the power to impose an unlimited fine.
OIC on the job
While the U.K. medical community may see a lack of interest in making the written law a practical reality, the OIC's Cavill said the agency is doing exactly what it should and can do with the DPA.
"The act is really general," she conceded, but "it can’t be too specific, because it has to cover all sectors."
Cavill refuted claims that the OIC has done little to assist the medical community with understanding the DPA, noting that the agency has published guidance for physicians on its Web site, with more extensive instructions set for future release.
As for enforcement notices generated by patient complaints, they are not sent out very often because breaches in compliance are generally corrected through in-house letters to the hospital or physician, she said.
According to Cavill, the OIC is "phasing in" the DPA: For the time being, the organization is concentrating on investigating patient complaints about delayed or denied access to health records. Patients with concerns about the accuracy of their records can go directly to court and file a suit against the doctor or medical institution. The OIC is scheduled to take on other parts of the DPA, such as patient complaints about medical ethics and physician accuracy beginning in October 2001, Cavill said.
However, the medical professionals who spoke with AuntMinnie.com did not profess any awareness that the OIC is working on the DPA in stages. In a sense, this kind of confusion seems to be the DPA’s greatest contribution to the medical community thus far, with many practitioners having all but given up on figuring it out.
"[U.K. laws] cover all loopholes in the English language. We base British law on the law of precedent, and only when something has been tried and a test case has been proven one way or another, do we know whether this is a precedent for future problems," Jarvis said.
And the law may soon be tested, according to Hill, who estimated that there are probably more than a hundred lawsuits related to medical privacy pending.
"This is new territory," Jarvis said. "Although it’s the Data Protection Act of 1998, it takes a long time for such legislation to finally start affecting practice. It’s only just now that U.K. radiology is beginning to wake up to the problem."
By Leslie FarnsworthAuntMinnie.com contributing writer
August 13, 2001
Related Reading
Europe still lags in communication technology, May 24, 2001
Copyright © 2001 AuntMinnie.com
