The government has announced an extra £1 billion is being channelled into efforts to make the NHS “paperless” by 2018. Central to this aim are plans to make patient health records digital.
The goal is ambitious for many reasons, not least because its success depends on making sure that these digital health records do not compromise patient privacy.
Electronic Health Record systems can be good for patient safety, reduce costs and make it easier for doctors to access medical histories. In these systems a wealth of information, including demographics, diagnoses, medication, and lab results, is recorded for each patient. While traditionally used for medical care, the data are also useful in medical research. For example, patient health records can be linked to genomic information when studying the impact of genetics in disease.
But there are serious privacy concerns associated with the sharing of patient health information in electronic form. In a 2012 survey of nearly 2,000 adults in the US by the National Partnership for Women & Families, 51% of respondents whose records were digitised said they believe that the privacy of health information is not sufficiently protected in these systems, even though the vast majority of respondents also said they trust their doctors to protect such information.
Concerns are justified because electronic health records contain private and sensitive information, including diagnoses and medication, and because simply removing identifying information about patients such as names and phone numbers does not suffice to address these concerns. Even without this information, it is still possible to link the information back to patients.
In fact, several incidents in which patient identities may have been disclosed have been widely reported. In these cases, patients were linked to their health records because demographic information, such as age, gender and postcode, is contained both in these records and in other data sets such as voter lists.
In one example, students re-identified individuals in the Chicago homicide database by linking it with the social security death index, while in another, an expert witness re-identified most of the individuals represented in a neuroblastoma registry. Other incidents involved an individual identifying their neighbour using a prescriptions record database, and a researcher who cross-referenced voter-registration records with a limited amount of public record information from the Group Insurance Commission, which included birth date, gender and zip code, to identify the full medical records of former Massachusetts governor William Weld and his family.
To address privacy concerns, there are several policies that govern the sharing of patient medical information. The Anonymisation Code of Practice, published by the Information Commissioner’s Office, for example, emphasises the need to limit (but notably not eliminate) the risk of linking published records back to patients, and the NHS Confidentiality Code of Practice aims to inform NHS staff about privacy. Guidelines for maintaining the privacy of health records also feature in the Good Practice Guidelines for GP electronic patient records, which is endorsed by the Department of Health, the GPC and the Royal College of General Practitioners.
All these policies serve as a first line of defence for protecting electronic health records, but are limited in that they do not provide guarantees against attacks. They are also quite general in their nature and are of limited use for individual practitioners trying to apply them to increasingly complex types of medical data, such as data containing genomic information.
On a positive note, advances in computer science and medical informatics have made it possible to guarantee that private and confidential information will not be disclosed when electronic health records are shared. For instance, we have been developing methods to thwart several privacy threats and have demonstrated that the electronic health records of thousands of patients can be disseminated in a privacy-preserving way.
This involves measuring the privacy risk of the data and then controlling the risk by aggregating or deleting some carefully selected information about patients. This helps protect privacy while continuing to ensure that the data is useful for medical analysis. Companies including Microsoft and IBM are also working in this area.
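The two steps just described, measuring the re-identification risk of a record set and then reducing it by aggregating or deleting selected attributes, can be made concrete with a small worked example. The code below is an added illustration and is not the authors' own method or any NHS tool: it scores a constructed table of six de-identified records by the size of each group of patients who share the same demographic details (the "equivalence class", the basis of k-anonymity), then generalises age to ten-year bands, postcode to its outward code, and finally drops gender, until every patient is indistinguishable from at least k others. The sample records, postcodes and diagnoses are invented for the example.

```python
from collections import Counter

# Constructed sample: names already stripped, but the remaining demographics
# (age, gender, full postcode) are the same fields found in voter lists.
RECORDS = [
    {"age": 34, "gender": "F", "postcode": "SW1A 1AA", "diagnosis": "asthma"},
    {"age": 36, "gender": "F", "postcode": "SW1A 2BB", "diagnosis": "diabetes"},
    {"age": 35, "gender": "M", "postcode": "SW1A 1AA", "diagnosis": "hypertension"},
    {"age": 52, "gender": "M", "postcode": "E1 6AN", "diagnosis": "asthma"},
    {"age": 58, "gender": "M", "postcode": "E1 7AB", "diagnosis": "depression"},
    {"age": 55, "gender": "F", "postcode": "E1 6AN", "diagnosis": "asthma"},
]
QUASI_IDENTIFIERS = ("age", "gender", "postcode")


def equivalence_classes(records, keys):
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(tuple(r[k] for k in keys) for r in records)


def k_anonymity(records, keys):
    """Smallest equivalence class: k = 1 means at least one patient is unique."""
    classes = equivalence_classes(records, keys)
    return min(classes.values()) if classes else 0


def unique_fraction(records, keys):
    """Share of records that are the only one with their demographic combination."""
    classes = equivalence_classes(records, keys)
    uniques = sum(1 for r in records if classes[tuple(r[k] for k in keys)] == 1)
    return uniques / len(records) if records else 0.0


def age_band(age, width=10):
    """Aggregate an exact age into a band such as '30-39'."""
    lo = (age // width) * width
    return f"{lo}-{lo + width - 1}"


def generalise(record, level):
    """Apply cumulative generalisation steps; a higher level keeps less detail.

    level 0: release as-is (names removed only)
    level 1: age -> 10-year band, postcode -> outward code (district)
    level 2: additionally delete gender
    """
    out = dict(record)
    if level >= 1:
        out["age"] = age_band(record["age"])
        out["postcode"] = record["postcode"].split()[0]
    if level >= 2:
        out.pop("gender")
    return out


def quasi_keys(level):
    """Quasi-identifiers still present at a given generalisation level."""
    return ("age", "postcode") if level >= 2 else ("age", "gender", "postcode")


def anonymise(records, k, max_level=2):
    """Return (level, released records) for the least-generalised release
    meeting k-anonymity, or (None, []) if no level in range achieves it.
    Diagnoses are kept untouched so the release stays useful for analysis."""
    for level in range(max_level + 1):
        released = [generalise(r, level) for r in records]
        if k_anonymity(released, quasi_keys(level)) >= k:
            return level, released
    return None, []


if __name__ == "__main__":
    print("raw k:", k_anonymity(RECORDS, QUASI_IDENTIFIERS),
          "unique fraction:", unique_fraction(RECORDS, QUASI_IDENTIFIERS))
    level, released = anonymise(RECORDS, k=3)
    print("generalisation level needed for k=3:", level)
    for r in released:
        print(r)
```

On the raw table every record is unique, so any public list carrying the same three fields could single each patient out; banding age and coarsening the postcode alone still leaves two patients unique, and only deleting gender as well yields groups of three. Real releases must also guard against the sensitive column being uniform within a group (all three patients in a class sharing one diagnosis would reveal it regardless of k), which is why the text speaks of measuring risk rather than applying one fixed rule.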
Nevertheless, current research cannot give a perfect answer to the question of whether the disseminated electronic health records are completely safe and useful. This is mainly because we still need to fully understand the privacy risks that are out there and deploy the privacy-preserving technologies that can protect us from them.
To make digital patient records work, we need progress in both these areas. First, we need to rigorously assess the privacy risk associated with medical information before sharing it because policies alone may not always protect privacy and can even make the data unusable if applied blindly.
Then, computer scientists need to work with medical experts and patients to develop solutions that take into account the privacy requirements of both patients and medical institutions, as well as the data usage and recipients. These technologies need to be integrated so that large volumes of patient data can be protected automatically. An important step towards achieving this will be the development of approaches that scale well with large amounts of complex data.
If spent wisely, the government money could help better preserve privacy when our health records go digital, as long as we advance our understanding of privacy threats and produce technology that is flexible and scalable enough to fit an organisation as large and sprawling as the NHS.