Holding data in confidence
Insurers’ access to and use of confidential medical information will always be controversial, whether it is medical records of individual patients or aggregated data collected by NHS bodies. Nevertheless, insurers have a legal requirement under the Equality Act only to discriminate on grounds of disability when they can show that such discrimination is evidence based and reasonable. This tricky balance has recently been shifted by two new developments.
In May, the Care Act was passed. The new law means that a person’s data can only be shared and analysed when there is a benefit to healthcare and that all uses will be scrutinised by an independent statutory body. In addition, there will now be a legal basis for people to stop their data being shared if they wish to.
The second development, in June, was the publication of the Partridge review on data released by the NHS Information Centre (NHS IC) from 2005 to 2013. The NHS IC’s role was to collect and manage health records data, including sharing it with third parties under data sharing agreements which restricted its use. The review discovered lapses in the arrangements that were supposed to be in place to ensure that people’s personal data would never be used improperly.
The NHS IC should have imposed restrictions on what information can and cannot be used for, how it must be stored securely and how it must eventually be destroyed. Some of the data provided under data sharing agreements was not fully anonymised. Although names and addresses were normally removed, it was possible that the identity of individuals could have been deduced if the data was linked to other data.
The process of data sharing now has added importance because of plans to upload information from patients’ GP records on to a national database known as the care.data programme. The review found there were 3,059 releases of data, of which 588 were to private sector organisations. There were four Data Sharing Agreements made by the NHS IC with three re-insurance companies (Pacific Life, RGA and SCOR), which allowed those re-insurers to continue to use the data until the agreements expired, but the HSCIC has not released any new data to these companies and has asked them to delete the data they hold. Data was also released to the Institute of Actuaries CI Working Party, BUPA, the Foresters Friendly Society and Scottish Re. All the data fell into one category – hospital episode statistics (HES). HES data contains patient admissions, outpatient and accident and emergency records for all NHS hospitals in England. There are over 125 million records processed annually. Since 1 April 2005, just under a third (529) of HES data releases were made to private sector organisations. These included pharmaceutical companies and consultancies. As can be seen, only a tiny proportion of data releases were made to insurers and re-insurers.
So what next? Clearly a large number of private sector organisations will want some level of access to HES data and possibly access to GP data under the new care.data scheme. The practical boundaries of how this will pan out, the operation of the oversight panel and the implementation of the Partridge review recommendations are yet to be tested. It seems to me that a way forward could be to work with HSCIC to ensure that any data released to the private sector is fully anonymised and, in addition, for insurers, that it is held by an independent body not subject to commercial interests – perhaps the Institute of Actuaries. That way data can be gathered as envisaged in the Equality Act.
Written by Richard Walsh, first published in Cover Magazine, 19 August 2014