Telling Patients about the Checker

Originally posted to GP-UK in 2003

Patients have a right to know who has accessed their records and why. The State asserts the right and need to do so. A data structure is needed to make disclosure less easy to describe as too hard to do.

The model of the British GP computerised medical records is under attack, with a central database yet again proposed. As the scope for access to the medical records expands and the people involved are able to do so without being seen by GPs, practice staff, or indeed anyone anywhere near the patient, so we need better defined ways of telling a patient who has seen their records, why, and what they saw.

At present GPs are generally trusted to look at the records which they have made and which they use of their patients. The same trust extends to looking at old records, hospital letters, and to their staff also viewing these elements as part of their job. GP record systems in principle can reveal who has looked at what for those within the Practice.

People coming from outside - of whom there seem to be more and more as time goes on - clinical nurse supervisors, Clinical Governance and Prescribing leads and workers, audit staff in both the medical and the financial sense all come along pointing to an assumed right of access and consent to access for any part of the records. The most that any locally have proposed as far as telling the patient goes is to place a laminated A4 notice somewhere in the waiting room and assume this immediately constitutes informed consent of the whole practice population. It doesn't.

What to Disclose

The only contentious bit, the only piece needing clever design, is the specification of what the checker saw.

Who saw the notes, what they do, why and where they work are surely details they should have on their ID badge, would tell the patient if they were dealing in person and have no right to keep silent on in pursuit of their proper duties.

Passing significant elements - verbatim copies for instance - of the notes as accessed gives the usual security problems. Probably the pragmatic approach is to identify sections of record and give the identities of these, along with a terminal in the Practice that offers access to those elements for the patient.

Data Structure

Obviously the identity of the checker. With networking of health services this should include a unique ID for the person identity server, or whatever other method the health service uses to keep track of who it authenticates as an employee or contractor. And perforce the identity of the patient concerned. The rest of the list can grow as a simple XML specification, but start with these.

• Who
• Why
• Where
• When
• What

Example

John Smith the Exeter Primary Care Trust financial audit control assistant (serial number 123456789) inspected parts of your medical record on 1 April 2003. He asserted his occupation gives him the right to view all parts of the record at any time in order to exclude fraud in the NHS. Your records were accessed over the NHS Network from the PCT office beginning at 0900 and ending at 1200. The elements of the record inspected are those listed in a file which the access key QWERTYUIOP will produce from the patient access terminal at the Practice when presented with your identification, and come from the record areas: appointments, contraception, immunisations, narrative history, coded entries.