Convenience, speed and cost-effectiveness - the huge benefits of email mean that it is routinely used in general practice. But just because we can communicate so easily, it doesn’t mean we should do it on autopilot.
The recent news that hundreds of patients’ confidentiality had been inadvertently breached by an HIV clinic was a reminder that even routine communication carries data protection risks.
At the MDU we are aware of other similar cases where GP practices have sent group emails to patients about routine screenings or health clinics, and patients’ addresses were displayed in the CC field rather than blind copied using the BCC field.
As a result, each recipient could identify the others from their email address, know they were patients of the practice and that they had a condition that might benefit from the service offered in the email.
Such breaches are obviously distressing for patients, but can also have serious repercussions for practices. Under the Data Protection Act 1998 (DPA), reckless breaches could result in financial penalties of tens of thousands of pounds.
There is also the possibility of a CQC investigation for the practice or even a GMC investigation for the individual doctors concerned, not to mention the breakdown of trust with patients.
Preventing data breaches
The best chance of avoiding this situation is to ensure your practice has an effective system of information governance that addresses potential threats. While no system will ever be 100% secure, if an unauthorised disclosure occurs you will need to be able to justify the measures taken to prevent breaches.
The DPA says that, taking into account the state of technological development and the cost of implementing them, these measures must, ‘ensure a level of security appropriate to a) the harm that might result from such unauthorised or unlawful processing of personal data or accidental loss, destruction or damage as mentioned in the seventh principle, and b) the nature of the data to be protected.’
It’s also important to review your information governance and data protection procedures regularly to make sure they are still relevant and fit for purpose. Some of the areas to consider are listed below.
Specify the use of password protection and individual log-in profiles to prevent unauthorised access to patient data. It is also a good idea to appoint a senior member of the team, such as the practice manager, to oversee your data protection policy.
This individual should take responsibility for ensuring passwords are regularly changed, are never shared with others and that all staff receive regular training in data protection.
There is a risk that email can be intercepted, or simply sent to the wrong person. You may wish to set out a policy for email communications that covers specific issues:
- Use a secure email such as NHSmail when communicating with colleagues and other NHS bodies.
- Make sure that emails to non-NHS recipients which contain sensitive or confidential information are encrypted.
- Email a named recipient instead of a generic address such as ‘reception’ or ‘enquiries’.
- Don’t forward emails to personal email accounts.
- Don’t store identifiable patient data on a home computer, laptop or tablet.
If your practice sends out bulk emails or text messages to groups of patients, you will need to set out the steps for obtaining patients’ permission and for recording those who later decide to opt out.
Under the DPA, patients have to be given a simple opportunity to decline contact about future services both at the time their details are collected as well as in future messages. Include an opt-out option in the text message or at the end of the email.
To avoid inadvertent confidentiality breaches, you should also have written guidance on the acceptable format for mass emails. This should include that the sender puts their own address in the To field and uses BCC for all recipients, so they don’t see other email addresses.
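As an added illustration of the bulk-email guidance above (not code from the MDU or from the article), the following Python composes a mass email with the sender in the To field and every patient in Bcc, builds the opposite, leaky form for comparison, and lints a message before sending so that no patient address can leak through the To or Cc headers. The sender address and patient list are constructed sample values.

```python
"""Added example: compose a practice bulk email safely and check it before sending."""
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample data (hypothetical practice address and patient list).
SENDER = "screening@example-practice.invalid"
PATIENTS = ["patient1@example.org", "patient2@example.org", "patient3@example.org"]
OPT_OUT = "\n\nIf you do not wish to receive messages about future services, reply with STOP."

def compose_bulk_email(sender, recipients, subject, body):
    """Recommended form: only the practice's own address is visible in To;
    patients go in Bcc, which the sending library strips before transmission."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Bcc"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body + OPT_OUT)   # opt-out wording at the end of the email
    return msg

def compose_leaky_email(sender, recipients, subject, body):
    """The mistake the article describes: every patient placed in the Cc field."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Cc"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body + OPT_OUT)
    return msg

def visible_recipients(msg):
    """Addresses that every recipient will be able to read (To and Cc headers)."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses(headers)]

def bulk_email_problems(msg, sender):
    """Pre-send lint: return a list of problems; an empty list means safe to send."""
    problems = []
    exposed = [a for a in visible_recipients(msg) if a.lower() != sender.lower()]
    if exposed:
        problems.append(f"{len(exposed)} patient address(es) visible in To/Cc")
    if not msg.get_all("Bcc"):
        problems.append("no Bcc recipients; nobody would receive the message")
    return problems

if __name__ == "__main__":
    for build in (compose_bulk_email, compose_leaky_email):
        msg = build(SENDER, PATIENTS, "Flu clinic dates", "Our flu clinic opens next week.")
        print(build.__name__, "->", bulk_email_problems(msg, SENDER) or "OK to send")
```

With Python's smtplib, `SMTP.send_message()` uses the Bcc addresses for the envelope and removes the Bcc header from the copy it transmits, so the patient list never reaches the other recipients.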
In Doctors’ Use of Social Media (2013) the GMC recognises the potential benefits of using social media but also highlights the real risk to patient confidentiality. Staff should know that publicly accessible social media sites should never be used to discuss individual patients. Include this in your practice conduct policy.
Notifying data breaches
If the worst should happen, staff should know how to respond appropriately. That means immediately reporting any loss of data to the nominated senior person in your practice so that action can be taken to prevent further breaches and, if appropriate, the Information Commissioner can be informed.
English practices can log incidents such as data losses using the online Information Governance Toolkit, which will automatically report incidents it considers ‘serious’. With emails and text messages, the Privacy and Electronic Communications Regulations require practices to notify the Information Commissioner if a personal data breach occurs and to keep a log of any such breaches.
The MDU suggests that if a mistake is made, you should inform patients promptly so they can take action if they wish, and that you should apologise to them for the error. If the worst happens, your medical defence organisation can give you further advice on what steps to take.
- Dr Edward Farnan is a medico-legal adviser at the MDU